Unfortunately yes. Kerberos is deeply ingrained in most internal
applications/processes. While we can ask any new applications to use certificates, we have
to support Kerberos.
If that is not something that you will support, probably identity brokering would help. I
can write a Kerberos broker as long as it is given control (need HTTP request)
immediately by Keycloak; perhaps I can handle both authentication with keytabs (for
system accts) as well as SPNEGO for users.
Sent from my iPhone
On Jan 30, 2015, at 9:01 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
----- Original Message -----
> From: "Raghu Prabhala" <prabhalar(a)yahoo.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>,
> "keycloak-user" <keycloak-user(a)lists.jboss.org>
> Sent: Friday, 30 January, 2015 2:44:14 PM
> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>
> Great. Looking forward to the 1.2 Beta version.
> Regarding the system account support, from my perspective, it is very
> important because we have thousands of applications that interact with each
> other using system accounts (authentication with Kerberos with keytabs) and
> till we have that functionality, we will not be able to consider Keycloak as
> a SSO solution even though it is coming out to be a good product. The sooner
> we have it, the better. Hopefully, even other users will pitch in to request
> that functionality so that you can bump it up in your priority list.
> Thanks once again.
> Raghu
For your use-case would it have to be Kerberos? Only options we've been considering
are certificates and jwt/jws.
> From: Stian Thorgersen <stian(a)redhat.com>
> To: Raghu Prabhala <prabhalar(a)yahoo.com>
> Cc: keycloak dev <keycloak-dev(a)lists.jboss.org>; keycloak-user
> <keycloak-user(a)lists.jboss.org>
> Sent: Friday, January 30, 2015 2:10 AM
> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>
>
>
> ----- Original Message -----
>> From: "Raghu Prabhala" <prabhalar(a)yahoo.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>,
>> "keycloak-user" <keycloak-user(a)lists.jboss.org>
>> Sent: Thursday, January 29, 2015 6:44:11 PM
>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>>
>> Congrats Keycloak team. A great deal of features in this release - really
>> like SAML and clustering.
>>
>> But what I am really looking for is the next release as we need all the
>> features you listed - any tentative dates for the beta version?
>
> We might do a beta soon, but that'll only include identity brokering. The
> other features will be at least a month away.
>
>>
>> The functionality provided so far seems to be targeted toward user
>> accounts.
>> When can we expect support for System accounts (with diff auth mechanisms
>> like certificates, Kerberos etc.)?
>
> Some time this year we aim to have system accounts with certificates, it'll
> depend on priorities. We don't have any plans to support Kerberos
> authentication with system accounts, but maybe that makes sense to add as
> well.
>
>
>
>>
>> Thanks,
>> Raghu
>>
>> Sent from my iPhone
>>
>>> On Jan 29, 2015, at 2:11 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
>>>
>>> The Keycloak team is proud to announce the release of Keycloak
>>> 1.1.0.Final.
>>> Highlights in this release include:
>>>
>>> * SAML 2.0
>>> * Clustering
>>> * Jetty, Tomcat and Fuse adapters
>>> * HTTP Security Proxy
>>> * Automatic migration of db schema
>>>
>>> We've already started working on features for the next release. Some
>>> exciting features coming soon include:
>>>
>>> * Identity brokering
>>> * Custom user profiles
>>> * Kerberos
>>> * OpenID Connect interop
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>