8:08 a.m.
I have setup my servlet to authenticate a user my web app using Keycloak Active Directory
ldap user federation
I can get a Delegated GSSCredential when the SPNEGO enabled browser runs on a workstation
in the AD domain.
When the browser workstation is not a member of the AD Domain, Keycloak will authenticate
the user id and password entered on the keycloak login page, but there will not be a
Delegated GSSCredential in the Access Token in my servlet.
I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and
JDBC to the IBM i. My IBM i is configured to accept a Kerberos Ticket from Active
Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
Less than 1% of the users will be using browsers on workstations in the Active Directory
domain.
Can Keycloak put a GSSCredential for the logged in user in the Access Token when SPNEGO
is not available from the browser?
8:11 a.m.
Here is a Diagram of what I'm trying to do
From: Chris Smith
Sent: Wednesday, January 23, 2019 8:08 AM
To: 'keycloak-user(a)lists.jboss.org' <keycloak-user(a)lists.jboss.org>
Subject: Get a GSSCredential when user browser is not in Active Directory domain
I have setup my servlet to authenticate a user my web app using Keycloak Active Directory
ldap user federation
I can get a Delegated GSSCredential when the SPNEGO enabled browser runs on a workstation
in the AD domain.
When the browser workstation is not a member of the AD Domain, Keycloak will authenticate
the user id and password entered on the keycloak login page, but there will not be a
Delegated GSSCredential in the Access Token in my servlet.
I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and
JDBC to the IBM i. My IBM i is configured to accept a Kerberos Ticket from Active
Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
Less than 1% of the users will be using browsers on workstations in the Active Directory
domain.
Can Keycloak put a GSSCredential for the logged in user in the Access Token when SPNEGO
is not available from the browser?
9:04 p.m.
Does anyone have feedback about getting a delegated GSSCredential?
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On Behalf Of Chris Smith
Sent: Wednesday, January 23, 2019 10:12 PM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active
Directory domain
Here is a Diagram of what I'm trying to do
From: Chris Smith
Sent: Wednesday, January 23, 2019 8:08 AM
To: 'keycloak-user(a)lists.jboss.org' <keycloak-user(a)lists.jboss.org>
Subject: Get a GSSCredential when user browser is not in Active Directory domain
I have setup my servlet to authenticate a user my web app using Keycloak Active Directory
ldap user federation
I can get a Delegated GSSCredential when the SPNEGO enabled browser runs on a workstation
in the AD domain.
When the browser workstation is not a member of the AD Domain, Keycloak will authenticate
the user id and password entered on the keycloak login page, but there will not be a
Delegated GSSCredential in the Access Token in my servlet.
I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and
JDBC to the IBM i. My IBM i is configured to accept a Kerberos Ticket from Active
Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
Less than 1% of the users will be using browsers on workstations in the Active Directory
domain.
Can Keycloak put a GSSCredential for the logged in user in the Access Token when SPNEGO
is not available from the browser?
12:21 a.m.
Hello Chris,
AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's
possible at all to obtain it outside of Kerberos context, like e.g. via pure LDAP
authentication.
Cheers,
Dmitry
On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
Does anyone have feedback about getting a delegated GSSCredential?
-----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org
<keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Chris Smith
Sent: Wednesday, January 23, 2019 10:12 PM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active
Directory domain
Here is a Diagram of what I'm trying to do
From: Chris Smith
Sent: Wednesday, January 23, 2019 8:08 AM
> > To: 'keycloak-user(a)lists.jboss.org'
<keycloak-user(a)lists.jboss.org>
Subject: Get a GSSCredential when user browser is not in Active Directory domain
I have setup my servlet to authenticate a user my web app using Keycloak Active Directory
ldap user federation
I can get a Delegated GSSCredential when the SPNEGO enabled browser runs on a
workstation in the AD domain.
When the browser workstation is not a member of the AD Domain, Keycloak will authenticate
the user id and password entered on the keycloak login page, but there will not be a
Delegated GSSCredential in the Access Token in my servlet.
I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and
JDBC to the IBM i. My IBM i is configured to accept a Kerberos Ticket from Active
Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
Less than 1% of the users will be using browsers on workstations in the Active Directory
domain.
Can Keycloak put a GSSCredential for the logged in user in the Access Token when SPNEGO
is not available from the browser?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:07 p.m.
+1
GSSCredential is used just during SPNEGO authentication. You may
possibly change the built-in authentication flows or userStorage
provider, so that after verification with username/password, the
GSSCredential will be somehow obtained from the JAAS Subject used for
the authentication (See class KerberosUsernamePasswordAuthenticator for
the details).
However I am not sure if this is really possible and it will require
some more deep-dive into the Keycloak codebase and Kerberos
implementation in JDK... Just a hint...
Marek
On 28/01/2019 07:21, Dmitry Telegin wrote:
Hello Chris,
AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's
possible at all to obtain it outside of Kerberos context, like e.g. via pure LDAP
authentication.
Cheers,
Dmitry
On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
> Does anyone have feedback about getting a delegated GSSCredential?
>
> -----Original Message-----
>> From: keycloak-user-bounces(a)lists.jboss.org
<keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Chris Smith
> Sent: Wednesday, January 23, 2019 10:12 PM
> To: keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active
Directory domain
>
> Here is a Diagram of what I'm trying to do
>
> From: Chris Smith
> Sent: Wednesday, January 23, 2019 8:08 AM
>>> To: 'keycloak-user(a)lists.jboss.org'
<keycloak-user(a)lists.jboss.org>
> Subject: Get a GSSCredential when user browser is not in Active Directory domain
>
> I have setup my servlet to authenticate a user my web app using Keycloak Active
Directory ldap user federation
>
> I can get a Delegated GSSCredential when the SPNEGO enabled browser runs on a
workstation in the AD domain.
> When the browser workstation is not a member of the AD Domain, Keycloak will
authenticate the user id and password entered on the keycloak login page, but there will
not be a Delegated GSSCredential in the Access Token in my servlet.
>
> I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400)
and JDBC to the IBM i. My IBM i is configured to accept a Kerberos Ticket from Active
Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
>
> Less than 1% of the users will be using browsers on workstations in the Active
Directory domain.
>
> Can Keycloak put a GSSCredential for the logged in user in the Access Token when
SPNEGO is not available from the browser?
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:17 p.m.
So I made a small addition and stepped through the authenticate method
public Subject authenticateSubject(String username, String password) throws
LoginException {
String principal = getKerberosPrincipal(username);
logger.debug("Validating password of principal: " + principal);
loginContext = new LoginContext("does-not-matter", null,
createJaasCallbackHandler(principal, password),
createJaasConfiguration());
loginContext.login();
logger.debug("Principal " + principal + " authenticated
succesfully");
** Subject subject = loginContext.getSubject();
** for (KerberosTicket ticket :
subject.getPrivateCredentials(KerberosTicket.class)) {
** System.out.println(ticket.getClient().getName());
** }
return loginContext.getSubject();
}
The subject that is gotten from the loginContext has one KerberosTicket private
credential
Googling has not given me any insight on where I go from here.
Do you have any suggestions?
-----Original Message-----
From: Marek Posolda <mposolda(a)redhat.com>
Sent: Tuesday, January 29, 2019 4:07 AM
To: Dmitry Telegin <dt(a)acutus.pro>; Chris Smith
<chris.smith(a)cmfirstgroup.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active
Directory domain
+1
GSSCredential is used just during SPNEGO authentication. You may possibly change the
built-in authentication flows or userStorage provider, so that after verification with
username/password, the GSSCredential will be somehow obtained from the JAAS Subject used
for the authentication (See class KerberosUsernamePasswordAuthenticator for the details).
However I am not sure if this is really possible and it will require some more deep-dive
into the Keycloak codebase and Kerberos implementation in JDK... Just a hint...
Marek
On 28/01/2019 07:21, Dmitry Telegin wrote:
Hello Chris,
AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's
possible at all to obtain it outside of Kerberos context, like e.g. via pure LDAP
authentication.
Cheers,
Dmitry
On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
> Does anyone have feedback about getting a delegated GSSCredential?
>
> -----Original Message-----
>> From: keycloak-user-bounces(a)lists.jboss.org
>> <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Chris Smith
> Sent: Wednesday, January 23, 2019 10:12 PM
> To: keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is
> not in Active Directory domain
>
> Here is a Diagram of what I'm trying to do
>
> From: Chris Smith
> Sent: Wednesday, January 23, 2019 8:08 AM
>>> To: 'keycloak-user(a)lists.jboss.org'
<keycloak-user(a)lists.jboss.org>
> Subject: Get a GSSCredential when user browser is not in Active
> Directory domain
>
> I have setup my servlet to authenticate a user my web app using
> Keycloak Active Directory ldap user federation
>
> I can get a Delegated GSSCredential when the SPNEGO enabled browser runs on a
workstation in the AD domain.
> When the browser workstation is not a member of the AD Domain, Keycloak will
authenticate the user id and password entered on the keycloak login page, but there will
not be a Delegated GSSCredential in the Access Token in my servlet.
>
> I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400)
and JDBC to the IBM i. My IBM i is configured to accept a Kerberos Ticket from Active
Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
>
> Less than 1% of the users will be using browsers on workstations in the Active
Directory domain.
>
> Can Keycloak put a GSSCredential for the logged in user in the Access Token when
SPNEGO is not available from the browser?
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2138
days inactive
2152
days old
5 comments
3 participants
participants (3)
-
Chris Smith -
Dmitry Telegin -
Marek Posolda