On 08/08/18 13:33, Paolo Tedesco wrote:
Hi,
I'm trying to configure the GSS credential mapper for an application.
I've configured SPNEGO authentication on the server, and this is working.
Then I've created an application (confidential client) and added a GSS delegation
credential mapper to the application, but I don't seem to get a claim with the GSS
credentials in the token after I authenticate. If I understood correctly, I should see a
claim in the access token named "gss_delegation_credential".
Is there anything else I need to configure, like some additional mappers?
I think nothing else is needed on the Keycloak side.
For Kerberos, there is a need to configure the tickets as "forwardable" in the
Kerberos client configuration (usually in /etc/krb5.conf). There might also be a
need to configure the browser (for example, in FF it is
"network.negotiate-auth.delegation-uris").

A good way to detect whether the delegation is missing on the SPNEGO flow side or
on the Keycloak side is to enable DEBUG logging at least for the category
org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.
After successful login, you should see some message (see sources here):

    // Logged after the acceptor side of the SPNEGO exchange succeeds;
    // credDelegState tells whether the client actually delegated its credentials.
    String message = new StringBuilder("SPNEGO Security context accepted with token: " + responseToken)
            .append(", established: ").append(gssContext.isEstablished())
            .append(", credDelegState: ").append(gssContext.getCredDelegState())
            .append(", mutualAuthState: ").append(gssContext.getMutualAuthState())
            .append(", lifetime: ").append(gssContext.getLifetime())
            .append(", confState: ").append(gssContext.getConfState())
            .append(", integState: ").append(gssContext.getIntegState())
            .append(", srcName: ").append(gssContext.getSrcName())
            .append(", targName: ").append(gssContext.getTargName())
            .toString();
    log.debug(message);
If you see that credDelegState is null, you know that you need to look at the
Kerberos/SPNEGO flow level. Otherwise, look at the Keycloak level.
For inspiration, you can take a look at the "kerberos" example from the
Keycloak-examples distribution, which shows delegation.
Marek
Also, is it possible to get this gss_delegation_credential token only by
authenticating with SPNEGO, or would it be possible to get it also with other
authentication mechanisms (e.g. x509 certificate, username and password)?
Thanks,
Paolo Tedesco
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
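A client-side check for the first thing Marek points at, the "forwardable" ticket flag, as an added example that is not part of the thread or of Keycloak: it parses `klist -f` output and reports whether the TGT carries the uppercase F (forwardable) flag, which the SPNEGO flow needs before credDelegState can ever be set. The two sample outputs are constructed and follow the MIT Kerberos klist layout; the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of `klist -f` output (not captured from a real system).
# The line after the krbtgt entry carries its flags: F = forwardable, f = forwarded.
SAMPLE_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
08/08/2018 13:00:00  08/08/2018 23:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 08/15/2018 13:00:00, Flags: FRIA'

# Same cache obtained without forwardable = true in [libdefaults] of krb5.conf.
SAMPLE_NOT_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
08/08/2018 13:00:00  08/08/2018 23:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: RIA'

# tgt_flags: print the flag string of the krbtgt entry from klist -f output on stdin.
tgt_flags() {
    awk '
        /krbtgt\// { want = 1; next }
        want && /Flags:/ { sub(/.*Flags: */, ""); print; exit }
    '
}

# tgt_forwardable: exit 0 if the TGT has the uppercase F flag.
# The case pattern is case-sensitive, so a lowercase f (forwarded) does not match.
tgt_forwardable() {
    case "$(tgt_flags)" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Stand-alone run over the constructed samples; with a real cache use:
#   klist -f | tgt_forwardable
printf '%s\n' "$SAMPLE_FORWARDABLE" | tgt_forwardable \
    && echo "sample 1: TGT is forwardable, look at the Keycloak side next"
printf '%s\n' "$SAMPLE_NOT_FORWARDABLE" | tgt_forwardable \
    || echo "sample 2: TGT not forwardable, fix krb5.conf and kinit again"
```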