Thank you, Dmitry.
My Keycloak realm is set up for LDAP/Kerberos authentication with a Windows Active
Directory domain.
So I am getting a delegated GSSCredential in my AccessToken when I access my Web App from
a properly configured browser (SPNEGO) on a workstation in the Windows Active Directory
Domain.
If the browser is not configured for SPNEGO or the workstation is not a member of the
Windows Active Directory Domain, the browser is redirected to the Keycloak login page.
After entering a correct user and password, the browser is redirected back to the Web
App.
This step is what I need to successfully authenticate a Windows AD User ID/password
combination and it works.
My problem is there is no claim in the AccessToken for a GSSCredential.
I have an absolute requirement for a GSSCredential for that Windows AD User ID/Password.
The GSSCredential is to be used in the web app to connect to an IBM i (aka AS/400) for
calling RPG and COBOL programs.
The IBM i is configured to accept the GSSCredential and it works when the workstation is a
member of the Windows AD domain and the browser is configured for SPNEGO.
Can Keycloak be configured to put a GSSCredential in the AccessToken when Keycloak
authenticates the Windows AD User ID/Password?
If not, would it be a large effort to add a plugin that would put a GSSCredential in the
AccessToken?
-----Original Message-----
From: Dmitry Telegin <dt(a)acutus.pro>
Sent: Monday, January 28, 2019 2:21 PM
To: Chris Smith <chris.smith(a)cmfirstgroup.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active
Directory domain
Hello Chris,
AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's
possible at all to obtain it outside of Kerberos context, like e.g. via pure LDAP
authentication.
Cheers,
Dmitry
On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
Does anyone have feedback about getting a delegated GSSCredential?
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org
<keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Chris Smith
Sent: Wednesday, January 23, 2019 10:12 PM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is
not in Active Directory domain
Here is a Diagram of what I'm trying to do
From: Chris Smith
Sent: Wednesday, January 23, 2019 8:08 AM
To: 'keycloak-user(a)lists.jboss.org'
<keycloak-user(a)lists.jboss.org>
Subject: Get a GSSCredential when user browser is not in Active
Directory domain
I have set up my servlet to authenticate a user of my web app using
Keycloak Active Directory LDAP user federation.
I can get a Delegated GSSCredential when the SPNEGO enabled browser runs on a
workstation in the AD domain.
When the browser workstation is not a member of the AD Domain, Keycloak will authenticate
the user id and password entered on the keycloak login page, but there will not be a
Delegated GSSCredential in the Access Token in my servlet.
I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and
JDBC to the IBM i. My IBM i is configured to accept a Kerberos Ticket from Active
Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
Less than 1% of the users will be using browsers on workstations in the Active Directory
domain.
Can Keycloak put a GSSCredential for the logged in user in the Access Token when SPNEGO
is not available from the browser?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
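The thread turns on whether the access token carries a delegated GSSCredential claim at all. The servlet below, added here as an example and not code from the thread or from the Keycloak project, shows how a web app pulls that claim out of the Keycloak AccessToken, deserializes it, and uses it to initiate a Kerberos context towards a back-end service, with an explicit branch for the case the thread describes (form login, no SPNEGO) where the claim is simply absent. The claim name and the deserialization helper are Keycloak's own (`KerberosConstants.GSS_DELEGATION_CREDENTIAL`, `KerberosSerializationUtils.deserializeCredential`); the servlet name, the IBM i service principal `krbsvr400@ibmi.example.com`, and the assumption that a usable krb5.conf is on the classpath are all hypothetical and must be replaced for a real deployment. Handing the resulting token to the IBM i connection is left as a comment because the thread does not say which client library is in use.

```java
import java.io.IOException;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.common.constants.KerberosConstants;
import org.keycloak.common.util.KerberosSerializationUtils;
import org.keycloak.common.util.KerberosSerializationUtils.KerberosSerializationException;
import org.keycloak.representations.AccessToken;

// Hypothetical servlet name; the app itself is protected by the Keycloak adapter.
public class IbmiBridgeServlet extends HttpServlet {

    // Kerberos v5 mechanism OID (RFC 1964).
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    // Assumed service principal of the IBM i host, in GSS host-based form. Replace it.
    private static final String IBMI_SERVICE = "krbsvr400@ibmi.example.com";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        KeycloakPrincipal<?> principal = (KeycloakPrincipal<?>) req.getUserPrincipal();
        if (principal == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        AccessToken token = principal.getKeycloakSecurityContext().getToken();

        GSSCredential delegated = extractDelegatedCredential(token);
        if (delegated == null) {
            // The user came in through the Keycloak login form (no SPNEGO), so Keycloak
            // never held a Kerberos context for them and the claim is not in the token.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "No delegated Kerberos credential for " + token.getPreferredUsername());
            return;
        }

        try {
            byte[] apReq = buildServiceToken(delegated);
            // Hand apReq to the IBM i connection (program call / JDBC) here.
            resp.getWriter().println("Kerberos context token built for "
                    + token.getPreferredUsername() + " (" + apReq.length + " bytes)");
        } catch (GSSException e) {
            throw new ServletException("Cannot initialise Kerberos context to IBM i", e);
        }
    }

    // Returns the delegated credential, or null when the token carries no such claim.
    static GSSCredential extractDelegatedCredential(AccessToken token) throws ServletException {
        Map<String, Object> other = token.getOtherClaims();
        Object serialized = other.get(KerberosConstants.GSS_DELEGATION_CREDENTIAL);
        if (!(serialized instanceof String)) {
            return null;
        }
        try {
            return KerberosSerializationUtils.deserializeCredential((String) serialized);
        } catch (KerberosSerializationException e) {
            // Claim present but unreadable: treat as an error, not as "no credential".
            throw new ServletException("Delegated credential claim is not deserializable", e);
        }
    }

    // Uses the delegated credential (which wraps the user's forwarded TGT) to obtain a
    // service ticket for the IBM i and produce the initial GSS context token.
    static byte[] buildServiceToken(GSSCredential delegated) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        Oid krb5 = new Oid(KRB5_MECH_OID);
        GSSName service = manager.createName(IBMI_SERVICE, GSSName.NT_HOSTBASED_SERVICE, krb5);
        GSSContext ctx = manager.createContext(service, krb5, delegated, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        return ctx.initSecContext(new byte[0], 0, 0);
    }
}
```

The null branch is the point: the claim exists only when Keycloak itself completed a SPNEGO exchange with a browser that was willing to forward the ticket, which is exactly the case the thread says works, and a username/password form login leaves `getOtherClaims()` without it. Logging which branch each request took is a cheap way to confirm the observation in the thread before changing any realm configuration.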