[keycloak-dev] Adding GSSCredential as a claim when user browser is not running on the Active Directory domain

Chris Smith chris.smith at cmfirstgroup.com
Mon Feb 4 06:40:50 EST 2019

I have a requirement for getting a GSS Credential that will be generated from the Kerberos Server implemented by Windows Active Directory and will be used to connect to an IBM host using IBM EIM (Enterprise Identity Mapping).
So I have GSS Credential delegation working when the user browser is running on a workstation in the AD domain.
I get the GSS Credential from other claims and it works to connect the user to the IBM host.

My problem is 99.9% of the users' workstations will not be members of the AD domain.

I can thank my misunderstanding of SPNEGO and GSS Credential delegation for this unfortunate mess.

So I'm guessing that I will have to create a new SPI that extends the Kerberos User/Password validation that I already have working.
I'm further guessing that, when the browser workstation is not in the AD Domain, I can add the credential in other claims.

Any guidance?
