[keycloak-dev] [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
Chris Smith
chris.smith at cmfirstgroup.com
Thu Feb 7 16:56:30 EST 2019
I originally asked this on the user list, but I'm making a change to Federation.
I had asked on the dev list earlier about this as I started to see how this would work.
I got the Kerberos ticket and serialized it to a Base64 string. It deserializes to a GSSCredential.
Now I have to put the Base64 token into the access token.
Any guidance?
-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Chris Smith
Sent: Thursday, February 7, 2019 2:17 AM
To: Marek Posolda <mposolda at redhat.com>; Dmitry Telegin <dt at acutus.pro>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
So I made a small addition and stepped through the authenticate method:

    public Subject authenticateSubject(String username, String password) throws LoginException {
        String principal = getKerberosPrincipal(username);
        logger.debug("Validating password of principal: " + principal);
        loginContext = new LoginContext("does-not-matter", null, createJaasCallbackHandler(principal, password),
                createJaasConfiguration());
        loginContext.login();
        logger.debug("Principal " + principal + " authenticated succesfully");
        ** Subject subject = loginContext.getSubject();
        ** for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
        **     System.out.println(ticket.getClient().getName());
        ** }
        return loginContext.getSubject();
    }
The Subject obtained from the loginContext has one KerberosTicket private credential.
Googling has not given me any insight on where I go from here.
Do you have any suggestions?
-----Original Message-----
From: Marek Posolda <mposolda at redhat.com>
Sent: Tuesday, January 29, 2019 4:07 AM
To: Dmitry Telegin <dt at acutus.pro>; Chris Smith <chris.smith at cmfirstgroup.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
+1
GSSCredential is used just during SPNEGO authentication. You may possibly change the built-in authentication flows or userStorage provider, so that after verification with username/password, the GSSCredential will be somehow obtained from the JAAS Subject used for the authentication (see class KerberosUsernamePasswordAuthenticator for the details).
However, I am not sure if this is really possible, and it will require some more deep-dive into the Keycloak codebase and the Kerberos implementation in the JDK... Just a hint...
Marek
On 28/01/2019 07:21, Dmitry Telegin wrote:
> Hello Chris,
>
> AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's possible at all to obtain it outside of Kerberos context, like e.g. via pure LDAP authentication.
>
> Cheers,
> Dmitry
>
> On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
>> Does anyone have feedback about getting a delegated GSSCredential?
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Chris Smith
>> Sent: Wednesday, January 23, 2019 10:12 PM
>> To: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
>>
>> Here is a Diagram of what I'm trying to do
>>
>> From: Chris Smith
>> Sent: Wednesday, January 23, 2019 8:08 AM
>> To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
>> Subject: Get a GSSCredential when user browser is not in Active Directory domain
>>
>> I have set up my servlet to authenticate a user of my web app using
>> Keycloak Active Directory LDAP user federation.
>>
>> I can get a Delegated GSSCredential when the SPNEGO enabled browser runs on a workstation in the AD domain.
>> When the browser workstation is not a member of the AD Domain, Keycloak will authenticate the user id and password entered on the keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.
>>
>> I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i. My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
>>
>> Less than 1% of the users will be using browsers on workstations in the Active Directory domain.
>>
>> Can Keycloak put a GSSCredential for the logged in user in the Access Token when SPNEGO is not available from the browser?
>>
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
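Added example (not Keycloak code and not from any poster in this thread) of the round trip Chris describes, using only JDK JAAS and JGSS APIs: pull the KerberosTicket out of the JAAS Subject that authenticateSubject returns, Base64-encode it in the form a token claim could carry, and rebuild an INITIATE_ONLY GSSCredential from the decoded string on the consuming side. The class name, the expiry check and the deserialization allow-list are my assumptions, not anything the thread specifies.

```java
import java.io.*;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public final class KerberosTicketRoundTrip {
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2"; // Kerberos V5 GSS-API mechanism
    // Assumed allow-list for the classes inside a serialized KerberosTicket; check it against the JDK in use.
    private static final ObjectInputFilter TICKET_ONLY = ObjectInputFilter.Config.createFilter(
            "javax.security.auth.kerberos.*;java.util.Date;java.net.*;!*");

    /** The ticket that LoginContext.login() stored in the Subject's private credentials, or null if none. */
    public static KerberosTicket ticketFrom(Subject subject) {
        return subject.getPrivateCredentials(KerberosTicket.class).stream().findFirst().orElse(null);
    }

    /** KerberosTicket is java.io.Serializable, so Java serialization plus Base64 yields a claim-sized string. */
    public static String serialize(KerberosTicket ticket) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(ticket);
        }
        return Base64.getEncoder().encodeToString(bytes.toByteArray());
    }

    /** Rebuilds the ticket, refuses an expired one, and asks JGSS for an initiator credential based on it. */
    public static GSSCredential toGssCredential(String base64Ticket) throws Exception {
        KerberosTicket ticket;
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(Base64.getDecoder().decode(base64Ticket)))) {
            in.setObjectInputFilter(TICKET_ONLY); // never deserialize arbitrary classes from a token claim
            ticket = (KerberosTicket) in.readObject();
        }
        if (!ticket.isCurrent()) {
            throw new IllegalStateException("Kerberos ticket expired at " + ticket.getEndTime());
        }
        Subject subject = new Subject();
        subject.getPrincipals().add(ticket.getClient());
        subject.getPrivateCredentials().add(ticket);
        // createCredential reads the Subject bound to the current access-control context, hence doAs
        return Subject.doAs(subject, (PrivilegedExceptionAction<GSSCredential>) () ->
                GSSManager.getInstance().createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                        new Oid(KRB5_MECH_OID), GSSCredential.INITIATE_ONLY));
    }
}
```

Whoever can read the resulting claim can act as that user against any Kerberos service, so the token carrying it should be encrypted or confined to the backend (here, the IBM i caller) that needs it. The ticket's own end time, not the access token's, bounds how long the rebuilt credential works.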