[keycloak-user] Valid Sender ? - Re: Authentication fails for OTP user with kerberos
Jochen Hein
jochen at jochen.org
Wed Jan 17 16:48:42 EST 2018
Marek Posolda <mposolda at redhat.com> writes:
> The integration with FreeIPA is supposed to use the SSSD userStorage
> provider. I have a few questions to clarify:
>
> 1. If you have the SSSD provider and your user doesn't have a kerberos
> ticket, does Keycloak authentication work for both password-only and
> password+otp users?
Yes, that is correct.
> 2. If you have SSSD provider and your user has kerberos ticket, are
> you able to authenticate with Kerberos+SPNEGO?
No, I'm not able to connect with Kerberos. I did the following:
- I created a new realm "sso"
- There is one User Federation "sssd"
- In the SSSD provider /etc/sssd/sssd.conf:
[ifp]
allowed_uids = root, keycloak
user_attributes = +mail, +telephoneNumber, +givenname, +sn
- Under Authentication -> Flows I've added "Kerberos" as "Alternative"
to the browser flow.
- When I open https://saml.example.org/auth/realms/sso/account/ I'll see
in server.log:
2018-01-17 22:37:02,825 WARN [org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator] (default task-4) Received kerberos token, but there is no user storage provider that handles kerberos credentials.
I'm not logged in, but can authenticate with password+OTP.
As far as I understood, only the Kerberos and LDAP user storage providers can
handle kerberos authentication. I also tried to have two user federations
(sssd and kerberos), but I only got one of them to work in the realm.
Jochen
--
This space is intentionally left blank.
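As an added troubleshooting helper (not part of this thread or of Keycloak), the script below checks an sssd.conf [ifp] section for the settings described above and flags the SpnegoAuthenticator warning in server.log; the sample config and log lines are constructed from the values quoted in the message.

```python
import configparser
import re

# Constructed sssd.conf fragment, modelled on the [ifp] section quoted in the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ifp

[ifp]
allowed_uids = root, keycloak
user_attributes = +mail, +telephoneNumber, +givenname, +sn
"""

# Constructed server.log lines; the WARN line mirrors the one quoted in the thread.
SAMPLE_SERVER_LOG = """\
2018-01-17 22:37:01,100 INFO  [org.keycloak.services] (default task-4) KC-SERVICES0001: Loading config
2018-01-17 22:37:02,825 WARN  [org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator] (default task-4) Received kerberos token, but there is no user storage provider that handles kerberos credentials.
"""

# Attributes the SSSD provider needs exposed through the InfoPipe (from the thread's config).
REQUIRED_ATTRS = {"+mail", "+telephoneNumber", "+givenname", "+sn"}
# Matches the warning Keycloak logs when a SPNEGO token arrives but no Kerberos-capable provider exists.
SPNEGO_NO_PROVIDER = re.compile(
    r"WARN\s+\[org\.keycloak\.authentication\.authenticators\.browser\.SpnegoAuthenticator\]"
    r".*no user storage provider that handles kerberos credentials"
)


def check_ifp_section(conf_text, service_user="keycloak"):
    """Return a list of problems found in the [ifp] section (empty list means OK)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section("ifp"):
        return ["missing [ifp] section"]
    problems = []
    uids = {u.strip() for u in parser.get("ifp", "allowed_uids", fallback="").split(",") if u.strip()}
    if service_user not in uids:
        problems.append(f"allowed_uids does not include {service_user}")
    attrs = {a.strip() for a in parser.get("ifp", "user_attributes", fallback="").split(",") if a.strip()}
    missing = REQUIRED_ATTRS - attrs
    if missing:
        problems.append("user_attributes missing: " + ", ".join(sorted(missing)))
    return problems


def spnego_without_provider(log_text):
    """Return the timestamps of SPNEGO attempts that found no Kerberos-capable user storage provider."""
    return [line[:23] for line in log_text.splitlines() if SPNEGO_NO_PROVIDER.search(line)]
```

A non-empty result from spnego_without_provider() with a clean [ifp] section points at the provider limitation discussed in the thread rather than at the SSSD configuration.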