[keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain

Chris Smith chris.smith at cmfirstgroup.com
Sun Jan 27 22:04:36 EST 2019


Does anyone have feedback about getting a delegated GSSCredential?

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Chris Smith
Sent: Wednesday, January 23, 2019 10:12 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain

Here is a diagram of what I'm trying to do.

From: Chris Smith
Sent: Wednesday, January 23, 2019 8:08 AM
To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
Subject: Get a GSSCredential when user browser is not in Active Directory domain

I have set up my servlet to authenticate a user to my web app using Keycloak Active Directory LDAP user federation.

I can get a Delegated GSSCredential when the SPNEGO-enabled browser runs on a workstation in the AD domain.
When the browser workstation is not a member of the AD domain, Keycloak will authenticate the user ID and password entered on the Keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.

I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i.  My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).

Less than 1% of the users will be using browsers on workstations in the Active Directory domain.

Can Keycloak put a GSSCredential for the logged-in user in the Access Token when SPNEGO is not available from the browser?




