Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-3842

SPNEGO: Support for multiple kerberos realms

    XMLWordPrintable

Details

    Description

      Usecase:

      • I have environment with 2 kerberos realms (eg. REALM1.ORG and REALM2.ORG )
      • I want to configure both kerberos realms in Keycloak realm
      • During user authentication, if I receive SPNEGO header like: "Authorization: Negotiate some-token", I want to first try the SPNEGO authentication against kerberos realm REALM1.ORG.
        If it fails, then fallback to second realm REALM2.ORG .
        Only if the second realm fails too, just fallback to username/password form (or other configured authenticators) as it is now.

      Implementation note:
      Kerberos handshake can be done in multiple steps (HTTP requests). So it seems we will need to track the initial SPNEGO token sent by the browser in clientSession note, so the authenticator for REALM2 will be able to start with the initial token sent in the first request.

      Example flow:
      1) Browser sent "Authorization: Negotiate request-token-1"
      2) SPNEGO authenticator for REALM1 returns "WWW-Authenticate: Negotiate response-token1"
      3) Browser sent "Authorization: Negotiate request-token-2"
      4) SPNEGO authenticator for REALM1 fails the SPNEGO handshake with request-token-2
      5) Now I want to re-try SPNEGO authentication with REALM2. But I need the original token "request-token1" because browser won't send me another one. That's why the "request-token1" would be probably needed to be stored in the clientSession

      Attachments

        Issue Links

          causes

          Enhancement - An enhancement or refactoring of existing functionality RHSSO-1196 [GSS] Support for multiple kerberos realms (cross domain trust)

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is duplicated by

          Enhancement - An enhancement or refactoring of existing functionality KEYCLOAK-2951 SSO does not work if more than one federation provider (ldap with kerberos) is registered

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed
          is related to

          Task - A task that needs to be done. KEYCLOAK-6038 Automated test for Kerberos cross-realm trust

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Task - A task that needs to be done. KEYCLOAK-8029 Documentation for Kerberos cross-realm trust

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          relates to

          Enhancement - An enhancement or refactoring of existing functionality KEYCLOAK-6225 Support for provider fallback during authentication flow when authenticating with Kerberos

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Enhancement - An enhancement or refactoring of existing functionality KEYCLOAK-7270 First Broker Login Link Without Authentication

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            Public project attachment banner

              context keys: [headless, issue, helper, isAsynchronousRequest, project, action, user]
              current Project key: KEYCLOAK

              People

                mposolda@redhat.com Marek Posolda
                mposolda@redhat.com Marek Posolda
                Pavel Drozd Pavel Drozd
                Votes:
                5 Vote for this issue
                Watchers:
                11 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: