MobileFirst issues with OAuth login security flow and tokens - java

We have an issue in a distributed environment when we log in with our authentication adapter. After a while, the user's session is redirected to login.
Where are tokens stored on the MobileFirst server? Is that configurable?

Related

Keycloak GSS Credential delegation when browser not in AD Domain

I have a Web App that uses Keycloak/OpenID Connect to authenticate a user to a Windows AD.
Users will not be using a browser on a workstation in the Windows AD domain.
The Web App server (Tomcat with Keycloak adapter) is running in the Windows AD domain.
The Web App is configured for Keycloak/OpenID Connect.
Keycloak realm is configured to use the Windows AD Kerberos/LDAP.
The user browser forwards to the Keycloak login and, following a successful login, forwards back to the web app.
The Web App needs to connect to an IBM i using a Kerberos ticket/GSS Credential.
The IBM i is configured for SSO/EIM using the Windows AD. It works.
I configured the Keycloak client for GSS Credential Forwarding.
I try to get the GSS Credential from the Servlet request using the Keycloak client:
// Imports for the snippet below (servlet protected by the Keycloak adapter)
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.ietf.jgss.GSSCredential;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.common.constants.KerberosConstants;
import org.keycloak.common.util.KerberosSerializationUtils;
import org.keycloak.representations.AccessToken;
// Obtain accessToken in your application (request is the HttpServletRequest, wtr the response writer).
KeycloakPrincipal<KeycloakSecurityContext> kcp = (KeycloakPrincipal<KeycloakSecurityContext>) request.getUserPrincipal();
AccessToken at = kcp.getKeycloakSecurityContext().getToken();
String username = at.getPreferredUsername();
wtr.append("Windows User: ").append(username).append(newLine);
// Retrieve kerberos credential from accessToken and deserialize it
Map<String, Object> otherClaims = at.getOtherClaims();
Object otherClaim = otherClaims.get(KerberosConstants.GSS_DELEGATION_CREDENTIAL);
String serializedGSSCred = (String) otherClaim; // null when the claim was not mapped into the token
GSSCredential gssCredential = KerberosSerializationUtils.deserializeCredential(serializedGSSCred);
The "otherClaims" map is empty.
So deserializing throws a null pointer exception with the message
org.keycloak.common.util.KerberosSerializationUtils$KerberosSerializationException: Null credential given as input. Did you enable kerberos credential delegation for your web browser and mapping of gss credential to access token?, Java version: 1.8.0_152, runtime version: 1.8.0_152-b16, vendor: Oracle Corporation, os: 6.2
at org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(KerberosSerializationUtils.java:70)
What am I missing?
As "Users will not be using a browser on a workstation in the Windows AD domain", Keycloak will never receive GSS credentials from the browser and so cannot forward them to your Java Web App.
As far as I found in the Keycloak documentation Kerberos section, Keycloak does not support Kerberos Constrained Delegation (yet) and so cannot impersonate the user, i.e. generate a TGT on behalf of the end user based on their login name.
From my point of view, your Java Web App has to invoke Kerberos Constrained Delegation S4U2Self for impersonation and then request a TGS for the expected SPN with S4U2Proxy to authenticate with the IBM i service.
You can refer to the following examples to get that achieved:
https://github.com/ymartin59/java-kerberos-sfudemo
https://github.com/tellisnz/collared-kerberos
For the browser to be able to negotiate (SPNEGO) it needs to be on the AD domain (also the delegation needs to be set up at the AD level, using the msDS-AllowedToDelegateTo field) in order for the KC to impersonate the user on the backend service.
I would expect you get a 401 (Unauthorized) to which your browser cannot respond, as it won't be able to get a Kerberos ticket.
You could in theory do basic authentication against the web server, get a Kerberos ticket on your webapp and forward it to the backend...
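The S4U2Self/S4U2Proxy flow the answer recommends, as an added example in Java (not code from the question, the answer, or the linked projects). It assumes a JAAS entry named WebAppService backed by the web app's own keytab, a target SPN in host-based form such as host@ibmi.example.org, and that the web app's AD account is allowed to delegate to that SPN; all three are placeholders for this example. It uses the JDK's com.sun.security.jgss.ExtendedGSSCredential.impersonate, which is the Java API for S4U2Self.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSCredential;

/*
 * Hypothetical helper for the flow in the answer above: the web app logs in with its own
 * keytab, asks the KDC for a ticket to itself on behalf of the user (S4U2Self), then uses
 * that to obtain a service ticket for the IBM i SPN (S4U2Proxy). Nothing comes from the
 * browser; the user name is the one Keycloak placed in the OIDC access token.
 *
 * Assumed JAAS entry (file passed via -Djava.security.auth.login.config=...):
 *
 *   WebAppService {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *       useKeyTab=true storeKey=true doNotPrompt=true isInitiator=true
 *       keyTab="/etc/webapp.keytab"
 *       principal="HTTP/webapp.example.org@EXAMPLE.ORG";
 *   };
 *
 * On the AD side the web app's account must be trusted for constrained delegation to the
 * target SPN (msDS-AllowedToDelegateTo), as noted in the answer; without that the KDC
 * refuses the S4U2Proxy step and initSecContext throws a GSSException.
 */
public class ConstrainedDelegation {

    private static final String JAAS_ENTRY = "WebAppService"; // assumed entry name
    private static final Oid KRB5_MECH = krb5Oid();

    private static Oid krb5Oid() {
        try {
            return new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Returns the initial AP-REQ token for targetSpn, issued with userPrincipal
     * (e.g. "alice@EXAMPLE.ORG", built from the token's preferred_username plus the
     * realm) as the client. targetSpn is host-based, e.g. "host@ibmi.example.org".
     */
    public static byte[] serviceTokenOnBehalfOf(String userPrincipal, String targetSpn)
            throws Exception {
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login(); // keytab login, no user interaction
        Subject serviceSubject = lc.getSubject();
        try {
            return Subject.doAs(serviceSubject, (PrivilegedExceptionAction<byte[]>) () -> {
                GSSManager manager = GSSManager.getInstance();
                GSSCredential serviceCred = manager.createCredential(
                        null, GSSCredential.DEFAULT_LIFETIME, KRB5_MECH, GSSCredential.INITIATE_ONLY);
                GSSName user = manager.createName(userPrincipal, GSSName.NT_USER_NAME);

                // S4U2Self: a credential for 'user', obtained with the service's own key.
                GSSCredential impersonated =
                        ((ExtendedGSSCredential) serviceCred).impersonate(user);

                GSSName target = manager.createName(targetSpn, GSSName.NT_HOSTBASED_SERVICE);
                GSSContext ctx = manager.createContext(
                        target, KRB5_MECH, impersonated, GSSContext.DEFAULT_LIFETIME);
                ctx.requestMutualAuth(false);
                try {
                    // S4U2Proxy happens inside initSecContext: the KDC issues a ticket for
                    // targetSpn with 'user' as the client, provided delegation is allowed.
                    return ctx.initSecContext(new byte[0], 0, 0);
                } finally {
                    ctx.dispose();
                    impersonated.dispose();
                    serviceCred.dispose();
                }
            });
        } finally {
            lc.logout();
        }
    }
}
```

The returned bytes are what the web app sends to the IBM i service as its Kerberos authenticator; if that service answers with a mutual-authentication token, keep the GSSContext alive instead of disposing it here. Failures in the impersonate or initSecContext calls are the place to look when the AD delegation settings are wrong, and running with -Dsun.security.krb5.debug=true shows the S4U exchanges with the KDC.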

Getting a Kerberos Token from a SAML attribute or assertion?

I have an app running on Linux that needs to access a database via the end user's identity. Currently the user logs into the app by entering their email address and password in a form. The email address and password are validated against LDAP. The user's group memberships are retrieved from LDAP and used to set the security groups and roles in my application. I cache the password and can use it to connect to the database on behalf of that user as needed. This works because, via the SSO integration, the passwords that work with LDAP also work with the database.
The customer wants to move to SAML authentication. The problem is that my app will never get the password, so I never get a chance to cache it for later use. I need a way to authenticate to the database on behalf of that user.
One possibility would be if the SAML provider could pass back a Kerberos token. I could then use that Kerberos identity to authenticate to the database on behalf of the user.
The customer is using Tivoli Federated Identity Manager 6.2.2 for SAML with Active Directory providing LDAP/Kerberos. My application is written in JRuby (Ruby on the JVM) so my Kerberos authentication would use Java's facilities, and my database connectivity would use JDBC.

Jasper token based authentication with internal users

I have a Jasper server 6.3 commercial version. I have created a set of users in Jasper. Also I have an application where the same users will be authenticated and have the auth token. I need to pass the token with the request to Jasper and log in as that user without getting the login screen.
I read the token-based authentication cookbook and it only covers authentication with external users who were not previously created in Jasper.
I thought of putting a custom authentication provider in for this. Would that be a good option?
Please help.
Thanks.
Thusira.

change/retrieve CAS Server TGT cookie values after login

I'm not very clear on how Single Log Out works with CAS server 4.1 and hope for a clear and simple explanation to help resolve an issue I'm having with my client applications.
Currently SSO works fine with my two applications.
Users can log in to applications A, B and C. A and B are Ruby on Rails applications using the ruby-cas client; C is a Java application using Acegi Security (now Spring Security).
When users log out of application A, they are redirected to the CAS server logout view, but are still logged in to applications B and C. The same goes for logging out of B or C.
Is SLO for CAS server 4.1 enabled by default?
Does SLO require any special configuration to work on CAS server?
Is there a way to get and store the CAS TGT cookie (value of the CAS cookie)?
Probably not the ideal solution, but it seems to do the job. Using CAS server 4.1:
Edit the ticketGrantingTicketCookieGenerator.xml file in spring-configuration.
Deploy CAS server as the ROOT application, to avoid editing the InitialFlowSetupAction.java class.
Changing the path of the CAS ticket granting ticket cookie to a wildcard domain is not recommended for security reasons. In this particular case, achieving single logout required it.
First create a filter in your application that saves the CAS ticket granting cookie value to your session and, on each request, checks that the cookie value saved in your session matches the cookie value from the request; if not, invalidate the session and the user will be redirected to CAS login, else it's business as usual.
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      c:casCookieValueManager-ref="cookieValueManager"
      p:cookieSecure="true"
      p:cookieMaxAge="-1"
      p:cookieName="TGC"
      p:cookieDomain=".example.org"
      p:cookiePath="/"/>
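The filter described in the answer, as an added example in Java for the servlet application (C); it is not code from the answer. It assumes the cookie name TGC from the bean above, that the application is served under the .example.org cookie domain so the browser sends the TGC to it, and that the filter is mapped after the CAS client authentication filter so a session already exists. As a design choice beyond the answer, it stores only a SHA-256 digest of the cookie in the session, because the TGC is the bearer credential for the whole CAS SSO session.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Hypothetical filter for the scheme in the answer above. Map it after the CAS client
 * authentication filter. The first request that carries a TGC binds the local session
 * to that cookie; any later request whose TGC differs or is missing (CAS logout from
 * another application, or a fresh CAS login) invalidates the local session.
 */
public class TgcBindingFilter implements Filter {

    static final String TGC_COOKIE = "TGC";            // cookieName from the answer's config
    static final String BOUND_ATTR = "cas.tgc.digest"; // assumed session attribute name

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);

        if (session != null) {
            String current = digest(tgcValue(request)); // null when the cookie is absent
            String bound = (String) session.getAttribute(BOUND_ATTR);

            if (bound == null) {
                if (current != null) {
                    session.setAttribute(BOUND_ATTR, current); // first sight: bind session to this TGC
                }
            } else if (!bound.equals(current)) {
                // TGC gone (CAS logout) or replaced (new CAS login): drop the local session.
                session.invalidate();
                // Re-request the same URL; the CAS client filter now sees no session and
                // sends the user to the CAS login page.
                response.sendRedirect(request.getRequestURI());
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** Value of the TGC cookie on this request, or null when absent. */
    static String tgcValue(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (TGC_COOKIE.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    /** Hex SHA-256 of the value, or null for null input; the raw TGC never enters the session. */
    static String digest(String value) {
        if (value == null) return null;
        try {
            byte[] h = MessageDigest.getInstance("SHA-256")
                    .digest(value.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(h.length * 2);
            for (byte b : h) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Register it in web.xml (or with @WebFilter) on the same URL pattern as the CAS client filters, ordered after them. Because the check runs on every request, a user who logs out of application A loses their session in C on their next click there, which is the single-logout behaviour the answer is reproducing without true CAS SLO callbacks; the caveat in the answer still applies, since widening the TGC cookie domain exposes that cookie to every host under .example.org.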

Kerberos WAS 7 fallback to application authentication (LDAP)

We have implemented Kerberos-based SSO for my application; it is integrated with domain1.com users and it is working fine. But there are a few accounts which are not in the domain1.com domain; they are in domain2.com, so we wanted to provide our custom login screen for entering user credentials and then authenticate them against LDAP with our own Java code. So the scenario is: if a user is trying to access my application, then SSO should happen automatically if they fall in domain1.com; otherwise, show the customised login screen where they enter their credentials, and the application will authenticate them and grant access to the application resources.
How to achieve this?
WebSphere 7+ has support for falling back to the application authentication mechanism.
In the admin console, do the following steps:
Go to Security > Global security > SPNEGO web authentication
Select "Allow fall back to application authentication mechanism"
You can find more information here.
