diff --git a/docbook/reference/en/en-US/modules/kerberos.xml b/docbook/reference/en/en-US/modules/kerberos.xml index 31c8d10bd7..c4ff1be190 100644 --- a/docbook/reference/en/en-US/modules/kerberos.xml +++ b/docbook/reference/en/en-US/modules/kerberos.xml @@ -215,10 +215,11 @@ ktadd -k /tmp/http.keytab HTTP/www.mydomain.org@MYDOMAIN.ORG The scenario is supported by Keycloak, but there is tricky thing that SPNEGO authentication is done by Keycloak server but GSS credential will need to be used by your application. So you need to enable built-in gss delegation credential protocol mapper in admin console for your application. This will cause that Keycloak will deserialize GSS credential and transmit it to the application - in access token. Application will need to deserialize it and use it for further GSS calls against other services. + in access token. Application will need to deserialize it and use it for further GSS calls against other services. We have an example, which is showing it in details. It's in examples/kerberos + in the Keycloak appliance distribution or WAR distribution download. You can also check the example sources directly here . - GSSContext will need to + Once you deserialize the credential from the access token to the GSSCredential object, then GSSContext will need to be created with this credential passed to the method GSSManager.createContext for example like this: Note that you also need to configure forwardable kerberos tickets in krb5.conf file - and add support for delegated credentials to your browser. See the kerberos example from Keycloak example set for details. + and add support for delegated credentials to your browser. For details, see the kerberos example from Keycloak examples set as mentioned above.
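Review bot: The unchanged context line just above the first added sentence says "Keycloak will deserialize GSS credential and transmit it to the application", which should read "serialize", because the application is the side that deserializes. The new text about deserializing the credential into a GSSCredential object now builds on that sentence, so it is worth correcting in this change. In the added lines, "We have an example, which is showing it in details" reads better as "An example shows this in detail", and "examples set" in the last added line should be "example set". Please also confirm that "check the example sources directly here" still carries its link target in the XML. Finally, since this paragraph documents that a delegated GSS credential travels inside the access token, consider adding one sentence telling readers to handle that token as they would the Kerberos credential itself (transport over TLS only, kept out of logs).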