A bit more details about Kerberos and LDAP mappers in docs
This commit is contained in:
parent
975dcb68a9
commit
804fb2dc96
2 changed files with 32 additions and 2 deletions
|
@ -154,7 +154,7 @@ ktadd -k /tmp/http.keytab HTTP/www.mydomain.org@MYDOMAIN.ORG
|
||||||
</listitem>
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Finally run Keycloak server and configure SPNEGO/Kerberos authentication in Keycloak admin console. Keycloak supports Kerberos authentication
|
Run Keycloak server and configure SPNEGO/Kerberos authentication in Keycloak admin console. Keycloak supports Kerberos authentication
|
||||||
through <link linkend='user_federation'>Federation provider SPI</link> . We have 2 federation providers with Kerberos authentication support:
|
through <link linkend='user_federation'>Federation provider SPI</link> . We have 2 federation providers with Kerberos authentication support:
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
@ -185,6 +185,20 @@ ktadd -k /tmp/http.keytab HTTP/www.mydomain.org@MYDOMAIN.ORG
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
Finally you may need to check the Kerberos authenticator correctly configured. You can go to <literal>Authentication</literal> tab in
|
||||||
|
admin console and select <literal>Browser</literal> flow. Here you will see <literal>Kerberos</literal> authenticator, which is used by Keycloak for SPNEGO
|
||||||
|
handshake with client (exchange <literal>Negotiate</literal> header etc.). By default it's disabled, so Keycloak doesn't ask for Negotiate header, however once you
|
||||||
|
configured federation provider in previous step, it's automatically switched to <literal>ALTERNATIVE</literal>. So defacto you don't need to do anything, just
|
||||||
|
check that it's really switched to Alternative.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
Alternative means that Keycloak tries to ask browser for Negotiate header, but if it's not available, it will continue on next authenticator (which usually means
|
||||||
|
displaying username/password form to user). You can switch to <literal>REQUIRED</literal> if you want to enforce login with
|
||||||
|
kerberos ticket and not allow fallback to username/password form.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section>
|
<section>
|
||||||
|
|
|
@ -294,8 +294,24 @@
|
||||||
We have an example, which is showing LDAP integration and set of base mappers and sample mappers (mappers for street and postalCode) . It's in <literal>examples/ldap</literal>
|
We have an example, which is showing LDAP integration and set of base mappers and sample mappers (mappers for street and postalCode) . It's in <literal>examples/ldap</literal>
|
||||||
in the Keycloak example distribution or demo distribution download. You can also check the example sources directly <ulink url="https://github.com/keycloak/keycloak/blob/master/examples/ldap">here</ulink> .
|
in the Keycloak example distribution or demo distribution download. You can also check the example sources directly <ulink url="https://github.com/keycloak/keycloak/blob/master/examples/ldap">here</ulink> .
|
||||||
</para>
|
</para>
|
||||||
|
<section>
|
||||||
|
<title>Writing your own LDAP Mapper</title>
|
||||||
|
<para>
|
||||||
|
For the more advanced usecases, you have the possibility to create your own implementation of LDAP mapper or just subclass from
|
||||||
|
some already existing mapper implementation. You will need to implement <literal>UserFederationMapperFactory</literal> interface. In most cases, instead of
|
||||||
|
creating <literal>UserFederationMapperFactory</literal> from scratch, you can create subclasses of <literal>AbstractLDAPFederationMapperFactory</literal>, which itself
|
||||||
|
implements <literal>UserFederationMapperFactory</literal>. Then you need to create mapper implementation, which will be subclass of
|
||||||
|
<literal>AbstractLDAPFederationMapper</literal> (this mapper implementation will be returned by <literal>YourAbstractLDAPFederationMapperFactorySubclass.createMapper</literal> method).
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
After your code is written you must package up all your classes within a JAR file. This jar file must contain a file called
|
||||||
|
<literal>org.keycloak.mappers.UserFederationMapperFactory</literal> within the <literal>META-INF/services directory</literal> of the JAR. This file is a list of fully
|
||||||
|
qualified classnames of all implementations of <literal>UserFederationMapperFactory</literal>. For more details, look at section for
|
||||||
|
<link linkend="write_federation_provider">Write your own federation provider</link> and at <link linkend="providers">Providers and SPI</link> section.
|
||||||
|
</para>
|
||||||
|
</section>
|
||||||
</section>
|
</section>
|
||||||
<section>
|
<section id="write_federation_provider">
|
||||||
<title>Writing your own User Federation Provider</title>
|
<title>Writing your own User Federation Provider</title>
|
||||||
<para>
|
<para>
|
||||||
The keycloak examples directory contains an example of a simple User Federation Provider backed by
|
The keycloak examples directory contains an example of a simple User Federation Provider backed by
|
||||||
|
|
Loading…
Reference in a new issue