183 lines
11 KiB
Text
Executable file
183 lines
11 KiB
Text
Executable file
[[_kerberos]]
|
|
|
|
=== Kerberos
|
|
|
|
{{book.project.name}} supports login with a Kerberos ticket through the SPNEGO protocol.
|
|
SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is used to authenticate transparently through the web browser after the user
|
|
has been authenticated when logging-in his session.
|
|
For non-web cases or when ticket is not available during login, {{book.project.name}} also supports login with Kerberos username/password.
|
|
|
|
A typical use case for web authentication is the following:
|
|
|
|
. User logs into his desktop (Such as a Windows machine in Active Directory domain or Linux machine with Kerberos integration enabled).
|
|
. User then uses his browser (IE/Firefox/Chrome) to access a web application secured by {{book.project.name}}.
|
|
. Application redirects to {{book.project.name}} login.
|
|
. {{book.project.name}} renders HTML login screen together with status 401 and HTTP header `WWW-Authenticate: Negotiate`
|
|
. In case that the browser has Kerberos ticket from desktop login, it transfers the desktop sign on information to the {{book.project.name}}
|
|
in header `Authorization: Negotiate 'spnego-token'` . Otherwise it just displays the login screen.
|
|
. {{book.project.name}} validates token from the browser and authenticates the user.
|
|
It provisions user data from LDAP (in case of LDAPFederationProvider with Kerberos authentication support) or let user
|
|
to update his profile and prefill data (in case of KerberosFederationProvider).
|
|
. {{book.project.name}} returns back to the application.
|
|
Communication between {{book.project.name}} and application happens through OpenID Connect or SAML messages.
|
|
The fact that {{book.project.name}} was authenticated through Kerberos is hidden from the application.
|
|
So {{book.project.name}} acts as broker to Kerberos/SPNEGO login.
|
|
|
|
For setup there are 3 main parts:
|
|
|
|
. Setup and configuration of Kerberos server (KDC)
|
|
. Setup and configuration of {{book.project.name}} server
|
|
. Setup and configuration of client machines
|
|
|
|
==== Setup of Kerberos server
|
|
|
|
This is platform dependent.
|
|
Exact steps depend on your OS and the Kerberos vendor you're going to use.
|
|
Consult Windows Active Directory, MIT Kerberos and your OS documentation for how exactly to setup and configure Kerberos server.
|
|
|
|
At least you will need to:
|
|
|
|
* Add some user principals to your Kerberos database.
|
|
You can also integrate your Kerberos with LDAP, which means that user accounts will be provisioned from LDAP server.
|
|
* Add service principal for "HTTP" service.
|
|
For example if your {{book.project.name}} server will be running on `www.mydomain.org` you may need to add principal `HTTP/www.mydomain.org@MYDOMAIN.ORG`
|
|
assuming that MYDOMAIN.ORG will be your Kerberos realm.
|
|
+
|
|
For example on MIT Kerberos you can run "kadmin" session.
|
|
If you are on same machine where is MIT Kerberos, you can simply use command:
|
|
|
|
[source]
|
|
----
|
|
sudo kadmin.local
|
|
----
|
|
Then add HTTP principal and export his key to keytab file with the commands like:
|
|
|
|
[source]
|
|
----
|
|
|
|
addprinc -randkey HTTP/www.mydomain.org@MYDOMAIN.ORG
|
|
ktadd -k /tmp/http.keytab HTTP/www.mydomain.org@MYDOMAIN.ORG
|
|
----
|
|
|
|
Keytab file `/tmp/http.keytab` will need to be accessible on the host where {{book.project.name}} server will be running.
|
|
|
|
==== Setup and configuration of {{book.project.name}} server
|
|
|
|
You need to install a kerberos client on your machine. This is also platform dependent.
|
|
If you are on Fedora, Ubuntu or RHEL, you can install the package `freeipa-client`, which contains a Kerberos client and bunch of other utilities.
|
|
Configure kerberos client (on linux it's in file `/etc/krb5.conf` ). You need to put your Kerberos realm and at least configure the HTTP domains your server will be running on.
|
|
For the example realm MYDOMAIN.ORG you may configure `domain_realm` section like this:
|
|
|
|
[source]
|
|
----
|
|
[domain_realm]
|
|
.mydomain.org = MYDOMAIN.ORG
|
|
mydomain.org = MYDOMAIN.ORG
|
|
----
|
|
|
|
Next you need to export the keytab file with the HTTP principal and make sure the file is accessible to the process under which {{book.project.name}} server is running.
|
|
For production, it's ideal if it's readable just by this process and not by someone else.
|
|
For MIT Kerberos example above, we already exported keytab to `/tmp/http.keytab` . If your KDC and {{book.project.name}} are running on same host,
|
|
you have that file already available.
|
|
|
|
===== Enable SPNEGO Processing
|
|
|
|
{{book.project.name}} does not have SPNEGO protocol support turned on by default. So, you have to go to the <<fake/../../authentication/flows.adoc#_authentication-flows, browser flow>>
|
|
and enable `Kerberos`.
|
|
|
|
.browser flow
|
|
image:../../{{book.images}}/browser-flow.png[]
|
|
|
|
Switch the `Kerbros` requirement from _disabled_ to either _alternative_ or _required_. _Alternative_ basically means that Kerberos is optional. If
|
|
the user's browser hasn't been configured to work with SPNEGO/Kerberos, then {{book.project.name}} will fall back to the regular login screens. If you set the requirement
|
|
to _required_ then all users must have Kerberos enabled for their browser.
|
|
|
|
===== Configure Kerberos User Storage Federation Provider
|
|
|
|
Now that the SPNEGO protocol is turned on at the authentication server, you'll need to configure how {{book.project.name}} interprets the Kerberos ticket.
|
|
This is done through <fake/../../user-federation.adoc#_user-storage-federation,User Storage Federation>>. We have 2 different federation providers with Kerberos authentication support.
|
|
|
|
If you want to authenticate with Kerberos backed by an LDAP server, you have to first configure the <<fake/../../user-federation/ldap.adoc#_ldap, LDAP Federation Provider>>.
|
|
If you look at the configuration page for your LDAP provider you'll see a `Kerberos Integration` section.
|
|
|
|
.LDAP Kerberos Integration
|
|
image:../../{{book.images}}/ldap-kerberos.png[]
|
|
|
|
Turning on the switch `Allow Kerberos authentication` will make {{book.project.name}} use the Kerberos principal to lookup information about the user so that it can
|
|
be imported into the {{book.project.name}} environment.
|
|
|
|
If your Kerberos solution is not backed by an LDAP server, you have to use the `Kerberos` User Storage Federation Provider. Go to the `User Federation`
|
|
left menu item and select `Kerberos` from the right `Add provider` select box.
|
|
|
|
.Kerberos User Storage Provider
|
|
image:../../{{book.images}}/kerberos-provider.png[]
|
|
|
|
This provider simply parses the Kerberos ticket for principal information and does a small import into the local {{book.project.name}} database.
|
|
User profile information like first name, last name, and email are not provisioned. Just simple user principal information.
|
|
|
|
==== Setup and configuration of client machines
|
|
|
|
Clients need to install kerberos client and setup krb5.conf as described above.
|
|
Additionally they need to enable SPNEGO login support in their browser.
|
|
See link:http://www.microhowto.info/howto/configure_firefox_to_authenticate_using_spnego_and_kerberos.html[configuring Firefox for Kerberos] if you are using that browser.
|
|
URI `.mydomain.org` must be allowed in `network.negotiate-auth.trusted-uris` config option.
|
|
|
|
In windows domain, clients usually don't need to configure anything special as IE is already able to participate in SPNEGO authentication for the windows domain.
|
|
|
|
{% if book.community %}
|
|
==== Example setups
|
|
|
|
For easier testing with Kerberos, we provided some example setups to test.
|
|
|
|
===== {{book.project.name}} and FreeIPA docker image
|
|
|
|
Once you install https://www.docker.com/[docker], you can run docker image with http://www.freeipa.org/[FreeIPA] server installed.
|
|
FreeIPA provides integrated security solution with MIT Kerberos and 389 LDAP server among other things . The image provides also {{book.project.name}}
|
|
server configured with LDAP Federation provider and enabled SPNEGO/Kerberos authentication against the FreeIPA server.
|
|
See details https://github.com/mposolda/keycloak-freeipa-docker/blob/master/README.md[here] .
|
|
|
|
===== ApacheDS testing Kerberos server
|
|
|
|
For quick testing and unit tests, we use very simple http://directory.apache.org/apacheds/[ApacheDS] Kerberos server.
|
|
You need to build {{book.project.name}} from sources and then run Kerberos server with maven-exec-plugin from our testsuite.
|
|
See details https://github.com/keycloak/keycloak/blob/master/misc/Testsuite.md#kerberos-server[here] .
|
|
{% endif %}
|
|
|
|
==== Credential delegation
|
|
|
|
Kerberos 5 supports the concept of credential delegation. In this scenario, your applications may want access to the Kerberos ticket so that
|
|
they can re-use it to interact with other services secured by Kerberos. Since the SPNEGO protocol is processed in the {{book.project.name}} server,
|
|
you have to propagate the GSS credential to your application
|
|
within the OpenID Connect token claim or a SAML assertion attribute that is transmitted to your application from the {{book.project.name}} server.
|
|
To have this claim inserted into the token or assertion, each application will need to enable the built-in protocol mapper called `gss delegation credential`.
|
|
This is enabled in the `Mappers` tab of the application's
|
|
client page. See <<fake/../../clients/protocol-mappers.adoc#_protocol-mappers, Protocol Mappers>> chapter for more details.
|
|
|
|
Applications will need to deserialize the claim it receives from {{book.project.name}} before it can use it to make GSS calls against other services.
|
|
We have an example, that shows this in detail.
|
|
It's in `examples/kerberos` in the {{book.project.name}} example distribution or demo distribution download.
|
|
You can also check the example sources directly https://github.com/keycloak/keycloak/blob/master/examples/kerberos[here] .
|
|
|
|
Once you deserialize the credential from the access token to the GSSCredential object, then GSSContext will need to be created with this credential
|
|
passed to the method `GSSManager.createContext` for example like this:
|
|
|
|
[source]
|
|
----
|
|
GSSContext context = gssManager.createContext(serviceName, krb5Oid,
|
|
deserializedGssCredFromKeycloakAccessToken, GSSContext.DEFAULT_LIFETIME);
|
|
----
|
|
|
|
Note that you also need to configure `forwardable` kerberos tickets in `krb5.conf` file and add support for delegated credentials to your browser.
|
|
For details, see the kerberos example from {{book.project.name}} examples set as mentioned above.
|
|
|
|
WARNING: Credential delegation has some security implications so only use it if you really need it.
|
|
It's highly recommended to use it together with HTTPS.
|
|
See for example http://www.microhowto.info/howto/configure_firefox_to_authenticate_using_spnego_and_kerberos.html#idp27072[this article] for more details.
|
|
|
|
==== Troubleshooting
|
|
|
|
If you have issues, we recommend that you enable additional logging to debug the problem:
|
|
|
|
* Enable `Debug` flag in admin console for Kerberos or LDAP federation providers
|
|
* Enable TRACE logging for category `org.keycloak` in logging section of `$WILDFLY_HOME/standalone/configuration/standalone.xml` to receive more info `$WILDFLY_HOME/standalone/log/server.log`
|
|
* Add system properties `-Dsun.security.krb5.debug=true` and `-Dsun.security.spnego.debug=true`
|