Kerberos authentication and user provisioning

Hi all, right now I can't implement Kerberos authentication so I can't try it… but I have a doubt related to it.

After a correct Kerberos authentication, is the user imported into the Keycloak DB like a federated user?
It adds the users to the internal DB only after authentication, so I imagine it is not possible to provision all users…

I need to understand this because I need to manually add some roles to these users in an authorization logic.

Thanks

After Kerberos authentication, I can confirm that the user is imported into the Keycloak DB just like a federated user. They can then get assigned roles, etc. in the console.

Thanks for the reply!
If I integrate Kerberos using a User Federation with AD (enabling Kerberos inside the User Federation and not as a new user federation), I imagine that in that case the users are the same users imported during the AD User Federation, so it will not create new users.
Is that correct?

Keycloak “User Federation” with the Kerberos provider creates users in Keycloak with the AD SAM account name as the Keycloak Username. As far as I can tell, this does not appear to be configurable. These users only appear upon first login. In my case, the SAM format is FIRST.LAST.

My Keycloak “Identity Provider” with the SAML provider to AD-FS creates users in Keycloak with a custom account name for the Keycloak Username. In my case this is FIRST.LAST@AD-DOMAIN. Note that this is not the same as the usernames created by the Kerberos provider. This is by design. However, here the Keycloak Username is configurable through Keycloak’s “Identity Provider” fields for “Principal Type” and “Principal Attribute”. I also use a Username Template Importer to construct the username from a SAML claim.

Could an AD user be the same user in Keycloak regardless of using Kerberos or SAML? Yes. If configured to do so, both entry points could create users with the same Keycloak username format. In cases of clashes, the users could optionally link. That could depend on realm settings such as “Login with email” and “Duplicate emails” if the email addresses clash.

Thanks for the reply. Maybe I didn't explain my question well.
Does configuring Kerberos inside an AD user federation, rather than a “stand-alone” Kerberos user federation, avoid creating a new user at Kerberos login?

My goal is to use the same AD users imported during User Federation creation: I don't want the Kerberos login to create a new user, but, since the AD is the same, to validate the existing users.

I imagine that this is possible, and maybe it is the reason for having the Kerberos integration inside the AD user federation.

Thanks

Hi, in the end I tested it in a lab and I can confirm that, with Kerberos configured inside an LDAP user storage provider, the user who authenticates with Kerberos is NOT created as a new user; the session is bound to the user imported from AD/LDAP.
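As an added example (not code from the thread or from the Keycloak project), here is a small audit that a Keycloak administrator could run over the output of the admin REST endpoint `GET /admin/realms/{realm}/users` to verify what the two replies above describe: that Kerberos logins attach to the LDAP-imported user (the `federationLink` attribute points at the user storage provider) instead of creating a second account, and that Kerberos- and SAML-created usernames (FIRST.LAST versus FIRST.LAST@AD-DOMAIN) have not produced duplicate accounts for the same person. The sample JSON is constructed for this example and trimmed to the `UserRepresentation` fields the check needs; the provider id value is a placeholder.

```python
import json
from collections import defaultdict

# Constructed sample response (trimmed UserRepresentation objects). In a real run
# this would be the body returned by GET /admin/realms/{realm}/users.
SAMPLE_USERS_JSON = """
[
  {"username": "john.doe",
   "email": "John.Doe@corp.example",
   "federationLink": "ldap-provider-id-placeholder"},
  {"username": "jane.roe",
   "email": "jane.roe@corp.example",
   "federationLink": "ldap-provider-id-placeholder"},
  {"username": "jane.roe@corp.example",
   "email": "jane.roe@corp.example"},
  {"username": "svc.local"}
]
"""


def canonical_identity(user):
    """Key used to decide whether two Keycloak accounts represent one person.

    Email is preferred because the Kerberos provider (SAM account name, e.g.
    FIRST.LAST) and a SAML identity provider (e.g. FIRST.LAST@AD-DOMAIN) produce
    different usernames for the same AD user. Without an email, the username is
    normalised by stripping any '@domain' suffix and lowercasing.
    """
    email = user.get("email")
    if email:
        return email.strip().lower()
    return user["username"].split("@", 1)[0].lower()


def find_duplicate_identities(users):
    """Return {identity: [usernames]} for identities backed by more than one account."""
    by_identity = defaultdict(list)
    for user in users:
        by_identity[canonical_identity(user)].append(user["username"])
    return {ident: names for ident, names in by_identity.items() if len(names) > 1}


def local_only_users(users):
    """Usernames with no federationLink, i.e. not bound to any user storage provider.

    After a Kerberos login through an LDAP provider, the authenticated user should
    appear here only if it was created as a plain local account, which is exactly
    the situation the thread wants to avoid.
    """
    return [u["username"] for u in users if not u.get("federationLink")]


def audit_users(users_json):
    """Run both checks over the raw JSON list and return the findings."""
    users = json.loads(users_json)
    return {
        "duplicates": find_duplicate_identities(users),
        "local_only": local_only_users(users),
    }


if __name__ == "__main__":
    for kind, finding in audit_users(SAMPLE_USERS_JSON).items():
        print(f"{kind}: {finding}")
```

On the sample data the audit reports `jane.roe` and `jane.roe@corp.example` as two accounts for one identity (the Kerberos/SAML clash the second reply describes) and lists the SAML-created and local accounts as having no `federationLink`. Against a real realm, an empty `duplicates` map and no LDAP-sourced usernames in `local_only` after a Kerberos login confirms the behaviour reported in the last post.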