The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

This topic is about the use of Kerberos strictly on the IdP server. If you're looking for the end-to-end use of Kerberos with a web browser using the SPNEGO GSS-API mechanism (often referred to as desktop authentication), see the SPNEGOAuthnConfiguration topic.

Current File(s): conf/authn/krb5-authn-config.xml

Format: Native Spring

V2 Legacy File(s): conf/handler.xml, conf/login.config

Overview

This back-end for the password authentication login flow uses the Oracle Java implementation's Kerberos library for password-based authentication instead of using a JAAS module. The primary advantage is the additional capability to prevent a rogue KDC from spoofing responses by validating its knowledge of a service principal key configured locally in a keytab file, which is a standard practice for safe use of Kerberos.

General Configuration

Configuring Kerberos as a back-end requires that the right import is active in authn/password-authn-config.xml:

Import in authn/password-authn-config.xml
<import resource="krb5-authn-config.xml" />

The other imports must be commented or removed.

A few beans are defined in authn/krb5-authn-config.xml to configure this back-end by setting some Kerberos-related options.

A bean alias is also defined that instantiates the Kerberos back-end action as the "ValidateUsernamePassword" step of the web flow. This must not be changed.

Kerberos Configuration

The actual Kerberos configuration is managed in a conf or ini file that can be placed in a number of different locations. On non-Windows servers, using a system-wide configuration in /etc/krb5.conf is generally advised. It's possible to have Java-specific configurations and/or provide the path to a configuration using a system property, as discussed here.

Reference

Beans

The beans defined in authn/krb5-authn-config.xml follow:

Bean ID
Type
Default
Function
shibboleth.authn.Krb5.RefreshConfig       BooleanFalseWhether to reload the underlying Kerberos configuration (generally in /etc/krb5.conf) on every login attempt
shibboleth.authn.Krb5.PreserveTicketBooleanFalseWhether to preserve the resulting Kerberos TGT in the Java Subject's private credential set
shibboleth.authn.Krb5.ServicePrincipal3.2String Name of a service principal to use to verify the KDC supplying the TGT, by requesting and verifying a service ticket issued for it
shibboleth.authn.Krb5.Keytab3.2Path Path to a keytab file containing keys belonging to the service principal defined above

Notes

TBD

  • No labels