1) Kerberos client authentication in the IdP
Recall that the Apache Fediz IdP in 1.2.0 supports different client authentication methods by default using different URL paths. In particular for Kerberos, the URL path is:
- /federation/krb -> authentication using Kerberos
2) Authenticating Kerberos tokens in the IdP
The IdP supports two different ways of validating Kerberos tokens:
- Passthrough Authentication. Here we do not authenticate the Kerberos token at all in the IdP, but pass it through to the STS for authentication. This is similar to what is done for the Username/Password authentication case. The default security binding of the STS for this scenario requires a KerberosToken Supporting Token. This is the default way of authenticating Kerberos tokens in the IdP.
- Delegation. If delegation is enabled in the IdP, then the received token is validated locally in the IdP. The delegated credential is then used to get a new Kerberos Token to authenticate the STS call "on behalf of" the original user.
set the "requireDelegation" property to "true", and configure the kerberosTokenValidator property to validate the received Kerberos token: