
For a school project we must bind Wildfly with Kerberos and OpenAM over the SAML connection together. I was searching on the internet and had read that Kerberos and OpenAM are commonly used together.

I don't understand why.

Kerberos and OpenAM are two protocols for single sign-on. So you can use Kerberos or OpenAM.

jurh
    Kerberos is a network authentication protocol designed before the Internet became popular, so it's really only used in internal networks. Kerberos functions at a lower level than OpenAM, developed later. OpenAM at the higher level chains different protocols together for even stronger structures of authentication. It doesn't replace Kerberos though. At some point in the architectural decision, one must decide what lower-level protocols OpenAM will use to authenticate users or services. OpenAM can also federate distinct entities (think different companies) over the web. Makes sense? – T-Heron Dec 04 '16 at 16:26
  • I got it! Thanks. – jurh Dec 04 '16 at 20:23
  • Hi Jur, I will put my previous response into "Answer" form, please don't forget to come back in and press the 'accept' button on it so that it will help others when they're searching for the same question... – T-Heron Dec 04 '16 at 20:38

2 Answers

Kerberos is a network authentication protocol designed before the Internet became popular, so it's really only used in internal networks. Kerberos functions at a lower level than OpenAM, developed later. OpenAM at the higher level chains different protocols together for even stronger structures of authentication. It doesn't replace Kerberos though. At some point in the architectural decision, one must decide what lower-level protocols OpenAM will use to authenticate users or services. OpenAM can also federate distinct entities (think different companies) over the web.

T-Heron


Kerberos is a protocol. OpenAM is a product.

Under the hood OpenAM can use Kerberos, SAML 2.0, OpenID Connect, WS-Federation etc.

rbrayb
  • Thanks! But why should you use Kerberos and SAML together? With Kerberos you can send the authentication data in tickets to OpenAM, and in SAML you can also send authentication data in a different package to OpenAM. – jurh Dec 04 '16 at 20:21
  • Kerberos tickets are not a standard wrt. federation. So if you federated OpenAM and ADFS e.g. you need a SAML token (which is a standard) to flow through the various providers. – rbrayb Dec 04 '16 at 20:53
  • So if I'm right, the client (web browser) sends a username and password to the application server (Wildfly) with a Kerberos agent, and the Kerberos agent sends the authentication packet over SAML to OpenAM, and OpenAM checks if the credentials are right in the database and sends a Kerberos ticket back over SAML to Wildfly? – jurh Dec 04 '16 at 21:33
  • Corrected: The client (web browser) requests resources via Wildfly. Wildfly redirects to OpenAM. The browser requests a SAML token; in order to receive a token, authentication needs to take place. Kerberos will handle the authentication between the browser and OpenAM. OpenAM checks in the database if the user credentials are correct; if that's the case, OpenAM sends the SAML token back to the browser. Then the browser requests the resource with the SAML token and Wildfly will give the requested resources. – jurh Dec 04 '16 at 21:44
  • My 2 Cents: Kerberos in OpenAM is only leveraged for 'auto-login', not for Single Sign On – Bernhard Thalmayr Dec 06 '16 at 08:34
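The exchange sketched in the "Corrected" comment above (browser asks Wildfly, gets redirected to OpenAM, authenticates with Kerberos, carries a SAML token back to Wildfly) as an added Python model. This is illustration code written for this page, not code from the thread's authors, OpenAM or Wildfly. Kerberos is reduced to a lookup of an already-issued service ticket, the SAML assertion to a signed dict with an HMAC standing in for XML-DSig, and the entity IDs, key and ticket values are constructed placeholders. The point it shows is the layering rbrayb and T-Heron describe: Kerberos proves the user to the IdP, and the federation-standard SAML assertion is what the SP actually validates, with the checks (signature, issuer, audience, InResponseTo, expiry, replay) an SP must perform before trusting it.

```python
import hashlib
import hmac
import json
import secrets
import time

# --- Constructed fixtures (hypothetical names and values, not from the thread) ---
IDP_ENTITY_ID = "https://openam.example/idp"       # OpenAM's SAML entity ID (assumed)
SP_ENTITY_ID = "https://wildfly.example/sp"        # Wildfly's SAML entity ID (assumed)
IDP_SIGNING_KEY = b"constructed-idp-signing-key"   # stands in for the IdP's private key;
                                                   # a real SP holds only the IdP's public cert
# Stand-in for what the KDC has already established: service ticket -> principal.
KERBEROS_TICKETS = {"tkt-alice-7f3a": "alice@EXAMPLE.LOCAL"}


def _sign(payload: dict, key: bytes) -> str:
    """HMAC over canonical JSON of the assertion (simplified stand-in for XML-DSig)."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class OpenAMLike:
    """IdP role: authenticates the browser via Kerberos, then issues a SAML-style assertion."""

    def __init__(self, key: bytes, tickets: dict):
        self.key = key
        self.tickets = tickets

    def authenticate_kerberos(self, ticket: str):
        # Real OpenAM validates a SPNEGO/GSSAPI token against its keytab; here a lookup.
        return self.tickets.get(ticket)

    def issue_assertion(self, ticket: str, audience: str, in_response_to: str, now=None):
        principal = self.authenticate_kerberos(ticket)
        if principal is None:
            return None                      # Kerberos step failed: no token is minted
        now = now if now is not None else time.time()
        payload = {
            "issuer": IDP_ENTITY_ID,
            "subject": principal,
            "audience": audience,            # which SP this assertion is for
            "in_response_to": in_response_to,  # ties it to one AuthnRequest
            "not_on_or_after": now + 300,    # short validity window
            "id": secrets.token_hex(8),      # unique ID used for replay detection
        }
        return {"payload": payload, "signature": _sign(payload, self.key)}


class WildflyLike:
    """SP role: redirects unauthenticated browsers to the IdP and validates what comes back."""

    def __init__(self, idp_key: bytes, now=None):
        self.idp_key = idp_key
        self.pending = {}                    # outstanding AuthnRequest IDs
        self.seen_assertions = set()         # assertion IDs already consumed
        self.now = now if now is not None else time.time

    def request_resource(self, session: dict):
        if "principal" in session:
            return ("200", f"resource for {session['principal']}")
        request_id = secrets.token_hex(8)
        self.pending[request_id] = True
        return ("302", {"idp": IDP_ENTITY_ID, "request_id": request_id,
                        "audience": SP_ENTITY_ID})

    def consume_assertion(self, assertion: dict, session: dict) -> str:
        payload = assertion["payload"]
        # Each check below is one an SP must perform before trusting a federated token.
        if not hmac.compare_digest(assertion["signature"], _sign(payload, self.idp_key)):
            return "rejected: bad signature"
        if payload["issuer"] != IDP_ENTITY_ID:
            return "rejected: unknown issuer"
        if payload["audience"] != SP_ENTITY_ID:
            return "rejected: wrong audience"
        if self.pending.pop(payload["in_response_to"], None) is None:
            return "rejected: not in response to our request"
        if self.now() >= payload["not_on_or_after"]:
            return "rejected: expired"
        if payload["id"] in self.seen_assertions:
            return "rejected: replayed"
        self.seen_assertions.add(payload["id"])
        session["principal"] = payload["subject"]
        return "accepted"


def run_flow(ticket: str, tamper=None) -> str:
    """Drive the full browser <-> Wildfly <-> OpenAM exchange and report the outcome."""
    idp = OpenAMLike(IDP_SIGNING_KEY, KERBEROS_TICKETS)
    sp = WildflyLike(IDP_SIGNING_KEY)
    session = {}
    status, redirect = sp.request_resource(session)      # 1. browser asks Wildfly, is redirected
    assert status == "302"
    assertion = idp.issue_assertion(ticket, redirect["audience"], redirect["request_id"])  # 2-3. Kerberos at IdP, SAML minted
    if assertion is None:
        return "idp: kerberos authentication failed"
    if tamper:
        tamper(assertion)                                # simulate modification in transit
    result = sp.consume_assertion(assertion, session)    # 4. browser presents SAML to Wildfly
    if result != "accepted":
        return result
    return sp.request_resource(session)[1]               # 5. resource served


if __name__ == "__main__":
    print(run_flow("tkt-alice-7f3a"))
    print(run_flow("tkt-nobody"))
```

The Kerberos ticket never leaves the IdP side of the model: Wildfly only ever sees the SAML assertion, which is the part that has to be a standard so that other providers (ADFS in rbrayb's example) can consume it. The symmetric key shared between the two classes is a simplification; in a real deployment the SP verifies the IdP's XML signature with the certificate published in the IdP metadata.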