Identity Gateway 2024.3

KerberosIdentityAssertionPlugin

Use with an IdentityAssertionHandler to validate Kerberos authentication tickets locally.

The KerberosIdentityAssertionPlugin doesn’t support Windows New Technology LAN Manager (NTLM) tokens.

Usage

{
    "name": string,
    "type": "KerberosIdentityAssertionPlugin",
    "config": {
      "serviceLogin": ServiceLogin reference,
      "trustedRealms": [configuration_expression<string>, ...]
    }
}

Properties

"serviceLogin": ServiceLogin reference, required

A service account object to log IG in to the Kerberos server so that IG can act on user tokens. IG will be able to validate user tokens, for example.

IG provides the following service account objects for the KerberosIdentityAssertionPlugin:

UsernamePasswordServiceLogin

Log IG in to the Kerberos server by using a service account username and password.

{
  "type": "UsernamePasswordServiceLogin",
  "config": {
    "username": configuration_expression<string>,
    "passwordSecretId": configuration expression<secret-id>,
    "secretsProvider": SecretsProvider reference
  }
}
"username": configuration expression<string>, required

Service username.

"passwordSecretId": configuration expression<secret-id>, required if the proxy requires authentication

The secret ID of the service account password.

"secretsProvider": SecretsProvider reference, required

The SecretsProvider to query for the password.

KeytabServiceLogin

Log IG in to the Kerberos server by using a Keytab file.

This service account object is less secure than UsernamePasswordServiceLogin; use it only for testing or to ease migration. In production environments, always use the most secure options available.
{
  "type": "KeytabServiceLogin",
  "config": {
    "username": configuration_expression<string>,
    "keytabFile": configuration expression<secret-id>,
    "executor": ScheduledExecutorService reference
  }
}
"username": configuration expression<string>, required

Service username.

"keytabFile": configuration expression<string>, required

Path to the keytab file. Both the username and keytabFile are required for login.

"executor": ScheduledExecutorService reference, optional

An executor service to schedule the execution of tasks during a keytab service login.

Default: ScheduledExecutorService or an executor service declared in the heap.

"trustedRealms": array of configuration expression<strings>, optional

A list of one or more Kerberos realms that are expected to match the principal’s realm from the user’s Kerberos ticket.

Kerberos tickets are accepted only if the principal’s realm matches a realm in the list.

Default: Empty

Examples

{
  "type": "KerberosIdentityAssertionPlugin",
  "config": {
    "serviceLogin": "UsernamePasswordServiceLogin",
    "trustedRealms": ["EXAMPLE.COM"]
  }
}
{
  "type": "UsernamePasswordServiceLogin",
  "config": {
    "username": "igsa",
    "passwordSecretId": "igsa.id",
    "secretsProvider": "mySecretsProvider"
  }
}

When using a Kerberos keytab file, generate it for IG with the Windows ktpass command. The following commands add and view a Service Principal Name (SPN) for the IG service account, igsa, and generate a keytab file for IG in the example.com realm mapped to the service account username. Run the commands as the Windows Administrator to ensure you have access to everything necessary:

# Add the SPN for the service account:
PS C:\path\to> setspn -s HTTP/ig.example.com igsa

# View the SPN for the service account:
PS C:\path\to> setspn -l igsa
Registered ServicePrincipalNames for CN=igsa,CN=Users,DC=example,DC=com:
        HTTP/ig.example.com

# Generate the keytab file:
PS C:\path\to> ktpass -out keytab.file -princ HTTP/ig.example.com@EXAMPLE.COM -pass `
+rndPass -maxPass 256 -mapuser igsa -crypto All -ptype KRB5_NT_PRINCIPAL -kvno 0

In the IG configuration, you can use the Kerberos principal as the username:

{
  "type": "KeytabServiceLogin",
  "config": {
    "username": "HTTP/ig.example.com@EXAMPLE.COM",
    "keytabFile": "/path/to/keytab.file"
  }
}