Kerberos Delegated Authentication
Kerberos delegation allows Integration Server to reuse the client's credentials to invoke another service hosted on the same or a different server. A principal (the delegated user) can then invoke a service on behalf of another principal (the original requester).
Kerberos delegated authentication comprises the following phases:
1. Authentication phase. The client authenticates itself to the authentication service and requests a forwardable TGT, that is, a ticket the KDC allows to be delegated.
2. Service authorization phase.
a. Using the forwardable TGT, the client requests a service ticket for an intermediary and forwards the TGT (together with its session key) to the intermediary along with the request.
b. The intermediary uses the forwarded TGT to request a service ticket for the target service on behalf of the original requester.
Note:
The ticket can be forwarded to any number of intermediaries. Irrespective of the number of intermediaries, the service request is made on behalf of the original requester. Because a forwarded TGT is a full credential for the original requester, every intermediary that receives it can obtain a ticket for any service in that user's name, so forward tickets only to intermediaries you trust.
3. Service invocation phase. The intermediary sends the request to the target service, including the service ticket obtained in the service authorization phase (step 2.b).
Example Use Case
Following is an example use case that describes the steps involved in Kerberos delegated authentication.
In this use case, consider the following:
The external client, the intermediary (Integration Server), and the destination server (.Net Server) share the same KDC.
Alice is the user account which the external client uses to access the service S1 on the intermediary (Integration Server).
Bob is the user account that the intermediary uses to invoke the endpoint service S2 hosted on the .Net server.
Alice invokes S1.
Settings:
In S1, the input parameter delegation is set to kerberos in the HTTP outbound call (pub.client:http).
Steps:
1. The external client contacts the KDC and requests a forwardable TGT and a service ticket (ST1) for Alice.
2. The external client invokes S1, presenting ST1 and the forwarded TGT.
3. Integration Server receives the token, validates ST1 and extracts the forwarded TGT. Logged in as Bob, it uses Alice's forwarded TGT to request a service ticket (ST2) for S2; because the request is made with Alice's TGT, ST2 is issued in Alice's name, not Bob's.
4. Integration Server invokes the target service S2 using ST2.
5. The .Net server validates ST2 (with its own service key; no KDC round trip is needed for this step) and S2 is invoked on behalf of Alice.
6. Integration Server receives the response from S2.
7. Integration Server forwards the response (success or error) to the external client.
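The three phases and the Alice/Bob use case above, as an added example that is not part of this page or of Integration Server: a standard-library Python model of the exchange in which a KDC, a client, an intermediary (S1, running as Bob) and a target service (S2) pass tickets around. Tickets are JSON bodies tagged with HMAC-SHA256 under the recipient's long-term key instead of being encrypted; that is a simplification, and the principal names, key handling and the KDC and Service classes are all constructed for this example. What the model keeps faithful is who holds which credential at each step: the KDC only checks that whoever presents a TGT also holds its session key, so a ticket requested with Alice's forwarded TGT names Alice even though Bob's server sends the request, and the KDC refuses to hand out a forwarded TGT when the original one was not forwardable.

```python
"""Toy model of Kerberos delegated authentication (constructed example)."""
import hashlib
import hmac
import json
import secrets

FORWARDABLE, FORWARDED = "FORWARDABLE", "FORWARDED"


def seal(key, body):
    """Stand-in for Kerberos ticket encryption: tag a JSON body with HMAC under
    the recipient's long-term key. Real tickets are encrypted; the trust logic
    modelled here is the same: only the holder of `key` can open the ticket."""
    payload = json.dumps(body, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def open_ticket(key, ticket):
    tag = hmac.new(key, ticket["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, ticket["tag"]):
        raise PermissionError("ticket was not issued under this key")
    return json.loads(ticket["payload"])


class KDC:
    """Authentication Service and Ticket Granting Service in one object (toy)."""

    def __init__(self, principals):
        self.keys = {p: secrets.token_bytes(32) for p in [*principals, "krbtgt"]}

    def as_req(self, cname, client_key, forwardable=False):
        """Authentication phase: prove the client key, get a TGT plus session key."""
        if not hmac.compare_digest(self.keys[cname], client_key):
            raise PermissionError("pre-authentication failed")
        session = secrets.token_hex(16)
        flags = [FORWARDABLE] if forwardable else []
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "session": session, "flags": flags})
        return tgt, session

    def tgs_req(self, tgt, tgt_session, sname=None, forward=False):
        """Service authorization phase. The KDC does not know who sends this
        request; it only checks that the sender holds the TGT's session key.
        Whatever it issues names the TGT's cname, not the sender."""
        body = open_ticket(self.keys["krbtgt"], tgt)
        if not hmac.compare_digest(body["session"], tgt_session):
            raise PermissionError("authenticator does not match TGT session key")
        session = secrets.token_hex(16)
        if forward:  # client wants a copy of its TGT to hand to an intermediary
            if FORWARDABLE not in body["flags"]:
                raise PermissionError("KDC refused: TGT is not forwardable")
            fwd = {"cname": body["cname"], "session": session, "flags": [FORWARDABLE, FORWARDED]}
            return seal(self.keys["krbtgt"], fwd), session
        st = {"cname": body["cname"], "sname": sname, "session": session}
        return seal(self.keys[sname], st), session


class Service:
    """A Kerberized service: validates tickets with its own key, without
    contacting the KDC."""

    def __init__(self, name, key):
        self.name, self.key = name, key

    def accept(self, st, authenticator):
        body = open_ticket(self.key, st)
        if body["sname"] != self.name or not hmac.compare_digest(body["session"], authenticator):
            raise PermissionError(f"{self.name}: bad ticket or authenticator")
        return body["cname"]  # the principal the request is made on behalf of


def delegated_call(kdc, s1, s2, alice_key, bob_key, forwardable):
    """The use case above. Returns (who S1 saw, who S2 saw, forwarded credential)."""
    # Step 1: Alice gets a TGT, ST1 for S1 and, if the TGT is forwardable, a
    # forwarded copy of it to send with the request (what GSS-API delegation does).
    tgt, tgt_sess = kdc.as_req("alice", alice_key, forwardable=forwardable)
    st1, st1_sess = kdc.tgs_req(tgt, tgt_sess, "S1")
    fwd_tgt, fwd_sess = kdc.tgs_req(tgt, tgt_sess, forward=True)  # refused if not forwardable
    # Steps 2-3: S1 validates ST1 and extracts the forwarded TGT. S1 runs as Bob,
    # but requests ST2 with Alice's forwarded TGT, so ST2 is issued in Alice's name.
    seen_by_s1 = s1.accept(st1, st1_sess)
    kdc.as_req("bob", bob_key)  # Bob's own credential exists but is not used for ST2
    st2, st2_sess = kdc.tgs_req(fwd_tgt, fwd_sess, "S2")
    # Steps 4-5: S2 opens ST2 with its own key and sees cname = alice.
    seen_by_s2 = s2.accept(st2, st2_sess)
    return seen_by_s1, seen_by_s2, (fwd_tgt, fwd_sess)


if __name__ == "__main__":
    kdc = KDC(["alice", "bob", "S1", "S2"])
    s1, s2 = Service("S1", kdc.keys["S1"]), Service("S2", kdc.keys["S2"])
    print(delegated_call(kdc, s1, s2, kdc.keys["alice"], kdc.keys["bob"], True)[:2])
    try:
        delegated_call(kdc, s1, s2, kdc.keys["alice"], kdc.keys["bob"], False)
    except PermissionError as err:
        print("delegation failed:", err)
```

Running the block prints ('alice', 'alice') for the forwardable case: S1 sees Alice and S2 also sees Alice, even though the ST2 request came from Bob's server. The second call fails at the KDC because a non-forwardable TGT cannot be forwarded, which is the failure you observe in practice when the client obtained its TGT without requesting a forwardable one. The forwarded credential returned by delegated_call is what the caveat in the note above is about: S1 can use it to obtain a ticket for any other service as Alice, and can forward it again to a further intermediary.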