Univention Bugzilla – Bug 56474
Make subnet filtering configurable for Kerberos-Auth in Keycloak
Last modified: 2024-02-22 17:18:00 CET
+++ This bug was initially created as a clone of Bug #49485 +++

When Kerberos authentication is configured in Keycloak, it will fall back to password authentication if no Kerberos ticket is presented by the browser. When being on an unjoined Windows client on Chrome or Edge, a popup asking for credentials will be shown. When clicking cancel, the fallback login page for single sign-on can be accessed. This can be annoying to customers.

In simpleSAMLphp this was configurable by the UCR variable/the simpleSAMLphp setting `saml/idp/negotiate/filter-subnets`. Keycloak doesn't have such a setting to remove certain IPs from the Kerberos authentication. But it can be achieved using an apache2 configuration in univention-keycloak.conf that removes the WWW-Authenticate header from the response if the request comes from a certain IP.

In a project, the following was configured in /var/lib/univention-appcenter/apps/keycloak/data/local-univention-keycloak.conf:

    <If "%{REMOTE_ADDR} -ipmatch '10.200.21.0/24'">
        Header unset WWW-Authenticate
    </If>

If this should be part of the product, we should make this configurable via a setting.
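As an added illustration (not the reporter's project configuration and not part of the Univention Keycloak app), the snippet below shows the same Apache 2.4 mechanism written out for more than one subnet, which is what a configurable "filter-subnets" setting would expand to. The subnets 10.200.21.0/24 and 192.0.2.0/24 are placeholders; the second one is a documentation range chosen here and does not come from the bug.

```apache
# Added example: strip the Negotiate challenge for clients in the listed
# subnets so that their browsers never show the Kerberos credential popup
# and go straight to Keycloak's password login page.
#
# REMOTE_ADDR is the address of the TCP peer. If this Apache sits behind a
# load balancer or another reverse proxy, configure mod_remoteip first so
# that REMOTE_ADDR reflects the real client; otherwise the match hits the
# proxy's address for every request.
<If "%{REMOTE_ADDR} -ipmatch '10.200.21.0/24' || %{REMOTE_ADDR} -ipmatch '192.0.2.0/24'">
    # 'onsuccess' table (default): headers of the proxied response
    Header unset WWW-Authenticate
    # 'always' table: covers responses whose headers end up in the
    # error-headers table, so the challenge cannot leak through that path
    Header always unset WWW-Authenticate
</If>
```

The `-ipmatch` operator compares an address against a CIDR range, so the list of ranges can be generated verbatim from a comma-separated setting; clients outside the listed subnets still receive the `WWW-Authenticate: Negotiate` challenge and keep working with Kerberos. Check the result with `apachectl configtest` before reloading, and verify from a host in a filtered subnet that the 401 response from the Keycloak login path no longer carries the header.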
Another customer needs that: 2024020621000268
Another customer that needs to disable Kerberos authentication or apply the workaround: 2024021521000134