Configuring Kerberos constrained delegation for out-bound SPNEGO tokens in Liberty
You can configure a Liberty server to support Kerberos constrained delegation for out-bound SPNEGO tokens.
Before you begin
Make sure that you have configured SPNEGO web authentication.
IBM® SDK 1.8 and later is supported. The Oracle JDK and OpenJDK are supported at the same levels that they are supported for Liberty.
About this task
- S4U2self: Allows a Liberty server to obtain a service ticket to itself on behalf of a user. This can be used with any form of authentication that is supported by Liberty. S4U2self is the Kerberos Protocol Transition extension.
- S4U2proxy: Allows a Liberty server to obtain service tickets to trusted services on behalf of a user. These service tickets are obtained by using the user's service ticket to the Liberty service. The services are constrained by the Kerberos Key Distribution Center (KDC) administrator. S4U2proxy is the Kerberos Constrained Delegation extension.
- S4U2self API: com.ibm.websphere.security.s4u2proxy.SpnegoHelper.buildS4U2proxyAuthorizationUsingS4U2self()
- S4U2proxy API: com.ibm.websphere.security.s4u2proxy.SpnegoHelper.buildS4U2proxyAuthorization()
The following steps use the same example system setup that is used in Configuring SPNEGO authentication in Liberty and illustrated in Single sign-on for HTTP requests using SPNEGO web authentication.