RapidIdentity Product Guide: New UI

Kerberos

If the API is being invoked from a browser, the first step in the process should be attempting Kerberos SSO. The following request should be issued:

GET /idp/ws/rest/authn/krb HTTP/1.1
Accept: application/json

If Kerberos authentication is successful, the server will return a status of 200 and the JSON data for the next authentication step to perform will be included in the response.  In the event that Kerberos is the only authentication method required for the user, the next step will of type compete which indicates that no further authentication steps are required.

If Kerberos authentication is successful it means that the username of the user is known and a username prompt is not required to initiate the RapidFederation authentication process.

If any other status besides 200 is returned, then it means that Kerberos authentication failed and the authentication process should proceed with the Initialization step.

Manual Authentication

An internal engineering ticket was opened to address an issue with automatic Kerberos processing and, as such, we've had to slightly adjust how Kerberos works. Specifically, there is a new option in the Kerberos Configuration which allows an admin to toggle "Automatic Kerberos Processing". From the server's point of view if automatic processing is turned off, this means that all Kerberos requests made at the very beginning of the process will automatically fail, however the response from the normal init call at /idp/ws/rest/authn/ will have a new allowKerberos flag set to true. This indicates to the client that manual Kerberos authentication is enabled and the user should be given the option to do so if they wish. A manual Kerberos request is exactly the same as the automatic one except that a request parameter requested must be present with the value true.

GET /idp/ws/rest/authn/krb?requested=true HTTP/1.1
Accept: application/json

Everything else about the response will be the same as with automatic processing.

As an Authentication Method

If the Kerberos authentication method is enabled for a given policy, it means that Kerberos authentication is required to have completed successfully or authentication will automatically fail.

As an Authentication Policy Criteria

If Kerberos criteria is enabled for a given policy, it means that only users who have successfully completed Kerberos authentication will be eligible for that policy.

Example Javascript

This example demonstrates how to attempt Kerberos authentication against RapidFederation using JQuery

< script > 

  $.ajax({
        type: 'GET',
        url: '/idp/ws/rest/authn/krb',
        cache: false,
        async: true,
        xhrFields: {
            withCredentials: true
        }
    }).done(function(data) { //data should contain a JSON object }).fail(function() { 
    //kerberos failed, go ahead and call /idp/ws/rest/authn to get the first step 
    }); 
</script>