Require WS-Security Kerberos Token Profile Credentials Assertion
Require WS-Security Kerberos Token Profile Credentialsassertion requires that the request message contains a valid WSS1.1 Kerberos Token (specifically, a GSS wrapped Kerberos v5 AP-REQ, as defined in the GSSAPI specification).
This assertion places the realm of the client in the
kerberos.realmcontext variable. This enables policy decisions based on this aspect of the client credential and is useful in situations where the client can be from multiple domains/realms. For example:
For more information on the Kerberos specification, see http://docs.oasis-open.org/wss/v1.1/. From there, you can download the
wss-v1.1-spec-pr-KerberosTokenProfile-01document in either HTML or PDF format.
(1) When authenticating users with Kerberos, the realm must be validated before authentication is performed. Ensure that the
kerberos.realmcontext variable is an expected value for the identity provider. (2) The Gateway must be correctly configured to use the Require WS-Security Kerberos Token Profile Credentials assertion.
Using the Assertion
- Add the assertion to the policy development window. For more information, see Add an Assertion. The assertion is added to the policy window; no further configuration is required.
- Move the assertion to the place in the policy list where Kerberos authentication should occur.
- Optionally use the Authenticate User or Group assertion to provide access to the LDAP Identity Provider.Note:If you do this, be sure the Active Directory server has been configured as an LDAP provider.