Hi,
I was indeed thinking on using OAuth for the application (SAS Viya).
Standard platform: ADFS. Adding Keycloak is do-able, but currently not in scope.
We are a small (sub)team and how much is manage-able? ;)
The applicaton - SAS Viya - always needs LDAP as identity store - in combination with
Kerberos (& IWA), OAuth, SAML, plain LDAP or PAM.
I find the implementation of their LDAP client a bit lacking (only 1 LDAP host, no referral setting, no starttls....)
One of the business requirements is "seamless" authentication and I was hoping we could use SPNEGO.
Our Hadoop (and related servers such as SAS Viya) are all placed in a separate IPA domain, and we have a trust with AD.
So this works for a firefox browser configured to use MIT Kerberos against IPA and the pure IPA users.
But me idealistic scenario of using end-users from AD on that SAS Viya platform is currently leading to nowhere.
Do you think it would be possible using ADFS Oauth? And AD LDAP as identity lookup store (if the problems are fixed) with all servers in the IPA domain?
If not, what about Keycloak integrated with IPA -->we still would have the problem with AD user lookup then.
Would be easier if the product uses SSSD/PAM as identity store as well somehow...
Sincerely Pieter