
SSO authentication combining Kerberos, ADFS and Spring Security

I'm currently analysing several alternatives to implement an authentication mechanism which will not demand credentials from the user. Why not? Because we are talking about a web application to be used only within an internal network which (should) reside within a Kerberos realm.

I've spent some time trying to figure out what the approach is, but it seems the confusion is just growing in my mind. What I'm asking is which strategy I should use to connect these components, or whether there are any which are not necessary:

  1. Kerberos: this is the (supposed) authentication mechanism by which the users get authenticated upon logging in with their Windows profiles. I am not much sure whether it provides an explicit list of claims for the principal to be retrieved.
  2. ADFS: In my perspective, the Federation Services can be just an extension to Kerberos, wrapping its ticket into the more standard SAML protocol. In my view, this can come in handy once the web application is exposed to an external network. Thus, am I correct in saying that I don't need it to integrate the app into the SSO mechanism? Or will it still be required as a means of integration?
  3. Oracle WebLogic: This is the chosen application server that will host the web application. It seems there are ways to configure WLS to be part of a Kerberos realm. The main point of integration is the keytab. Here I've found an old example, but it seems more or less the same needs to be done in WLS 12c as well: http://www.ateam-oracle.com/kerberos-and-weblogic-server-on-windows-step-by-step/
  4. SPNEGO: This seems to be a standard protocol to be used in configuring an architecture where the HTTP protocol is used to access the service provider (the web app). To me, it's just an extension of Kerberos which is necessary in my use case, as the service is indeed accessed via HTTP (Angular SPA + Spring Boot communicating via REST).
  5. Spring Security Kerberos extension: Spring Security offers many extensions, one of them being the module to support Kerberos and SPNEGO. There are two questions boiling in my mind right now:
    • I see this as an alternative in case the integration is not handled in the application server (Oracle WLS). If so, which would be the better approach?
    • In its docs Spring provides an example of a setup of the security adapter using this extension (main integration point: still the keytab). But what about the retrieval of the user details? Does it still require a service to connect to the Active Directory storing them separately?

I'm very much confused about the alternatives and all the components which can work together. I also haven't found a concise flow diagram of the process for such a use case, only those of the components working separately. So, which approach can be designed presuming we have all of the above components?

NOTE: Also, right now the Angular layer gets authenticated via a dummy service on the Spring Boot back end via JWT. I would like to keep the JWT in between if possible, but if the Kerberos ticket can be retrieved and parsed with ease to get the claims, it will become obsolete.
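The following is an added example, not code from the question or from the Spring project, showing what items 4 and 5 of the list look like when Spring Security handles SPNEGO itself (rather than WebLogic): the app answers `401` with `WWW-Authenticate: Negotiate`, validates the browser's Kerberos service ticket against the keytab, and then resolves the principal to user details and group memberships by querying Active Directory over LDAP with that same keytab. It assumes `spring-security-kerberos` 1.x together with `spring-security-ldap` on a `WebSecurityConfigurerAdapter`-era Spring Boot 2.x; the package name and the `app.*` property keys are hypothetical.

```java
// Added example (not from the original post). Assumes spring-security-kerberos 1.x,
// spring-security-ldap and Spring Boot 2.x; package and property names are hypothetical.
package com.example.sso;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
import org.springframework.security.kerberos.authentication.sun.SunJaasKrb5LoginConfig;
import org.springframework.security.kerberos.client.ldap.KerberosLdapContextSource;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.LdapUserDetailsService;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SpnegoSecurityConfig extends WebSecurityConfigurerAdapter {

    // SPN registered in AD for this app, e.g. HTTP/app.corp.example@CORP.EXAMPLE (hypothetical values)
    @Value("${app.kerberos.service-principal}") private String servicePrincipal;
    @Value("${app.kerberos.keytab}") private String keytabLocation;        // e.g. /etc/app/app.keytab
    @Value("${app.ad.url}") private String adUrl;                          // e.g. ldap://dc1.corp.example:389/
    @Value("${app.ad.user-search-base}") private String userSearchBase;    // e.g. OU=Users,DC=corp,DC=example
    @Value("${app.ad.group-search-base}") private String groupSearchBase;  // e.g. OU=Groups,DC=corp,DC=example

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable() // stateless REST API behind the SPA; keep CSRF on if you rely on session cookies
            .exceptionHandling().authenticationEntryPoint(spnegoEntryPoint()).and()
            .authorizeRequests().anyRequest().authenticated().and()
            // Consumes "Authorization: Negotiate <token>" before Basic auth would see the header.
            .addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                    BasicAuthenticationFilter.class);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(kerberosServiceAuthenticationProvider());
    }

    @Bean @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /** Replies 401 + "WWW-Authenticate: Negotiate"; the browser then presents a SPNEGO token. */
    @Bean
    public SpnegoEntryPoint spnegoEntryPoint() {
        return new SpnegoEntryPoint();
    }

    @Bean
    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(AuthenticationManager am) {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(am);
        return filter;
    }

    /** Validates the service ticket with the keytab, then maps the principal name to user details. */
    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        provider.setUserDetailsService(ldapUserDetailsService());
        return provider;
    }

    @Bean
    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
        SunJaasKerberosTicketValidator validator = new SunJaasKerberosTicketValidator();
        validator.setServicePrincipal(servicePrincipal);           // must equal the SPN the ticket was issued for
        validator.setKeyTabLocation(new FileSystemResource(keytabLocation));
        validator.setDebug(false);
        return validator;
    }

    /** JAAS login config so the app binds to AD with its own keytab (GSSAPI), not a stored password. */
    @Bean
    public SunJaasKrb5LoginConfig loginConfig() {
        SunJaasKrb5LoginConfig loginConfig = new SunJaasKrb5LoginConfig();
        loginConfig.setKeyTabLocation(new FileSystemResource(keytabLocation));
        loginConfig.setServicePrincipal(servicePrincipal);
        loginConfig.setIsInitiator(true);
        return loginConfig;
    }

    @Bean
    public KerberosLdapContextSource kerberosLdapContextSource() {
        KerberosLdapContextSource contextSource = new KerberosLdapContextSource(adUrl);
        contextSource.setLoginConfig(loginConfig());
        return contextSource;
    }

    /** Looks up the authenticated principal (user@REALM or sAMAccountName) and its AD groups. */
    @Bean
    public LdapUserDetailsService ldapUserDetailsService() {
        FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch(userSearchBase,
                "(| (userPrincipalName={0}) (sAMAccountName={0}))", kerberosLdapContextSource());
        DefaultLdapAuthoritiesPopulator groups =
                new DefaultLdapAuthoritiesPopulator(kerberosLdapContextSource(), groupSearchBase);
        groups.setGroupSearchFilter("(member={0})");               // AD stores membership on the group object
        return new LdapUserDetailsService(userSearch, groups);
    }
}
```

Two checks worth doing before blaming the code: the SPN in the keytab has to match the host name the browser actually types into the URL (`HTTP/app.corp.example`, not the load balancer's or a short name), and browsers only send a Negotiate token to hosts they consider intranet / trusted, so an XHR from the Angular app to an unlisted host will just get the `401` back. Once the filter has populated the `SecurityContext`, the principal's user details and group authorities are what the existing JWT endpoint would put into its claims if the JWT layer is kept; nothing in this path requires ADFS.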

Use my Tomcat SPNEGO AD extension, which contains a Spring Sec shim.
