
I have a server ("server.example.com") that negotiates with an IdP ("sso.idp.com") on my behalf to obtain a SAML assertion. When using curl with negotiate, the domain name in the service principal is "server.example.com" by default, e.g. HTTP/server.example.com@MYREALM.COM.

I'm wondering if it's possible to override the domain name used in the service principal. Basically, something similar to the Python package requests-kerberos' hostname override, or the Node package kerberos' "service" param in initializeClient. I can't seem to find an equivalent option for curl, and was wondering if there is one? I've found the service name option, which appears to set the service type (e.g. HTTP), but nothing that sets the domain name.

Basically:

curl -v --negotiate -u : server.example.com

creates a service principal of HTTP/server.example.com@MYREALM.COM. But, I'm looking for something like:

curl -v --negotiate -u : server.example.com --service HTTP/sso.idp.com

that would create a service principal of HTTP/sso.idp.com@MYREALM.COM. I just want to override the domain name in the service principal so I can generate an Authorization header to negotiate with "sso.idp.com".

nbrowz
  • Looks like you want to use a VIP or a Load Balancer...? Define a DNS alias on a dedicated IP, with reverse lookup, and use the alias in the URL. That's what is done in the Hadoop ecosystem. Works transparently with any client. – Samson Scharfrichter Jul 11 '19 at 08:17

1 Answer


That's a very strange way to implement Kerberos delegation.

Curl lets you achieve this in the opposite way: use --connect-to to override the actual server address.

curl -u: --negotiate --connect-to "sso.idp.com:443:server.example.com:443" https://sso.idp.com
user1686
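To make the answer's point concrete, here is an added model (not code from the question, the answer or curl itself) of how curl picks the Kerberos SPN and the TCP target when --connect-to is in play: the SPN host always comes from the URL, and a HOST1:PORT1:HOST2:PORT2 rule only redirects the connection. The function names, the sample URLs and the rules are constructed for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_connect_to(rule):
    """Split a curl --connect-to rule 'HOST1:PORT1:HOST2:PORT2' into four
    fields. Empty HOST1/PORT1 match anything, empty HOST2/PORT2 keep the
    original value. IPv6 literals are written in [...] and unbracketed here."""
    fields, buf, depth = [], "", 0
    for ch in rule:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            fields.append(buf)
            buf = ""
        else:
            buf += ch
    fields.append(buf)
    if len(fields) != 4:
        raise ValueError("expected HOST1:PORT1:HOST2:PORT2, got %r" % rule)
    host1, port1, host2, port2 = fields
    return (host1.strip("[]").lower(), int(port1) if port1 else None,
            host2.strip("[]"), int(port2) if port2 else None)


def plan_request(url, connect_to_rules=(), service="HTTP"):
    """Return (spn, connect_host, connect_port) for `curl --negotiate URL`
    with the given --connect-to rules; the first matching rule wins."""
    parts = urlsplit(url)
    url_host = parts.hostname.lower()
    url_port = parts.port or DEFAULT_PORTS[parts.scheme]
    # The SPN is derived from the URL host, never from the connect target,
    # which is why the answer puts the IdP name in the URL.
    spn = "%s/%s" % (service, url_host)
    # SNI and certificate name checking also use url_host, so the server
    # actually reached must present a certificate valid for that name.
    connect_host, connect_port = url_host, url_port
    for rule in connect_to_rules:
        host1, port1, host2, port2 = parse_connect_to(rule)
        if (not host1 or host1 == url_host) and (port1 is None or port1 == url_port):
            connect_host = host2 or url_host
            connect_port = port2 if port2 is not None else url_port
            break
    return spn, connect_host, connect_port
```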