I've had some time to mess with openfire and java 8. It looks like it indeed breaks sso . I believe this is because openfire uses DES . DES is disabled by default in java 8. It can be enabled by adding allow_weak_crypto=true in the krb5.ini/krb5.conf. However, even after adding this, I'm still unable to get SSO back up and running. reverting back to java 7 on the server, and everything works like a champ.
I'll do some more testing to see if I can come up with a work around, but DES now being considered somewhat insecure, and Java 7 coming up on EOL, it might be a good time to see if a dev can look into this
speedy reports that latest Java 7 update (7u80) also breaks SSO: https://community.igniterealtime.org/thread/55310
Java 7u80+, Java 8
It has been reported that GSSAPI part of part makes SSO work with Openfire + Java 8.