[keycloak-dev] LDAP with Kerberos, login with different user

Marek Posolda mposolda at redhat.com
Mon Oct 9 06:47:13 EDT 2017


As you can see in the older discussions in the PR in JIRA, we were still 
discussing what exactly to do. Some approaches were:

1) Use the parameter like skip_auth_mechanisms

2) Use another confirmation screen (Account chooser authenticator or 
something like that) - something which will be shown after successful 
Kerberos authentication as user "jdoe" and will display "Do you really 
want to authenticate as John Doe? Click <link>here</link>. Do you want 
to authenticate as another user? Click <link>here</link>". In the 
latter case, Kerberos authentication will be bypassed and the 
username/password screen shown.

3) Automatically skip Kerberos after the logout. I personally didn't 
like this approach. IMO if we do this, we will need the config 
option on the Kerberos authenticator anyway.

My personal preference is 1, then 2, then 3.

For your use case, I suspect that in most cases you want to 
authenticate as the Kerberos user, but just in some special cases (an admin 
needs to authenticate with some special account etc.) bypass Kerberos. Is 
that correct? So the query parameter is your preferred way, right?

Anyway, I wouldn't start contributing to Keycloak for now until it's 
agreed what exactly to do. You can already handle it in your environment 
with your own Authenticator implementation, where you can implement 
"skip_auth_mechanisms" or something like that.

Marek

On 05/10/17 10:15, Jože Mlakar wrote:
> Also, before you comment, read https://github.com/keycloak/keycloak/pull/1644
>
> I believe there is no harm in skip_auth_mechanisms query parameter. I agree there are scenarios where other options are also good, but not globally.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
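The "own Authenticator implementation" Marek points to, written out as an added example (editor's code, not Keycloak's and not from the thread). It wraps Keycloak's built-in SpnegoAuthenticator and honours a query parameter in the style of approach 1: when `skip_auth_mechanisms=kerberos` is present on the authorization request, the execution marks itself as attempted so an ALTERNATIVE flow falls through to the username/password form; otherwise it behaves exactly like the stock Kerberos step. Assumptions: a Keycloak 3.2+ Authenticator SPI with AuthenticationSessionModel, and the parameter name, auth-note key and provider id "skippable-kerberos" are choices made here, not anything the project defines.

```java
// Added example, not Keycloak project code. Assumes the Keycloak 3.2+ Authenticator SPI
// (AuthenticationFlowContext.getAuthenticationSession()). Parameter name, note key and
// provider id are this example's own choices.
package com.example.keycloak;

import java.util.Collections;
import java.util.List;
import javax.ws.rs.core.MultivaluedMap;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator;
import org.keycloak.models.AuthenticationExecutionModel.Requirement;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

public class SkippableKerberosAuthenticator implements Authenticator {

    static final String SKIP_PARAM = "skip_auth_mechanisms";   // hypothetical query parameter
    static final String SKIP_NOTE  = "skip_auth_mechanisms";   // auth-session note, our own key
    static final String KERBEROS   = "kerberos";

    private final SpnegoAuthenticator delegate = new SpnegoAuthenticator();

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        if (kerberosSkipRequested(context)) {
            // "attempted" is a soft result: with requirement ALTERNATIVE the flow moves on
            // to the next alternative (the username/password form) instead of failing.
            context.attempted();
            return;
        }
        delegate.authenticate(context);   // normal SPNEGO 401/Negotiate handling
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        delegate.action(context);
    }

    // Decide once per authentication session and remember it: the Negotiate round trip
    // re-requests the same URL (query string intact), but later form posts do not carry it.
    static boolean kerberosSkipRequested(AuthenticationFlowContext context) {
        String noted = context.getAuthenticationSession().getAuthNote(SKIP_NOTE);
        if (noted != null) {
            return Boolean.parseBoolean(noted);
        }
        boolean skip = false;
        MultivaluedMap<String, String> query = context.getHttpRequest().getUri().getQueryParameters();
        List<String> values = query.get(SKIP_PARAM);
        if (values != null) {
            for (String v : values) {
                for (String mech : v.split(",")) {          // accept ?skip_auth_mechanisms=kerberos,otp
                    if (KERBEROS.equalsIgnoreCase(mech.trim())) skip = true;
                }
            }
        }
        context.getAuthenticationSession().setAuthNote(SKIP_NOTE, Boolean.toString(skip));
        return skip;
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }

    // Registered via META-INF/services/org.keycloak.authentication.AuthenticatorFactory
    // with the line: com.example.keycloak.SkippableKerberosAuthenticator$Factory
    public static class Factory implements AuthenticatorFactory {
        public static final String PROVIDER_ID = "skippable-kerberos";   // our id, not a Keycloak one
        // Only ALTERNATIVE makes sense: a REQUIRED step could not be skipped by falling through.
        private static final Requirement[] CHOICES = { Requirement.ALTERNATIVE, Requirement.DISABLED };

        @Override public Authenticator create(KeycloakSession session) { return new SkippableKerberosAuthenticator(); }
        @Override public String getId() { return PROVIDER_ID; }
        @Override public String getDisplayType() { return "Kerberos (skippable via query parameter)"; }
        @Override public String getReferenceCategory() { return KERBEROS; }
        @Override public boolean isConfigurable() { return false; }
        @Override public Requirement[] getRequirementChoices() { return CHOICES; }
        @Override public boolean isUserSetupAllowed() { return false; }
        @Override public String getHelpText() { return "SPNEGO login that can be bypassed with ?skip_auth_mechanisms=kerberos"; }
        @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

To use it, replace the stock "Kerberos" execution in a copy of the browser flow with this provider at requirement ALTERNATIVE, keeping "Username Password Form" as the following alternative. Note what the parameter does and does not do: it lets a caller opt out of ticket-based login and fall back to the password form, it never lets anyone authenticate as someone else without credentials, and because the decision is stored on the authentication session it cannot be toggled mid-flow by a later request.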
