[keycloak-dev] LDAP with Kerberos, login with different user

Marek Posolda mposolda at redhat.com
Mon Oct 9 06:55:14 EDT 2017


Another thing is that we are planning to add support for the "acr" 
OIDC parameter (aka authentication levels), and I believe that this 
use case should be addressed through this.

For now, I would do something on your own, as we still need to discuss 
how exactly to address this and when (my guess is Keycloak 4.x, sometime 
next year).

Marek


On 09/10/17 12:47, Marek Posolda wrote:
> As you can see in the older discussions in the PR in JIRA, we were 
> still discussing what exactly to do. Some approaches were:
>
> 1) Use the parameter like skip_auth_mechanisms
>
> 2) Use another confirmation screen (Account chooser authenticator or 
> something like that) - Something, which will be shown after successful 
> Kerberos authentication as user "jdoe" and will display "Do you really 
> want to authenticate as John Doe, click <link>here</link> . Do you 
> want to authenticate as the other user click <link>here</link>". In 
> the latter case, Kerberos authentication will be bypassed and 
> username/password screen shown
>
> 3) Automatically skip Kerberos after the logout. I personally didn't 
> like this approach. IMO if we do this, we will anyway need the config 
> option on the Kerberos authenticator.
>
> My personal preference is 1, then 2, then 3.
>
> For your use case, I suspect that in most of the cases you want to 
> authenticate as the Kerberos user, but just in some special cases (admin 
> needs to authenticate with some special account etc.) bypass Kerberos. 
> Is that correct? So the query parameter is your preferred way, right?
>
> Anyway, I wouldn't start contributing to Keycloak for now until it's 
> agreed what exactly to do. You can already handle it in your 
> environment with your own Authenticator implementation where you can 
> implement "skip_auth_mechanisms" or something like that.
>
> Marek
>
> On 05/10/17 10:15, Jože Mlakar wrote:
>> Also, before you comment, read 
>> https://github.com/keycloak/keycloak/pull/1644
>>
>> I believe there is no harm in skip_auth_mechanisms query parameter. I 
>> agree there are scenarios where other options are also good, but not 
>> globally.
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
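The custom Authenticator that the quoted reply suggests (option 1, a "skip_auth_mechanisms" query parameter), sketched below as an added example. This is not code from the thread or from the Keycloak project: the class, package and parameter name are assumptions, and it is written against the Keycloak 3.x Authenticator SPI (AuthenticationFlowContext, AuthenticationSessionModel auth notes, and the built-in SpnegoAuthenticator). It wraps the stock Kerberos/SPNEGO authenticator, reads the parameter from the initial /auth request, remembers the decision in the authentication session (later form POSTs no longer carry the original query string), and calls attempted() so that an ALTERNATIVE execution falls through to the username/password form instead of sending the 401 Negotiate challenge.

```java
package com.example.keycloak.auth; // hypothetical package

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

import java.util.Arrays;

/**
 * Kerberos/SPNEGO authenticator that can be bypassed per login with
 *   ...?skip_auth_mechanisms=kerberos
 * on the authorization request. Example code; "skip_auth_mechanisms",
 * the auth-note name and the "kerberos" token are assumptions.
 */
public class SkippableKerberosAuthenticator implements Authenticator {

    static final String PARAM = "skip_auth_mechanisms";   // assumed parameter name
    static final String NOTE = "SKIP_AUTH_MECHANISMS";     // assumed auth-session note
    static final String MECHANISM = "kerberos";

    // Delegate to the stock implementation for the real SPNEGO handshake.
    private final SpnegoAuthenticator delegate = new SpnegoAuthenticator();

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();

        // The query parameter is only present on the first request of the flow;
        // persist it so the decision survives the redirect to the login form.
        String requested = context.getUriInfo().getQueryParameters().getFirst(PARAM);
        if (requested != null) {
            authSession.setAuthNote(NOTE, requested);
        }

        if (shouldSkip(authSession.getAuthNote(NOTE))) {
            // attempted(): execution tried, not successful. In an ALTERNATIVE
            // execution the flow moves on to the next authenticator (the
            // username/password form); in a REQUIRED execution it would fail.
            context.attempted();
            return;
        }
        delegate.authenticate(context);
    }

    /** Accepts a comma-separated list, e.g. "kerberos" or "kerberos,x509". */
    static boolean shouldSkip(String note) {
        if (note == null) {
            return false;
        }
        return Arrays.stream(note.split(","))
                .map(String::trim)
                .anyMatch(MECHANISM::equalsIgnoreCase);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        delegate.action(context);
    }

    @Override
    public boolean requiresUser() {
        return false;
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
        // nothing to add
    }

    @Override
    public void close() {
        // nothing to release
    }
}
```

To use it, an AuthenticatorFactory returning this class must be registered through META-INF/services/org.keycloak.authentication.AuthenticatorFactory and bound in a copy of the browser flow in place of the stock Kerberos execution, set to ALTERNATIVE. Note what the parameter does and does not weaken: an unauthenticated caller can only opt out of the Kerberos single sign-on convenience and is then sent to the normal credential prompt, so no authentication step is removed; but because the choice is carried in a URL, it is the kind of client-driven downgrade that the "acr" work mentioned above is meant to make explicit and policy-controlled rather than ad hoc.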