[keycloak-dev] LDAP with Kerberos, login with different user
Marek Posolda
mposolda at redhat.com
Mon Oct 9 06:55:14 EDT 2017
Another thing is that we are planning to add the support for the "acr"
OIDC parameter (aka authentication levels) and I believe that this
use case should be addressed through this.
For now, I would do something on your own as we still need to discuss
how exactly to address this and when (my guess is Keycloak 4.x sometime
next year).
Marek
On 09/10/17 12:47, Marek Posolda wrote:
> As you can see in the older discussions in the PR in JIRA, we were
> still discussing what exactly to do. Some approaches were:
>
> 1) Use the parameter like skip_auth_mechanisms
>
> 2) Use another confirmation screen (Account chooser authenticator or
> something like that) - Something, which will be shown after successful
> Kerberos authentication as user "jdoe" and will display "Do you really
> want to authenticate as John Doe, click <link>here</link>. Do you
> want to authenticate as the other user click <link>here</link>". In
> the latter case, Kerberos authentication will be bypassed and
> username/password screen shown
>
> 3) Automatically skip Kerberos after the logout. I personally didn't
> like this approach. IMO if we do this, we will anyway need the config
> option on the Kerberos authenticator.
>
> My personal preference is 1, then 2, then 3.
>
> For your use case, I suspect that in most of the cases you want to
> authenticate as Kerberos user, but just in some special cases (admin
> needs to authenticate with some special account etc) bypass Kerberos.
> Is it correct? So the query parameter is your preferred way right?
>
> Anyway, I wouldn't start contributing to Keycloak for now until it's
> agreed what exactly to do. You can already handle it in your
> environment with your own Authenticator implementation where you can
> implement "skip_auth_mechanisms" or something like that.
>
> Marek
>
> On 05/10/17 10:15, Jože Mlakar wrote:
>> Also, before you comment, read
>> https://github.com/keycloak/keycloak/pull/1644
>>
>> I believe there is no harm in skip_auth_mechanisms query parameter. I
>> agree there are scenarios where other options are also good, but not
>> globally.
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
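The custom Authenticator that Marek suggests as the interim route (approach 1, a skip_auth_mechanisms query parameter handled in your own deployment) could look like the following. This is an added example, not code from Keycloak or from anyone in the thread. It assumes the Keycloak 3.x Authenticator SPI of the time (org.keycloak.authentication.Authenticator and AuthenticatorFactory), wraps the built-in SpnegoAuthenticator rather than re-implementing SPNEGO, and uses hypothetical names for the package, the provider id ("skippable-kerberos") and the class. The factory would still have to be registered in META-INF/services/org.keycloak.authentication.AuthenticatorFactory and the execution swapped for the stock Kerberos one in the browser flow; those steps are not shown.

```java
package com.example.keycloak.auth; // hypothetical package name

import java.util.Collections;
import java.util.List;
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Factory for a Kerberos (SPNEGO) execution that can be skipped for one login
 * by adding ?skip_auth_mechanisms=kerberos to the authorization request.
 * Skipping does not log anyone in: it only marks this execution as attempted,
 * so the flow continues with whatever comes next (normally the username/password
 * form). The choice is therefore only offered as ALTERNATIVE or DISABLED; a
 * query parameter must not be able to switch off a REQUIRED step.
 */
public class SkippableKerberosAuthenticatorFactory implements AuthenticatorFactory {

    public static final String ID = "skippable-kerberos"; // hypothetical provider id

    private static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
            AuthenticationExecutionModel.Requirement.ALTERNATIVE,
            AuthenticationExecutionModel.Requirement.DISABLED
    };

    /** The authenticator itself; delegates everything except the skip decision to SpnegoAuthenticator. */
    public static class SkippableKerberosAuthenticator implements Authenticator {
        static final String PARAM = "skip_auth_mechanisms";
        static final String MECHANISM = "kerberos";

        private final SpnegoAuthenticator delegate = new SpnegoAuthenticator();

        /** True when the query string carries skip_auth_mechanisms containing "kerberos" (comma-separated, case-insensitive). */
        static boolean skipRequested(MultivaluedMap<String, String> query) {
            List<String> values = query.get(PARAM);
            if (values == null) {
                return false;
            }
            for (String value : values) {
                for (String mechanism : value.split(",")) {
                    if (MECHANISM.equalsIgnoreCase(mechanism.trim())) {
                        return true;
                    }
                }
            }
            return false;
        }

        @Override
        public void authenticate(AuthenticationFlowContext context) {
            if (skipRequested(context.getUriInfo().getQueryParameters())) {
                // Behave exactly as if SPNEGO negotiation had been attempted and not succeeded:
                // no Negotiate challenge is sent and the flow moves on to the next execution.
                context.attempted();
                return;
            }
            delegate.authenticate(context);
        }

        @Override public void action(AuthenticationFlowContext context) { delegate.action(context); }
        @Override public boolean requiresUser() { return delegate.requiresUser(); }
        @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
            return delegate.configuredFor(session, realm, user);
        }
        @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
            delegate.setRequiredActions(session, realm, user);
        }
        @Override public void close() { delegate.close(); }
    }

    @Override public Authenticator create(KeycloakSession session) { return new SkippableKerberosAuthenticator(); }
    @Override public String getId() { return ID; }
    @Override public String getDisplayType() { return "Kerberos (skippable via skip_auth_mechanisms)"; }
    @Override public String getReferenceCategory() { return "kerberos"; }
    @Override public boolean isConfigurable() { return false; }
    @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() { return REQUIREMENT_CHOICES; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() {
        return "SPNEGO/Kerberos login that is bypassed for a single request when skip_auth_mechanisms=kerberos is present.";
    }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}
```

The point to keep in mind when deploying something like this: the parameter only decides which mechanism is tried, never who the user is. Whoever skips Kerberos still has to pass the remaining executions of the flow, so the account an admin ends up with is whatever the username/password (and any second-factor) executions accept, which is the same guarantee the flow gives to a browser that simply has no Kerberos ticket.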