[keycloak-user] LDAP with Kerberos, login with different user

Marek Posolda mposolda at redhat.com
Thu Jul 23 02:26:05 EDT 2015


Do you want that for normal users or just for admin users? Just trying 
to understand the use case. Because AFAIK the point of Kerberos is that 
you log in to the desktop and then you're automatically logged into 
integrated web applications without needing to deal with any login screens 
and username/password. When a user has just one Keycloak account 
corresponding to his Kerberos ticket, then why does he need to log in as 
a different user?

I can understand the use case for admin, when you want to log in as a 
different user for testing purposes etc. For this, isn't it possible in 
Windows to do something like "kdestroy" to be able to log in without 
Kerberos?

Marek

On 23.7.2015 07:44, Michael Gerber wrote:
> Isn't it possible to create a cookie or add a URL parameter after the 
> logout, so the user is not logged in automatically?
>
> It's crucial for us to be able to log in as a different user, 
> otherwise we cannot use Kerberos at all :(
>
> Michael
>
> On 22 July 2015 at 23:06, Marek Posolda <mposolda at redhat.com> wrote:
>
>> I don't think it's doable. Kerberos is a kind of desktop login, and 
>> logout from the web application won't destroy the Kerberos ticket - 
>> similarly, it can't log out your laptop/desktop session. So when 
>> you visit the secured application next time, you are automatically 
>> logged into Keycloak through SPNEGO due to the Kerberos ticket.
>>
>> Hence you need to remove the Kerberos ticket manually (for example 
>> "kdestroy" works on Linux, but I guess you're using Windows + 
>> ActiveDirectory?) and then you will be able to see the Keycloak login 
>> screen and log in as a different user.
>>
>> Marek
>>
>> On 22.7.2015 15:38, Michael Gerber wrote:
>>> Hi all,
>>>
>>> I use LDAP with Kerberos and would like to log out and log in again 
>>> with a different user (no Kerberos login, just the Keycloak username and 
>>> password dialog).
>>> Is that possible?
>>>
>>> cheers
>>> Michael
