[keycloak-user] LDAP with Kerberos, login with different user

Marek Posolda mposolda at redhat.com
Thu Jul 23 07:35:36 EDT 2015


TBH I am not very confident about adding a cookie during logout. Usually 
in production, I want to always login with Kerberos and not deal with 
any login screen. Like when I go to https://mojo.redhat.com it always 
logs me in with the Kerberos ticket, and when I logout or login again (either the same 
or the next day) it works fine without needing to deal with any cookie.

The only usecase which comes to my mind, why someone may want to skip 
login with his Kerberos account, is the admin during the 
testing/preproduction setup phase, when he wants to try login with 
different users etc. But now we have impersonation, so maybe this won't 
be needed at all? Awaiting feedback from Michael in the other mail..

Marek


On 23.7.2015 09:51, Stian Thorgersen wrote:
> How about when a user logs out from Keycloak we add a session cookie to not use Kerberos again automatically? Even better, if there's a concept of a session-id with Kerberos we can add the session-id to the cookie and automatically login if the user's Kerberos session is changed, but otherwise display the username/password form.
>
> ----- Original Message -----
>> From: "Marek Posolda" <mposolda at redhat.com>
>> To: "Michael Gerber" <gerbermichi at me.com>
>> Cc: keycloak-user at lists.jboss.org
>> Sent: Thursday, 23 July, 2015 8:35:30 AM
>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
>>
>> Maybe we can have a special request parameter, which will be sent from the
>> application to the login screen. The parameter will contain a list of
>> authentication mechanisms which you want to skip for this login. Something
>> like "skipAuthType=cookie,kerberos". The list of skipped alternative
>> mechanisms will be saved in ClientSession, so the authentication SPI can deal
>> with it.
>>
>> Not sure if it makes sense to add support into the adapter, but maybe something
>> basic (like we have for the parameters "login_hint" or "kc_idp_hint" in
>> keycloak.js) can be added as well?
>>
>> Marek
>>
>> On 23.7.2015 08:26, Marek Posolda wrote:
>>
>> Do you want that for normal users or just for admin users? Just trying to
>> understand the usecase. Because AFAIK the point of Kerberos is that you
>> login to the desktop and then you're automatically logged into integrated
>> web applications without needing to deal with any login screens and
>> username/password. When a user has just one Keycloak account corresponding to
>> his Kerberos ticket, then why would he need to login as a different user?
>>
>> I can understand the usecase for the admin, when you want to login as a different
>> user for testing purposes etc. For this, isn't it possible in Windows to do
>> something like "kdestroy" to be able to login without Kerberos?
>>
>> Marek
>>
>> On 23.7.2015 07:44, Michael Gerber wrote:
>>
>> Isn't it possible to create a cookie or add a URL parameter after the
>> logout, so the user is not logged in automatically?
>>
>> It's crucial for us to be able to log in as a different user, otherwise we
>> can not use Kerberos at all :(
>>
>> Michael
>>
>> On 22 July 2015 at 23:06, Marek Posolda <mposolda at redhat.com> wrote:
>>
>> I don't think it's doable. Kerberos is a kind of desktop login, and logout from
>> the web application won't destroy the Kerberos ticket - similarly, it
>> can't log out your laptop/desktop session. So when you visit the secured
>> application next time, you are automatically logged into Keycloak through
>> SPNEGO due to the Kerberos ticket.
>>
>> Hence you need to remove the Kerberos ticket manually (for example "kdestroy"
>> works on Linux, but I guess you're using Windows + ActiveDirectory?) and
>> then you will be able to see the Keycloak login screen and login as a different
>> user.
>>
>> Marek
>>
>> On 22.7.2015 15:38, Michael Gerber wrote:
>>
>> Hi all,
>>
>> I use LDAP with Kerberos and would like to logout and login again with a
>> different user (no Kerberos login, just the Keycloak username and password
>> dialog).
>> Is that possible?
>>
>> cheers
>> Michael
>>
>>
>> _______________________________________________
>> keycloak-user mailing list keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
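The two proposals in this thread (a session cookie set at logout that suppresses automatic Kerberos login, and a "skipAuthType" request parameter stored in the ClientSession for the authentication SPI) can be modelled in a few lines. This is an added example, not Keycloak's code; the parameter name, the cookie name KC_NO_SPNEGO and the function names are assumptions, and the point it makes is that both signals only disable automatic login and never authenticate anyone by themselves.

```python
# Added example, not Keycloak's code: models the post-logout cookie idea and
# the hypothetical "skipAuthType" parameter from the thread. All names are
# assumptions made for illustration.
from dataclasses import dataclass, field

# Mechanisms in the order the login endpoint would normally try them;
# the password form is the final fallback and can never be skipped.
MECHANISMS = ("cookie", "kerberos", "form")
SKIP_PARAM = "skipAuthType"        # hypothetical: skipAuthType=cookie,kerberos
NO_SPNEGO_COOKIE = "KC_NO_SPNEGO"  # hypothetical browser-session cookie set on logout
SSO_COOKIE = "KEYCLOAK_IDENTITY"   # Keycloak's SSO cookie, cleared on logout


@dataclass
class ClientSession:
    """Per-login state; the skipped set lives here so the auth SPI can read it."""
    skipped: set = field(default_factory=set)


def parse_skip_param(query: dict) -> set:
    """Mechanisms the application asked to skip. Unknown names are ignored and
    'form' is never accepted, so a login path always remains."""
    raw = query.get(SKIP_PARAM, "")
    asked = {p.strip().lower() for p in raw.split(",") if p.strip()}
    return {m for m in asked if m in MECHANISMS and m != "form"}


def start_login(query: dict, cookies: dict) -> tuple:
    """Return (ordered mechanisms to attempt, ClientSession). The skip signals
    are untrusted client input and only remove automatic mechanisms; they
    grant nothing, so a forged parameter or cookie can at worst show the form."""
    session = ClientSession(skipped=parse_skip_param(query))
    if NO_SPNEGO_COOKIE in cookies:        # user just logged out in this browser
        session.skipped.add("kerberos")    # don't silently re-login via ticket
    plan = [m for m in MECHANISMS if m not in session.skipped]
    return plan, session


def logout_cookies(cookies: dict) -> dict:
    """Cookies the logout response should leave behind: the SSO cookie is
    dropped and the marker is set. As a browser-session cookie it vanishes
    when the browser closes, so Kerberos auto-login works again next day."""
    result = dict(cookies)
    result.pop(SSO_COOKIE, None)
    result[NO_SPNEGO_COOKIE] = "1"
    return result
```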