[keycloak-user] LDAP with Kerberos, login with different user

Stian Thorgersen stian at redhat.com
Thu Jul 23 10:36:02 EDT 2015


"Is this you?"

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 23 July, 2015 4:02:53 PM
> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
> 
> With the new flows, we could detect a Kerberos login, then ask if they
> want to log in as that user or another.
> 
> On 7/23/2015 2:26 AM, Marek Posolda wrote:
> > Do you want that for normal users or just for admin users? Just trying
> > to understand the use case. Because AFAIK the point of Kerberos is that
> > you log in to the desktop and then you're automatically logged into
> > integrated web applications without needing to deal with any login screens
> > and username/password. When a user has just one Keycloak account
> > corresponding to his Kerberos ticket, then why does he need to log in as
> > a different user?
> >
> > I can understand the use case for admin, when you want to log in as a
> > different user for testing purposes etc. For this, isn't it possible in
> > Windows to do something like "kdestroy" to be able to log in without
> > Kerberos?
> >
> > Marek
> >
> > On 23.7.2015 07:44, Michael Gerber wrote:
> >> Isn't it possible to create a cookie or add a URL parameter after the
> >> logout, so the user is not logged in automatically?
> >>
> >> It's crucial for us to be able to log in as a different user,
> >> otherwise we cannot use Kerberos at all :(
> >>
> >> Michael
> >>
> >> On 22 July 2015 at 23:06, Marek Posolda <mposolda at redhat.com> wrote:
> >>
> >>> I don't think it's doable. Kerberos is a kind of desktop login, and
> >>> logout from the web application won't destroy the Kerberos ticket -
> >>> similarly, it can't log out your laptop/desktop session. So when
> >>> you visit the secured application next time, you are automatically
> >>> logged into Keycloak through SPNEGO due to the Kerberos ticket.
> >>>
> >>> Hence you need to remove the Kerberos ticket manually (for example,
> >>> "kdestroy" works on Linux, but I guess you're using Windows +
> >>> ActiveDirectory?) and then you will be able to see the Keycloak login
> >>> screen and log in as a different user.
> >>>
> >>> Marek
> >>>
> >>> On 22.7.2015 15:38, Michael Gerber wrote:
> >>>> Hi all,
> >>>>
> >>>> I use LDAP with Kerberos and would like to log out and log in again
> >>>> with a different user (no Kerberos login, just Keycloak username and
> >>>> password dialog).
> >>>> Is that possible?
> >>>>
> >>>> cheers
> >>>> Michael
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> keycloak-user mailing list
> >>>> keycloak-user at lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >
> >
> >
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 

