[keycloak-user] LDAP with Kerberos, login with different user

Marek Posolda mposolda at redhat.com
Thu Jul 23 10:50:28 EDT 2015


Maybe it can be configurable for the Kerberos mechanism? Just the flag
"login automatically". If it's off, another confirmation screen for the
user will be displayed?

Marek

On 23.7.2015 16:36, Stian Thorgersen wrote:
> "Is this you?"
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-user at lists.jboss.org
>> Sent: Thursday, 23 July, 2015 4:02:53 PM
>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
>>
>> With the new flows, we could detect a Kerberos login then ask if they
>> want to log in as that user or another.
>>
>> On 7/23/2015 2:26 AM, Marek Posolda wrote:
>>> Do you want that for normal users or just for admin users? Just trying
>>> to understand the use case. Because AFAIK the point of Kerberos is that
>>> you log in to the desktop and then you're automatically logged into
>>> integrated web applications without needing to deal with any login screens
>>> and username/password. When a user has just one Keycloak account
>>> corresponding to his Kerberos ticket, then why does he need to log in as
>>> a different user?
>>>
>>> I can understand the use case for admin, when you want to log in as
>>> a different user for testing purposes etc. For this, isn't it possible in
>>> Windows to do something like "kdestroy" to be able to log in without
>>> Kerberos?
>>>
>>> Marek
>>>
>>> On 23.7.2015 07:44, Michael Gerber wrote:
>>>> Isn't it possible to create a cookie or add a URL parameter after the
>>>> logout, so the user is not logged in automatically?
>>>>
>>>> It's crucial for us to be able to log in as a different user,
>>>> otherwise we cannot use Kerberos at all :(
>>>>
>>>> Michael
>>>>
>>>> On 22 July 2015 at 23:06, Marek Posolda <mposolda at redhat.com> wrote:
>>>>
>>>>> I don't think it's doable. Kerberos is a kind of desktop login, and
>>>>> logout from the web application won't destroy the Kerberos ticket,
>>>>> just as it can't log out your laptop/desktop session. So when
>>>>> you visit the secured application next time, you are automatically
>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket.
>>>>>
>>>>> Hence you need to remove the Kerberos ticket manually (for example
>>>>> "kdestroy" works on Linux, but I guess you're using Windows +
>>>>> Active Directory?) and then you will be able to see the Keycloak login
>>>>> screen and log in as a different user.
>>>>>
>>>>> Marek
>>>>>
>>>>> On 22.7.2015 15:38, Michael Gerber wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I use LDAP with Kerberos and would like to log out and log in again
>>>>>> with a different user (no Kerberos login, just Keycloak username and
>>>>>> password dialog).
>>>>>> Is that possible?
>>>>>>
>>>>>> cheers
>>>>>> Michael
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>


