[keycloak-user] LDAP with Kerberos, login with different user
Raghu Prabhala
prabhalar at yahoo.com
Thu Jul 23 11:14:25 EDT 2015
Why can't we have two separate authentication mechanisms: one, IWA, in which case the user is logged in automatically and on logout is taken to a login page where a different userid can be entered, and two, a login page that allows userid/password? That would address our use case.
> On Jul 23, 2015, at 10:50 AM, Marek Posolda <mposolda at redhat.com> wrote:
>
> Maybe it can be configurable for the kerberos mechanism? Just the flag
> "login automatically". If it's off, another confirmation screen for the
> user will be displayed?
>
> Marek
>
>> On 23.7.2015 16:36, Stian Thorgersen wrote:
>> "Is this you?"
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: keycloak-user at lists.jboss.org
>>> Sent: Thursday, 23 July, 2015 4:02:53 PM
>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
>>>
>>> With the new flows, we could detect a kerberos login then ask if they
>>> want to log in as that user or another.
>>>
>>>> On 7/23/2015 2:26 AM, Marek Posolda wrote:
>>>> Do you want that for normal users or just for admin users? Just trying
>>>> to understand the use case. Because AFAIK the point of kerberos is that
>>>> you log in to the desktop and then you're automatically logged into
>>>> integrated web applications without need to deal with any login screens
>>>> and username/password. When a user has just one keycloak account
>>>> corresponding to his kerberos ticket, then why does he need to log in as
>>>> a different user?
>>>>
>>>> I can understand the use case for admin, when you want to log in as a
>>>> different user for testing purposes etc. For this, isn't it possible in
>>>> Windows to do something like "kdestroy" to be able to log in without
>>>> kerberos?
>>>>
>>>> Marek
>>>>
>>>>> On 23.7.2015 07:44, Michael Gerber wrote:
>>>>> Isn't it possible to create a cookie or add a URL parameter after the
>>>>> logout, so the user is not logged in automatically?
>>>>>
>>>>> It's crucial for us to be able to log in as a different user,
>>>>> otherwise we cannot use kerberos at all :(
>>>>>
>>>>> Michael
>>>>>
>>>>>> On 22 July 2015 at 23:06, Marek Posolda <mposolda at redhat.com> wrote:
>>>>>>
>>>>>> I don't think it's doable. Kerberos is a kind of desktop login, and
>>>>>> logout from the web application won't destroy the kerberos ticket,
>>>>>> just as it can't log out your laptop/desktop session. So when
>>>>>> you visit the secured application next time, you are automatically
>>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket.
>>>>>>
>>>>>> Hence you need to remove the kerberos ticket manually (for example
>>>>>> "kdestroy" works on Linux, but I guess you're using Windows +
>>>>>> Active Directory?) and then you will be able to see the keycloak login
>>>>>> screen and log in as a different user.
>>>>>>
>>>>>> Marek
>>>>>>
>>>>>>> On 22.7.2015 15:38, Michael Gerber wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I use LDAP with Kerberos and would like to log out and log in again
>>>>>>> with a different user (no kerberos login, just keycloak username and
>>>>>>> password dialog).
>>>>>>> Is that possible?
>>>>>>>
>>>>>>> cheers
>>>>>>> Michael
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
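
Added example, not part of the thread and not Keycloak code: a model of the server-side decision the replies discuss. SPNEGO only starts when the server answers with 401 and "WWW-Authenticate: Negotiate", so a logout marker (the cookie idea) or a "login automatically" flag can withhold or defer the Kerberos login without touching the ticket. The cookie name, the function names and the fake token table are assumptions.

```python
# Added illustration: models the login endpoint's choice only.
# SKIP_COOKIE, the function names and FAKE_KDC are assumptions, not Keycloak code.
import base64

SKIP_COOKIE = "SKIP_SPNEGO"  # hypothetical marker set at logout

# Constructed stand-in for GSSAPI token acceptance: token bytes -> principal.
FAKE_KDC = {b"ticket-for-alice": "alice@EXAMPLE.ORG"}


def accept_token(token: bytes):
    """Return the Kerberos principal for a token, or None if it is rejected."""
    return FAKE_KDC.get(token)


def logout_response():
    """Logout cannot destroy the desktop ticket, so it leaves a marker instead."""
    return {"status": 200, "set_cookie": {SKIP_COOKIE: "1"}, "page": "logged-out"}


def login_step(headers: dict, cookies: dict, auto_login: bool = True):
    """Decide what the login endpoint sends for one request."""
    # 1. Marker present: never issue the Negotiate challenge, show the form.
    if cookies.get(SKIP_COOKIE) == "1":
        return {"status": 200, "page": "login-form"}

    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    # 2. No SPNEGO token yet: challenge. A browser without a ticket renders
    #    the 401 body, so the login form is sent as the fallback.
    if scheme.lower() != "negotiate" or not blob:
        return {"status": 401, "headers": {"WWW-Authenticate": "Negotiate"},
                "page": "login-form"}

    # 3. Token received: validate it, then honour the "login automatically" flag.
    try:
        principal = accept_token(base64.b64decode(blob, validate=True))
    except ValueError:  # malformed base64
        principal = None
    if principal is None:
        return {"status": 200, "page": "login-form"}
    if auto_login:
        return {"status": 302, "user": principal, "page": "application"}
    # Flag off: the "Is this you?" confirmation screen.
    return {"status": 200, "candidate": principal, "page": "confirm-identity"}
```

The marker is client-controlled, but it can only downgrade the request to the username/password form, so tampering with it does not bypass authentication.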