[keycloak-user] LDAP with Kerberos, login with different user

Raghu Prabhala prabhalar at yahoo.com
Thu Jul 23 11:14:25 EDT 2015


Why can't we have two separate authentication mechanisms: one, IWA, in which case the user is logged in automatically and on logout he is taken to a login page where a different userid can be entered, and two, a login page that allows userid/password? That would address our use case.




> On Jul 23, 2015, at 10:50 AM, Marek Posolda <mposolda at redhat.com> wrote:
> 
> Maybe it can be configurable for the Kerberos mechanism? Just the flag 
> "login automatically". If it's off, another confirmation screen for the 
> user will be displayed?
> 
> Marek
> 
>> On 23.7.2015 16:36, Stian Thorgersen wrote:
>> "Is this you?"
>> 
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: keycloak-user at lists.jboss.org
>>> Sent: Thursday, 23 July, 2015 4:02:53 PM
>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
>>> 
>>> With the new flows, we could detect a Kerberos login then ask if they
>>> want to log in as that user or another.
>>> 
>>>> On 7/23/2015 2:26 AM, Marek Posolda wrote:
>>>> Do you want that for normal users or just for admin users? Just trying
>>>> to understand the use case. Because AFAIK the point of Kerberos is that
>>>> you log in to the desktop and then you're automatically logged into
>>>> integrated web applications without needing to deal with any login screens
>>>> and username/password. When a user has just one Keycloak account
>>>> corresponding to his Kerberos ticket, then why does he need to log in as
>>>> a different user?
>>>> 
>>>> I can understand the use case for an admin, when you want to log in as a
>>>> different user for testing purposes etc. For this, isn't it possible in
>>>> Windows to do something like "kdestroy" to be able to log in without
>>>> Kerberos?
>>>> 
>>>> Marek
>>>> 
>>>>> On 23.7.2015 07:44, Michael Gerber wrote:
>>>>> Isn't it possible to create a cookie or add a URL parameter after the
>>>>> logout, so the user is not logged in automatically?
>>>>> 
>>>>> It's crucial for us to be able to log in as a different user,
>>>>> otherwise we cannot use Kerberos at all :(
>>>>> 
>>>>> Michael
>>>>> 
>>>>>> On 22 July 2015 at 23:06, Marek Posolda <mposolda at redhat.com> wrote:
>>>>>> 
>>>>>> I don't think it's doable. Kerberos is a kind of desktop login, and
>>>>>> logout from the web application won't destroy the Kerberos ticket,
>>>>>> just as it can't log out your laptop/desktop session. So when
>>>>>> you visit the secured application next time, you are automatically
>>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket.
>>>>>> 
>>>>>> Hence you need to remove the Kerberos ticket manually (for example,
>>>>>> "kdestroy" works on Linux, but I guess you're using Windows +
>>>>>> ActiveDirectory?) and then you will be able to see the Keycloak login
>>>>>> screen and log in as a different user.
>>>>>> 
>>>>>> Marek
>>>>>> 
>>>>>>> On 22.7.2015 15:38, Michael Gerber wrote:
>>>>>>> Hi all,
>>>>>>> 
>>>>>>> I use LDAP with Kerberos and would like to log out and log in again
>>>>>>> as a different user (no Kerberos login, just the Keycloak username and
>>>>>>> password dialog).
>>>>>>> Is that possible?
>>>>>>> 
>>>>>>> cheers
>>>>>>> Michael
>>>>>>> 
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> 
>>>> 
>>>> 
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> 
> 
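The cookie idea and the "login automatically" behaviour discussed in this thread, sketched at the HTTP level as an added example (not Keycloak code and not code from any poster). The cookie name `SKIP_SPNEGO` and the function names are hypothetical; validating the SPNEGO token itself (GSS-API) is outside this sketch and is only returned as an action.

```python
# Added illustration: decide whether a login endpoint should send the
# SPNEGO challenge. Cookie and function names are hypothetical.
from http.cookies import SimpleCookie

SKIP_COOKIE = "SKIP_SPNEGO"  # hypothetical marker set at logout


def _cookie_header(value, max_age=None):
    c = SimpleCookie()
    c[SKIP_COOKIE] = value
    c[SKIP_COOKIE]["path"] = "/"
    c[SKIP_COOKIE]["httponly"] = True   # not readable from page scripts
    c[SKIP_COOKIE]["secure"] = True     # only sent over HTTPS
    if max_age is not None:
        c[SKIP_COOKIE]["max-age"] = max_age
    return [("Set-Cookie", c[SKIP_COOKIE].OutputString())]


def logout_headers():
    """Sent with the logout response: this browser explicitly logged out."""
    return _cookie_header("1")


def clear_skip_headers():
    """Sent after a successful form login so SSO works again next time."""
    return _cookie_header("", max_age=0)


def login_step(request_headers):
    """Return (status, response_headers, action) for a login request."""
    cookies = SimpleCookie(request_headers.get("Cookie", ""))
    auth = request_headers.get("Authorization", "")
    if SKIP_COOKIE in cookies:
        # Explicit logout happened: no challenge, and an unsolicited
        # Negotiate token is ignored rather than validated.
        return 200, [], "show_login_form"
    if auth.startswith("Negotiate "):
        # A real server validates the token via GSS-API at this point.
        return 200, [], "validate_spnego_token"
    # First contact: ask the browser for a Kerberos token.
    return 401, [("WWW-Authenticate", "Negotiate")], "challenge"
```

The marker only changes what the server asks for in that browser; the Kerberos ticket on the desktop stays valid until it expires or is destroyed, as described in the thread.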


