[keycloak-user] LDAP with Kerberos, login with different user

Stian Thorgersen stian at redhat.com
Fri Jul 24 03:55:37 EDT 2015



----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Raghu Prabhala" <prabhalar at yahoo.com>, "Bill Burke" <bburke at redhat.com>
> Cc: "Stian Thorgersen" <stian at redhat.com>, keycloak-user at lists.jboss.org
> Sent: Friday, 24 July, 2015 9:49:45 AM
> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
> 
> Support for prompt=select_account will be cool. Another suggestion, adding
> a query parameter to skip some mechanisms (like
> skipAuthMechanism=cookie,kerberos), might be good too.

That'll only make sense if we also add support to allow multiple accounts, which could be fairly easy on the server-side, but much harder to support in adapters.

> 
> Not sure if we need to support both, but IMO it will be good to have a
> solution not tightly coupled to Kerberos. I can imagine a similar
> situation with other login mechanisms as well. For example, with
> authenticating users by certificate, an admin may also want to skip
> automatic login with the certificate from his browser and instead log in
> with the username/password form.
> 
> Marek
> 
> On 23.7.2015 17:43, Raghu Prabhala wrote:
> > The select account prompt wouldn't work for us as some of our applications
> > require that the user log in only by entering userid/pw, but your other
> > suggestion might work as long as we do the Kerberos authentication using
> > Id/pw
> >
> > Sent from my iPhone
> >
> >> On Jul 23, 2015, at 11:28 AM, Bill Burke <bburke at redhat.com> wrote:
> >>
> >> All this interaction is defined by the SAML and OIDC specifications.
> >> Logout redirects you back to the application and it's up to the
> >> application what to do next. We could add a query param that, if it is
> >> set, means not to do kerberos. This could be in addition to the "login
> >> automatically" flag.
> >>
> >>
> >>> On 7/23/2015 11:14 AM, Raghu Prabhala wrote:
> >>> Why can't we have two separate authentication mechanisms: one, IWA, in
> >>> which case the user is logged in automatically and on logout he is taken
> >>> to a login page where a different userid can be entered, and two, a login
> >>> page that allows userid/password? That would address our use case.
> >>>
> >>>
> >>>
> >>> Sent from my iPhone
> >>>
> >>>> On Jul 23, 2015, at 10:50 AM, Marek Posolda <mposolda at redhat.com> wrote:
> >>>>
> >>>> Maybe it can be configurable for the kerberos mechanism? Just the flag
> >>>> "login automatically". If it's off, another confirmation screen for the
> >>>> user will be displayed?
> >>>>
> >>>> Marek
> >>>>
> >>>>> On 23.7.2015 16:36, Stian Thorgersen wrote:
> >>>>> "Is this you?"
> >>>>>
> >>>>> ----- Original Message -----
> >>>>>> From: "Bill Burke" <bburke at redhat.com>
> >>>>>> To: keycloak-user at lists.jboss.org
> >>>>>> Sent: Thursday, 23 July, 2015 4:02:53 PM
> >>>>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different
> >>>>>> user
> >>>>>>
> >>>>>> With the new flows, we could detect a kerberos login then ask if they
> >>>>>> want to login as that user or another.
> >>>>>>
> >>>>>>> On 7/23/2015 2:26 AM, Marek Posolda wrote:
> >>>>>>> Do you want that for normal users or just for admin users? Just
> >>>>>>> trying to understand the use case. Because AFAIK the point of
> >>>>>>> Kerberos is that you log into the desktop and then you're
> >>>>>>> automatically logged into integrated web applications without
> >>>>>>> needing to deal with any login screens and username/password.
> >>>>>>> When the user has just one Keycloak account corresponding to his
> >>>>>>> Kerberos ticket, then why does he need to log in as a different
> >>>>>>> user?
> >>>>>>>
> >>>>>>> I can understand the use case for an admin, when you want to log in
> >>>>>>> as a different user for testing purposes etc. For this, isn't it
> >>>>>>> possible in Windows to do something like "kdestroy" to be able to
> >>>>>>> log in without Kerberos?
> >>>>>>>
> >>>>>>> Marek
> >>>>>>>
> >>>>>>>> On 23.7.2015 07:44, Michael Gerber wrote:
> >>>>>>>> Isn't it possible to create a cookie or add a URL parameter after
> >>>>>>>> the logout, so the user is not logged in automatically?
> >>>>>>>>
> >>>>>>>> It's crucial for us to be able to log in as a different user,
> >>>>>>>> otherwise we cannot use Kerberos at all :(
> >>>>>>>>
> >>>>>>>> Michael
> >>>>>>>>
> >>>>>>>>> On 22 July 2015 at 23:06, Marek Posolda
> >>>>>>>>> <mposolda at redhat.com> wrote:
> >>>>>>>>>
> >>>>>>>>> I don't think it's doable. Kerberos is a kind of desktop login, and
> >>>>>>>>> logout from the web application won't destroy the Kerberos ticket,
> >>>>>>>>> just as it can't log out your laptop/desktop session. So when
> >>>>>>>>> you visit the secured application next time, you are automatically
> >>>>>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket.
> >>>>>>>>>
> >>>>>>>>> Hence you need to remove the Kerberos ticket manually (for example
> >>>>>>>>> "kdestroy" works on Linux, but I guess you're using Windows +
> >>>>>>>>> Active Directory?) and then you will be able to see the Keycloak
> >>>>>>>>> login screen and log in as a different user.
> >>>>>>>>>
> >>>>>>>>> Marek
> >>>>>>>>>
> >>>>>>>>>> On 22.7.2015 15:38, Michael Gerber wrote:
> >>>>>>>>>> Hi all,
> >>>>>>>>>>
> >>>>>>>>>> I use LDAP with Kerberos and would like to log out and log in again
> >>>>>>>>>> with a different user (no Kerberos login, just the Keycloak username
> >>>>>>>>>> and password dialog).
> >>>>>>>>>> Is that possible?
> >>>>>>>>>>
> >>>>>>>>>> cheers
> >>>>>>>>>> Michael
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> _______________________________________________
> >>>>>>>>>> keycloak-user mailing list
> >>>>>>>>>> keycloak-user at lists.jboss.org
> >>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>>>>
> >>>>>> --
> >>>>>> Bill Burke
> >>>>>> JBoss, a division of Red Hat
> >>>>>> http://bill.burkecentral.com
> 
> 

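As an added example (not Keycloak's code and not from anyone in this thread), here is the decision an OIDC authorization endpoint could make for the proposals above: the standard OIDC `prompt` values and Marek's suggested `skipAuthMechanism` parameter choose which mechanisms run, so a user whose Kerberos ticket still exists after a web logout can still reach the username/password form. The endpoint URL, the `AuthRequest` fields and the mechanism names are assumptions.

```python
# Added example, not Keycloak code: which login mechanisms an OIDC
# authorization endpoint could try, combining the standard OIDC `prompt`
# values with the `skipAuthMechanism` query parameter proposed in the
# thread (hypothetical; it is not a real Keycloak parameter here).
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

VALID_PROMPTS = {"none", "login", "consent", "select_account"}
# Mechanisms that log the user in without showing any screen.
PASSIVE = ("cookie", "kerberos")
# Constructed sample endpoint, not a real deployment.
BASE_URL = "https://idp.example/auth/realms/demo/protocol/openid-connect/auth"


@dataclass
class AuthRequest:
    url: str               # the authorization request the browser sent
    has_sso_cookie: bool   # a valid Keycloak SSO session cookie came along


def plan_login(req: AuthRequest):
    """Return the ordered mechanisms to attempt, or an OIDC error code."""
    q = parse_qs(urlsplit(req.url).query)
    prompt = set(q.get("prompt", [""])[0].split())
    if prompt - VALID_PROMPTS:
        return "invalid_request"
    skip = set(q.get("skipAuthMechanism", [""])[0].split(",")) - {""}
    # prompt=login (and select_account) means the user must be asked, so the
    # passive mechanisms are skipped even though the Kerberos ticket and the
    # SSO cookie still exist after a web logout.
    if prompt & {"login", "select_account"}:
        skip.update(PASSIVE)
    order = []
    if "cookie" not in skip and req.has_sso_cookie:
        order.append("cookie")    # reuse the existing SSO session
    if "kerberos" not in skip:
        order.append("kerberos")  # challenge the browser with SPNEGO
    if "none" in prompt:
        # No UI may be shown: succeed passively or tell the client why not.
        return order or "login_required"
    order.append("form")          # username/password screen as the fallback
    return order


if __name__ == "__main__":
    for query, cookie in [("", True), ("?prompt=login", True),
                          ("?skipAuthMechanism=cookie,kerberos", True),
                          ("?prompt=none&skipAuthMechanism=kerberos", False)]:
        req = AuthRequest(BASE_URL + query, cookie)
        print(query or "(no params)", "->", plan_login(req))
```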
