[keycloak-user] disable kerberos SSO when needed

Thu Aug 18 16:31:28 EDT 2016

Hello Bill

it worked, but slightly different from you suggestion - thanks for the
help! For some reason when I put my authenticator inside a flow it was not
working as alternative, but outside of it worked. So my flow had to be
changed as below:

* Cookie Authenticator

* create an ALTERNATIVE sub flow

   * REQUIRED Add Execution (outisde of flow) as ALTERNATIVE Account
Chooser Custom authenticator page - success call AuthFlowContext.success()
otherwise AuthFLowContext.attempted().

* create ALTERNATIVE sub flow (Forms)
   * REQUIRED built in username/password authenticator

Cheers

filipe

On Thu, Aug 18, 2016 at 4:10 PM Bill Burke <bburke at redhat.com> wrote:

> Filipe, wouldn't you just have your Client Cert Authenticator be
> alternative and just use the "Forms" sub-flow structure that exists in the
> built in "Browser" flow?
>
> On 8/18/16 2:33 PM, Filipe Lautert wrote:
>
> Hello
>
> I've a similar case to this one, but instead of using an account page I
> use the ssl client certificate passed by Apache. I set up everything as the
> example you provided, but even if in my "Account Chooser Custom
> authenticator" I call AuthFlowContext.success() it is still showing me
> the username/password form from the next alternative flow.
>
> I worked around it creating a class called AlternativeUsernamePasswordFormFactory
> that extends UsernamePasswordFormFactory, and the only change that I did to
> it was to add the AuthenticationExecutionModel.Requirement.ALTERNATIVE to
> the REQUIREMENT_CHOICES . Now, if I set this new auth type as alternative
> in Keycloak, it does what I want.
>
> So my questions are: am I missing something to mark my Authenticator as
> sufficient to end the flow and return to the client? if not, is there a
> reason why UsernamePasswordFormFactory doesn't provide the ALTERNATIVE
> option, and can it be added to this class?
>
> I'm posting this again os this thread as Ray may face the same issue
> soon...
>
> Cheers
>
> filipe
>
> On Wed, Aug 17, 2016 at 6:38 PM Bill Burke <bburke at redhat.com> wrote:
>
>> You would need to create a custom authenticator that is like an account
>> chooser page, i.e. two buttons one says "login to kerberos" the other says
>> "login to ldap".
>>
>> A custom flow would look like this:
>>
>> * Cookie Authenticator
>> * create an ALTERNATIVE sub flow
>>
>>    * REQUIRED Account Chooser Custom authenticator page - if the kerberos
>> button is clicked, call AuthFlowContext.success() otherwise
>> AuthFLowContext.attempted().  Attempted will abort this alternative flow
>>    * REQUIRED Built in Kerberos Authenticator
>>
>> * create another ALTERNATIVE sub flow
>>    * REQUIRED built in username/password authenticator
>>
>>
>> On 8/17/16 4:05 PM, Zhou, Limin (Ray) wrote:
>>
>> Hello
>>
>>
>>
>> Right now our keycloak server was setup to do kerberos authentication
>> with ldap as backup, so in this case, the user will get them in
>> automatically
>>
>> from the company domain when they hitting the URL, we have application
>> role definitions in the keycloak, if the user does not have the role
>> configured
>>
>> then we want to logout them back to the default key cloack login page and
>> let them try their LDAP user account.
>>
>>
>>
>> But because kerberos authentication is always on the top, so right after
>> we logout the user, the kerberos will let them in automatically
>>
>>
>>
>> right now we are using keycloak.logout from keycloak.js to logout user
>>
>>
>>
>> I am wondering what is the good practice to achieve this?
>>
>>
>>
>> Any suggestions are welcome
>>
>>
>>
>> thanks
>>
>> raymond
>> ------------------------------
>> Moneris Solutions Corporation | 3300 Bloor Street West | Toronto |
>> Ontario | M8X 2X2 | Canada www.moneris.com 1-866-319-7450
>> If you wish to unsubscribe from future updates from Moneris, please click
>> here
>> <https://www.moneris.com/en/About-Moneris/Contact-Moneris/Unsubscribe.aspx>.
>> Please see the Moneris Privacy Policy here
>> <http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx>.
>>
>>
>> This e-mail may be privileged and/or confidential, and the sender does
>> not waive any related rights and obligations. Any distribution, use or
>> copying of this e-mail or the information it contains by other than an
>> intended recipient is unauthorized. If you received this e-mail in error,
>> please advise me (by return e-mail or otherwise) immediately.
>> ------------------------------
>> Corporation Solutions Moneris | 3300, rue Bloor Ouest | Toronto | Ontario
>> | M8X 2X2 | Canada www.moneris.com 1-866-319-7450
>> Si vous désirez enlever votre nom de la liste d’envoi de Moneris,
>> veuillez cliquer ici
>> <https://www.moneris.com/about-moneris/contact-moneris/unsubscribe?sc_lang=fr-CA>.
>> Veuillez consulter la Politique de confidentialité de Moneris ici
>> <http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx?sc_lang=fr-CA%20>.
>>
>>
>> Ce courriel peut contenir des renseignements confidentiels ou
>> privilégiés, et son expéditeur ne renonce à aucun droit ni à aucune
>> obligation connexe. La distribution, l’utilisation ou la reproduction du
>> présent courriel ou des renseignements qu’il contient par une personne
>> autre que son destinataire prévu sont interdites. Si vous avez reçu ce
>> courriel par erreur, veuillez m’en aviser immédiatement (par retour de
>> courriel ou autrement).
>>
>> _______________________________________________
>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> filipe lautert
>
>
> --
filipe lautert
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160818/65750774/attachment.html 