[keycloak-user] Option to disable SPNEGO

Marek Posolda mposolda at redhat.com
Wed Mar 27 15:36:54 EDT 2019


On 26/03/2019 21:02, Ryan Slominski wrote:
> With the "LDAP" User Storage Provider you can configure authentication with a Kerberos password, but disable SPNEGO.  The admin web interface labels this "Allow Kerberos Authentication" (seems like a bad label).  However, with the "Kerberos" User Storage Provider there is no such option.  Is there a reason, or can this be added?
It is not on the Kerberos provider because when you configure the "Kerberos" 
provider, there is an assumption that you will want SPNEGO integration.
>
> Going a step further, the option to request SPNEGO be disabled via URL parameter (regardless of LDAP vs Kerberos User Storage Provider) was discussed years ago (http://lists.jboss.org/pipermail/keycloak-dev/2015-October/005399.html) with no resolution.   Where are we with this?   Either the parameter approach or some sort of support for "Switch User" would be appreciated because it is very tricky to accommodate with the current API.  Currently I'm using a brokered identity provider which is a duplicate of the primary realm minus SPNEGO support.  Then client applications are coded with a "switch user" link that uses the idp_hint parameter to indicate the special su brokered realm be used.   Seems unnecessarily complex.    Maybe I'm missing something easier?

There is nothing easier ATM and nothing was done in the end.

I was thinking about another option (maybe it was discussed in the 
thread, but not 100% sure...) to use the "prompt=select_account" parameter 
supported by the OIDC protocol. The original purpose of 
"prompt=select_account" is maybe a bit different - it allows you to 
choose the account when you're somehow authenticated to multiple 
accounts. However I can see the usage for use-cases like SPNEGO or 
X.509 authentication: when the parameter is used, it will show the 
confirmation screen (aka "Is this you?" screen) where the user will confirm 
that he wants to authenticate with his SPNEGO/X509 identity.

Marek





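The "switch user" workaround from the original question, as an added example that is not code from the thread or from Keycloak: a client application builds two OIDC authorization requests against the same realm, a normal one that lets the realm negotiate SPNEGO, and a "switch user" one that carries `kc_idp_hint` (Keycloak's documented name for the parameter the poster calls idp_hint) so the realm hands the user straight to the brokered identity provider that has no SPNEGO. The base URL, realm `corp`, client `webapp`, redirect URI and broker alias `su-broker` are assumptions. The generic `prompt` parameter is included so the `prompt=select_account` idea from the reply can be sent; nothing here asserts how Keycloak reacts to it.

```python
"""Authorization-request URLs for a "switch user" link that bypasses SPNEGO.

Added example for the workaround described in the thread; not code from the
thread or from Keycloak. Assumed values: the Keycloak base URL, realm "corp",
client "webapp", the redirect URI, and "su-broker" as the alias of the
brokered identity provider (the SPNEGO-less duplicate realm).
"""
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

KEYCLOAK_BASE = "https://sso.example.com/auth"      # assumed
REALM = "corp"                                      # assumed
CLIENT_ID = "webapp"                                # assumed
REDIRECT_URI = "https://app.example.com/callback"   # assumed
SU_BROKER_ALIAS = "su-broker"                       # assumed IdP alias


def auth_endpoint(base: str = KEYCLOAK_BASE, realm: str = REALM) -> str:
    """Keycloak's OIDC authorization endpoint for a realm."""
    return f"{base}/realms/{realm}/protocol/openid-connect/auth"


def build_auth_url(*, idp_hint: Optional[str] = None, prompt: Optional[str] = None,
                   state: Optional[str] = None, nonce: Optional[str] = None,
                   scope: str = "openid") -> str:
    """Build an authorization-code request.

    state and nonce default to fresh random values; a real client stores them
    in the session and checks them on the callback.
    """
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": scope,
        "state": state or secrets.token_urlsafe(32),
        "nonce": nonce or secrets.token_urlsafe(32),
    }
    if idp_hint:
        # kc_idp_hint: skip the realm's own login form (and its SPNEGO
        # challenge) and redirect the user directly to the named broker.
        params["kc_idp_hint"] = idp_hint
    if prompt:
        # Standard OIDC prompt parameter (e.g. "select_account", "login").
        params["prompt"] = prompt
    return f"{auth_endpoint()}?{urlencode(params)}"


def normal_login_url(**kw) -> str:
    """Default login link: the realm may negotiate SPNEGO with the browser."""
    return build_auth_url(**kw)


def switch_user_url(**kw) -> str:
    """"Switch user" link: route through the broker that has no SPNEGO."""
    return build_auth_url(idp_hint=SU_BROKER_ALIAS, **kw)


def query_params(url: str) -> dict:
    """Flatten the query string of an authorization URL for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    print("normal:     ", normal_login_url())
    print("switch user:", switch_user_url())
    print("select_account:", build_auth_url(prompt="select_account"))
```

The two links differ only in the `kc_idp_hint` parameter, which is why the poster needs a second, SPNEGO-less broker: the hint is the only client-side lever the realm offers for steering a login away from its own authentication flow.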