<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Maybe we can have special request
parameter, which will be send from application to login screen.
The parameter will contain list of authentication mechanisms,
which you want to skip for this login. Something like
"skipAuthType=cookie,kerberos" . The list of skipped alternative
mechanisms will be saved in ClientSession, so authentication SPI
can deal with it. <br>
<br>
Not sure if it makes sense to add support into adapter, but maybe
something basic (like we have for parameters "login_hint" or
"kc_idp_hint" in keycloak.js) can be added as well?<br>
<br>
Marek<br>
<br>
On 23.7.2015 08:26, Marek Posolda wrote:<br>
</div>
<blockquote cite="mid:55B088FD.2020505@redhat.com" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<div class="moz-cite-prefix">Do you want that for normal users or
just for admin users? Just trying to understand the usecase.
Because AFAIK the point of kerberos is, that you login into the
desktop and then you're automatically logged into integrated web
applications without need to deal with any login screens and
username/password. When user has just one keycloak account
corresponding to his kerberos ticket, then why he need to login
as different user?<br>
<br>
I can understand the usecase for admin, when you want to login
as different user for testing purpose etc. For this, isn't it
possible in windows to do something like "kdestroy" to be able
to login without kerberos?<br>
<br>
Marek<br>
<br>
On 23.7.2015 07:44, Michael Gerber wrote:<br>
</div>
<blockquote cite="mid:adb89690-a0bb-4fe6-8edf-a44200f5ce27@me.com"
type="cite">
<div>Isn't it possible to create a cookie or add an url
parameter after the logout, so the user is not logged in
automatically?</div>
<div><br>
</div>
<div>It's crucial for us to be able to log in as a different
user, otherwise we can not use kerberos at all :(</div>
<div><br>
</div>
<div>Michael</div>
<div><br>
Am 22. Juli 2015 um 23:06 schrieb Marek Posolda <a
moz-do-not-send="true" class="moz-txt-link-rfc2396E"
href="mailto:mposolda@redhat.com"><mposolda@redhat.com></a>:<br>
<br>
</div>
<div>
<div>
<blockquote type="cite">
<div class="msg-quote">
<div class="moz-cite-prefix">I don't think it's doable.
Kerberos is kind of desktop login and logout from the
web application won't destroy the kerberos ticket -
similarly like it can't logout your laptop/desktop
session. So when you visit the secured application
next time, you are automatically logged into Keycloak
through SPNEGO due to the Kerberos ticket. <br>
<br>
Hence you need to remove kerberos ticket manually (For
example "kdestroy" works on Linux, but I guess you're
using Windows + ActiveDirectory? ) and then you will
be able to see keycloak login screen and login as
different user.<br>
<br>
Marek<br>
<br>
On 22.7.2015 15:38, Michael Gerber wrote:<br>
</div>
<blockquote type="cite">
<div>Hi all,</div>
<div><br>
</div>
<div>I use LDAP with Kerberos and would like to logout
and login again with a different user (no kerberos
login, just keycloak username and password dialog).</div>
<div>Is that possible? </div>
<div><br>
</div>
<div>cheers</div>
<div>Michael</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre>_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org" data-mce-href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" data-mce-href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
</div>
<style class="_message-styles">div.msg-quote { background-color:#FFFFFF;}
</style></blockquote>
<br>
</blockquote>
<br>
</body>
</html>