<html><body><div>Should I create a Jira issue for that task?</div><div>Or will you implement something in this direction anyway?</div><div><br>On 24 July 2015 at 09:57 Stian Thorgersen <stian@redhat.com> wrote:<br><br></div><div><blockquote type="cite"><div class="msg-quote"><div class="_stretch"><span class="body-text-content"><span class="body-text-content"><br><br>----- Original Message -----<br></span></span><blockquote class="quoted-plain-text" type="cite">From: "Marek Posolda" <<a href="mailto:mposolda@redhat.com" data-mce-href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>></blockquote><blockquote class="quoted-plain-text" type="cite">To: "Raghu Prabhala" <<a href="mailto:prabhalar@yahoo.com" data-mce-href="mailto:prabhalar@yahoo.com">prabhalar@yahoo.com</a>>, "Bill Burke" <<a href="mailto:bburke@redhat.com" data-mce-href="mailto:bburke@redhat.com">bburke@redhat.com</a>></blockquote><blockquote class="quoted-plain-text" type="cite">Cc: "Stian Thorgersen" <<a href="mailto:stian@redhat.com" data-mce-href="mailto:stian@redhat.com">stian@redhat.com</a>>, <a href="mailto:keycloak-user@lists.jboss.org" data-mce-href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a></blockquote><blockquote class="quoted-plain-text" type="cite">Sent: Friday, 24 July, 2015 9:49:45 AM</blockquote><blockquote class="quoted-plain-text" type="cite">Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Support for prompt=select_account will be cool. Another suggestion for</blockquote><blockquote class="quoted-plain-text" type="cite">adding a query parameter to skip some mechanisms (like</blockquote><blockquote class="quoted-plain-text" type="cite">skipAuthMechanism=cookie,kerberos) might be good too.</blockquote><span class="body-text-content"><span class="body-text-content"><br>That'll only make sense if we also add support to allow multiple accounts, which could be fairly easy on the server-side, but much harder to support in adapters.<br><br></span></span><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Not sure if we need to support both, but IMO it will be good to have a</blockquote><blockquote class="quoted-plain-text" type="cite">solution not tightly coupled to Kerberos. I can imagine a similar</blockquote><blockquote class="quoted-plain-text" type="cite">situation with other login mechanisms as well. For example with</blockquote><blockquote class="quoted-plain-text" type="cite">authenticating users by certificate, an admin may also want to skip</blockquote><blockquote class="quoted-plain-text" type="cite">automatic login with the certificate from his browser and instead log in</blockquote><blockquote class="quoted-plain-text" type="cite">with the username/password form.</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Marek</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">On 23.7.2015 17:43, Raghu Prabhala wrote:</blockquote><blockquote class="quoted-plain-text" type="cite">> The select account prompt wouldn't work for us as some of our applications</blockquote><blockquote class="quoted-plain-text" type="cite">> require that the user log in only by entering userid/pw but your other</blockquote><blockquote class="quoted-plain-text" type="cite">> suggestion might work as long as we do the 
Kerberos authentication using</blockquote><blockquote class="quoted-plain-text" type="cite">> id/pw</blockquote><blockquote class="quoted-plain-text" type="cite">></blockquote><blockquote class="quoted-plain-text" type="cite">> Sent from my iPhone</blockquote><blockquote class="quoted-plain-text" type="cite">></blockquote><blockquote class="quoted-plain-text" type="cite">>> On Jul 23, 2015, at 11:28 AM, Bill Burke <<a href="mailto:bburke@redhat.com" data-mce-href="mailto:bburke@redhat.com">bburke@redhat.com</a>> wrote:</blockquote><blockquote class="quoted-plain-text" type="cite">>></blockquote><blockquote class="quoted-plain-text" type="cite">>> All this interaction is defined by the SAML and OIDC specifications.</blockquote><blockquote class="quoted-plain-text" type="cite">>> Logout redirects you back to the application and it's up to the</blockquote><blockquote class="quoted-plain-text" type="cite">>> application what to do next. We could add a query param that, if it is</blockquote><blockquote class="quoted-plain-text" type="cite">>> set, skips kerberos. This could be in addition to the "login</blockquote><blockquote class="quoted-plain-text" type="cite">>> automatically" flag.</blockquote><blockquote class="quoted-plain-text" type="cite">>></blockquote><blockquote class="quoted-plain-text" type="cite">>></blockquote><blockquote class="quoted-plain-text" type="cite">>>> On 7/23/2015 11:14 AM, Raghu Prabhala wrote:</blockquote><blockquote class="quoted-plain-text" type="cite">>>> Why can't we have two separate authentication mechanisms - one IWA, in</blockquote><blockquote class="quoted-plain-text" type="cite">>>> which case the user is logged in automatically and on logout he is taken</blockquote><blockquote class="quoted-plain-text" type="cite">>>> to a login page where a different userid can be entered and two, a login page</blockquote><blockquote class="quoted-plain-text" type="cite">>>> that allows userid/password? 
That would address our use case.</blockquote><blockquote class="quoted-plain-text" type="cite">>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>> Sent from my iPhone</blockquote><blockquote class="quoted-plain-text" type="cite">>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>> On Jul 23, 2015, at 10:50 AM, Marek Posolda <<a href="mailto:mposolda@redhat.com" data-mce-href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>> wrote:</blockquote><blockquote class="quoted-plain-text" type="cite">>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>> Maybe it can be configurable for the kerberos mechanism? Just the flag</blockquote><blockquote class="quoted-plain-text" type="cite">>>>> "login automatically". If it's off, another confirmation screen for the</blockquote><blockquote class="quoted-plain-text" type="cite">>>>> user will be displayed?</blockquote><blockquote class="quoted-plain-text" type="cite">>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>> Marek</blockquote><blockquote class="quoted-plain-text" type="cite">>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>> On 23.7.2015 16:36, Stian Thorgersen wrote:</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>> "Is this you?"</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>> ----- Original Message -----</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>> From: "Bill Burke" <<a href="mailto:bburke@redhat.com" data-mce-href="mailto:bburke@redhat.com">bburke@redhat.com</a>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>> To: <a href="mailto:keycloak-user@lists.jboss.org" data-mce-href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>> Sent: Thursday, 23 July, 2015 4:02:53 PM</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>> user</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>> With the new flows, we could detect a kerberos login then ask if they</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>> want to login as that user or another.</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>> On 7/23/2015 2:26 AM, Marek Posolda wrote:</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>> Do you want that for normal users or just for admin users? Just</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>> trying</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>> to understand the use case. Because AFAIK the point of kerberos is</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>> that</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>> you log into the desktop and then you're automatically logged into</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>> integrated web applications without needing to deal with any login</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>> screens</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>> and username/password. 
When a user has just one keycloak account</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>> corresponding to his kerberos ticket, then why does he need to login as</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>> a different user?</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>> I can understand the use case for an admin, when you want to login as</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>> a different user for testing purposes etc. For this, isn't it possible</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>> in</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>> windows to do something like "kdestroy" to be able to login without</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>> kerberos?</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>> Marek</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>> On 23.7.2015 07:44, Michael Gerber wrote:</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>> Isn't it possible to create a cookie or add a URL parameter after</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>> the</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>> logout, so the user is not logged in automatically?</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>> It's crucial for us to be able to log in as a different user,</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>> otherwise we cannot use kerberos at all :(</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>></blockquote><blockquote 
class="quoted-plain-text" type="cite">>>>>>>>> Michael</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>> On 22 July 2015 at 23:06 Marek Posolda</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>> <<a href="mailto:mposolda@redhat.com" data-mce-href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>> wrote:</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>> I don't think it's doable. Kerberos is a kind of desktop login and</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>> logout from the web application won't destroy the kerberos ticket -</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>> just as it can't log out your laptop/desktop session. So when</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>> you visit the secured application next time, you are automatically</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket.</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>> Hence you need to remove the kerberos ticket manually (for example</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>> "kdestroy" works on Linux, but I guess you're using Windows +</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>> ActiveDirectory? 
) and then you will be able to see the keycloak login</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>> screen and log in as a different user.</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>> Marek</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>>> On 22.7.2015 15:38, Michael Gerber wrote:</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>>> Hi all,</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>>> I use LDAP with Kerberos and would like to log out and log in again</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>>> with a different user (no kerberos login, just keycloak username</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>>> and</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>>> password dialog).</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>>> Is that possible?</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>>> cheers</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>>> Michael</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>>> _______________________________________________</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>>> keycloak-user mailing list</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>>> <a href="mailto:keycloak-user@lists.jboss.org" 
data-mce-href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>>>>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" data-mce-href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>>></blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>> --</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>> Bill Burke</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>> JBoss, a division of Red Hat</blockquote><blockquote class="quoted-plain-text" type="cite">>>>>>> <a href="http://bill.burkecentral.com" data-mce-href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></blockquote><blockquote class="quoted-plain-text" type="cite">>> --</blockquote><blockquote class="quoted-plain-text" type="cite">>> Bill Burke</blockquote><blockquote class="quoted-plain-text" type="cite">>> JBoss, a division of Red Hat</blockquote><blockquote class="quoted-plain-text" type="cite">>> <a href="http://bill.burkecentral.com" data-mce-href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote></div></div></blockquote></div></body></html>