<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Yes, feel free to create a JIRA with the
link to this discussion.<br>
<br>
Marek<br>
<br>
On 28.7.2015 08:03, Michael Gerber wrote:<br>
</div>
<blockquote cite="mid:02df0f9e-faae-4124-a5f7-c31cbc2dde13@me.com"
type="cite">
<div>Should I create a Jira issue for that task?</div>
<div>Or will you anyway implement something in this direction?</div>
<div><br>
On 24 July 2015 at 09:57, Stian Thorgersen
<a class="moz-txt-link-rfc2396E" href="mailto:stian@redhat.com"><stian@redhat.com></a> wrote:<br>
<br>
</div>
<div>
<blockquote type="cite">
<div class="msg-quote">
<div class="_stretch"><span class="body-text-content"><span
class="body-text-content"><br>
<br>
----- Original Message -----<br>
</span></span>
<blockquote class="quoted-plain-text" type="cite">From:
"Marek Posolda" <<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
data-mce-href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>></blockquote>
<blockquote class="quoted-plain-text" type="cite">To:
"Raghu Prabhala" <<a moz-do-not-send="true"
href="mailto:prabhalar@yahoo.com"
data-mce-href="mailto:prabhalar@yahoo.com">prabhalar@yahoo.com</a>>,
"Bill Burke" <<a moz-do-not-send="true"
href="mailto:bburke@redhat.com"
data-mce-href="mailto:bburke@redhat.com">bburke@redhat.com</a>></blockquote>
<blockquote class="quoted-plain-text" type="cite">Cc:
"Stian Thorgersen" <<a moz-do-not-send="true"
href="mailto:stian@redhat.com"
data-mce-href="mailto:stian@redhat.com">stian@redhat.com</a>>,
<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
data-mce-href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a></blockquote>
<blockquote class="quoted-plain-text" type="cite">Sent:
Friday, 24 July, 2015 9:49:45 AM</blockquote>
<blockquote class="quoted-plain-text" type="cite">Subject:
Re: [keycloak-user] LDAP with Kerberos, login with
different user</blockquote>
<blockquote class="quoted-plain-text" type="cite"><br>
</blockquote>
<blockquote class="quoted-plain-text" type="cite">Support
for prompt=select_account will be cool. Another
suggestion for</blockquote>
<blockquote class="quoted-plain-text" type="cite">adding
a query parameter to skip some mechanisms (like</blockquote>
<blockquote class="quoted-plain-text" type="cite">skipAuthMechanism=cookie,kerberos)
might be good too.</blockquote>
<span class="body-text-content"><span
class="body-text-content"><br>
That'll only make sense if we also add support to
allow multiple accounts, which could be fairly easy on
the server-side, but much harder to support in
adapters.<br>
<br>
</span></span>
<blockquote class="quoted-plain-text" type="cite"><br>
</blockquote>
<blockquote class="quoted-plain-text" type="cite">Not sure
if we need to support both, but IMO it will be good to
have</blockquote>
<blockquote class="quoted-plain-text" type="cite">a solution
not tightly coupled to Kerberos. I can imagine a similar</blockquote>
<blockquote class="quoted-plain-text" type="cite">situation
with other login mechanisms as well. For example, with</blockquote>
<blockquote class="quoted-plain-text" type="cite">authenticating
users by certificate, an admin may also want to skip</blockquote>
<blockquote class="quoted-plain-text" type="cite">automatic
login with the certificate from his browser and instead
log in</blockquote>
<blockquote class="quoted-plain-text" type="cite">with
the username/password form.</blockquote>
<blockquote class="quoted-plain-text" type="cite"><br>
</blockquote>
<blockquote class="quoted-plain-text" type="cite">Marek</blockquote>
<blockquote class="quoted-plain-text" type="cite"><br>
</blockquote>
<blockquote class="quoted-plain-text" type="cite">On
23.7.2015 17:43, Raghu Prabhala wrote:</blockquote>
<blockquote class="quoted-plain-text" type="cite">> The
select account prompt wouldn't work for us as some of
our applications</blockquote>
<blockquote class="quoted-plain-text" type="cite">>
require that the user login only by entering userid/pw
but your other</blockquote>
<blockquote class="quoted-plain-text" type="cite">>
suggestion might work as long as we do the Kerberos
authentication using</blockquote>
<blockquote class="quoted-plain-text" type="cite">>
id/pw</blockquote>
<blockquote class="quoted-plain-text" type="cite">></blockquote>
<blockquote class="quoted-plain-text" type="cite">>
Sent from my iPhone</blockquote>
<blockquote class="quoted-plain-text" type="cite">></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>
On Jul 23, 2015, at 11:28 AM, Bill Burke <<a
moz-do-not-send="true" href="mailto:bburke@redhat.com"
data-mce-href="mailto:bburke@redhat.com">bburke@redhat.com</a>>
wrote:</blockquote>
<blockquote class="quoted-plain-text" type="cite">>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>
All this interaction is defined by the SAML and OIDC
specifications.</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>
Logout redirects you back to the application and it's up
to the</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>
application what to do next. We could add a query param
that if it is</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>
set, to not do kerberos. This could be in addition to
the "login</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>
automatically" flag.</blockquote>
<blockquote class="quoted-plain-text" type="cite">>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>
On 7/23/2015 11:14 AM, Raghu Prabhala wrote:</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>
Why can't we have two separate authentication mechanisms
- one IWA, in</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>
which case the user is logged in automatically and on
logout he is taken</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>
to a login page where a different userid can be entered and
two, a login page</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>
that allows userid/password? That would address our use
case.</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>
Sent from my iPhone</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>
On Jul 23, 2015, at 10:50 AM, Marek Posolda <<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
data-mce-href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>>
wrote:</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>
Maybe it can be configurable for the kerberos mechanism?
Just the flag</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>
"login automatically" . If it's off, another
confirmation screen for the</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>
user will be displayed?</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>
Marek</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>
On 23.7.2015 16:36, Stian Thorgersen wrote:</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>
"Is this you?"</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>
----- Original Message -----</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>
From: "Bill Burke" <<a moz-do-not-send="true"
href="mailto:bburke@redhat.com"
data-mce-href="mailto:bburke@redhat.com">bburke@redhat.com</a>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>
To: <a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
data-mce-href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>
Sent: Thursday, 23 July, 2015 4:02:53 PM</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>
Subject: Re: [keycloak-user] LDAP with Kerberos, login
with different</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>
user</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>
With the new flows, we could detect a kerberos login
then ask if they</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>
want to login as that user or another.</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>
On 7/23/2015 2:26 AM, Marek Posolda wrote:</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>
Do you want that for normal users or just for admin
users? Just</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>
trying</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>
to understand the use case. Because AFAIK the point of
Kerberos is</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>
that</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>
you log into the desktop and then you're automatically
logged into</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>
integrated web applications without the need to deal with
any login</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>
screens</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>
and username/password. When a user has just one Keycloak
account</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>
corresponding to his Kerberos ticket, then why does he need
to log in as</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>
a different user?</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>
I can understand the use case for an admin, when you want to
log in as</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>
a different user for testing purposes etc. For this, isn't
it possible</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>
in</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>
Windows to do something like "kdestroy" to be able to
log in without</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>
Kerberos?</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>
Marek</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>
On 23.7.2015 07:44, Michael Gerber wrote:</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>
Isn't it possible to create a cookie or add a URL
parameter after</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>
the</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>
logout, so the user is not logged in automatically?</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>
It's crucial for us to be able to log in as a different
user,</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>
otherwise we cannot use Kerberos at all :(</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>
Michael</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>
On 22 July 2015 at 23:06, Marek Posolda</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>
<<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
data-mce-href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>> wrote:</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>
I don't think it's doable. Kerberos is a kind of desktop
login, and</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>
logout from the web application won't destroy the
Kerberos ticket,</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>
just as it can't log out your laptop/desktop
session. So when</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>
you visit the secured application next time, you are
automatically</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>
logged into Keycloak through SPNEGO due to the Kerberos
ticket.</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>
Hence you need to remove the Kerberos ticket manually (for
example,</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>
"kdestroy" works on Linux, but I guess you're using
Windows +</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>
ActiveDirectory?) and then you will be able to see the
Keycloak login</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>
screen and log in as a different user.</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>
Marek</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>>
On 22.7.2015 15:38, Michael Gerber wrote:</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>>
Hi all,</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>>
I use LDAP with Kerberos and would like to log out and
log in again</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>>
with a different user (no Kerberos login, just the Keycloak
username</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>>
and</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>>
password dialog).</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>>
Is that possible?</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>>
cheers</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>>
Michael</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>>
_______________________________________________</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>>
keycloak-user mailing list</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>>
<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
data-mce-href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>>>>>
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
data-mce-href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>
--</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>
Bill Burke</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>
JBoss, a division of Red Hat</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>>>>>
<a moz-do-not-send="true"
href="http://bill.burkecentral.com"
data-mce-href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></blockquote>
<blockquote class="quoted-plain-text" type="cite">>>
--</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>
Bill Burke</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>
JBoss, a division of Red Hat</blockquote>
<blockquote class="quoted-plain-text" type="cite">>>
<a moz-do-not-send="true"
href="http://bill.burkecentral.com"
data-mce-href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></blockquote>
<blockquote class="quoted-plain-text" type="cite"><br>
</blockquote>
<blockquote class="quoted-plain-text" type="cite"><br>
</blockquote>
<span class="body-text-content"><br>
</span></div>
</div>
</blockquote>
</div>
</blockquote>
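<p>Added illustration, not part of this thread and not Keycloak's own code: a small Python model of the login decision the messages above debate. It assumes a hypothetical session-cookie name KEYCLOAK_SESSION, a constructed session table, and a stand-in for SPNEGO token validation (spnego_principal, which only parses a fake 'Negotiate tok:user@REALM' header; real GSS-API validation takes the principal from a ticket checked against the service keytab). The three proposals from the thread sit side by side: Marek's per-mechanism "login automatically" flag, the suggested skipAuthMechanism query parameter, and the OIDC prompt=select_account request parameter. The case that opened the thread, a request arriving after web logout while the browser still holds the Kerberos ticket, is what after_logout_scenarios() exercises.</p>

```python
"""Hypothetical model of the login decision debated in the thread; not Keycloak code.

A browser request may carry an ambient Kerberos credential (the
'Authorization: Negotiate ...' header produced by SPNEGO), an SSO cookie,
or neither. The flow decides between four outcomes:
  auto_login  use the ambient identity silently
  confirm     show an "Is this you?" screen for the detected identity
  challenge   answer 401 with WWW-Authenticate: Negotiate (login form as body)
  form        show the username/password form only
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class KerberosConfig:
    enabled: bool = True
    login_automatically: bool = True  # the per-mechanism flag Marek proposed


@dataclass
class Request:
    url: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Decision:
    action: str                      # auto_login | confirm | challenge | form
    principal: Optional[str] = None  # identity the ambient credential proves


# Constructed session table (cookie value to username); cookie name assumed.
SESSION_COOKIE = "KEYCLOAK_SESSION"
SESSIONS = {"sess-abc": "alice"}


def spnego_principal(headers: dict) -> Optional[str]:
    """Stand-in for GSS-API token validation (constructed, not real SPNEGO).

    Accepts only 'Negotiate tok:user@REALM' and returns user@REALM. A real
    validator checks the Kerberos ticket against the service keytab and
    takes the principal from the ticket, never from client-supplied text.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Negotiate" or not token.startswith("tok:"):
        return None
    return token[len("tok:"):]


def decide(req: Request, cfg: KerberosConfig) -> Decision:
    query = parse_qs(urlsplit(req.url).query)
    # OIDC prompt=select_account: never reuse an ambient identity silently.
    suppress_ambient = query.get("prompt", [""])[0] == "select_account"
    # Proposed skipAuthMechanism=cookie,kerberos: mechanisms to bypass this time.
    skipped = set(query.get("skipAuthMechanism", [""])[0].split(",")) - {""}

    # 1. Existing SSO session cookie.
    user = SESSIONS.get(req.cookies.get(SESSION_COOKIE, ""))
    if user is not None and "cookie" not in skipped:
        return Decision("confirm" if suppress_ambient else "auto_login", user)

    # 2. Kerberos ticket via SPNEGO. Web logout never destroys the ticket,
    #    so without a skip this branch re-authenticates the same desktop user.
    if cfg.enabled and "kerberos" not in skipped:
        if "Authorization" not in req.headers:
            # Browser has not offered a ticket yet: challenge it. The 401
            # carries the login form, so a browser without a ticket shows that.
            return Decision("challenge")
        principal = spnego_principal(req.headers)
        if principal is not None:
            if cfg.login_automatically and not suppress_ambient:
                return Decision("auto_login", principal)
            return Decision("confirm", principal)
        # Header present but not a valid ticket: fall through to the form.

    # 3. Plain username/password form, the path the thread wants reachable.
    return Decision("form")


def after_logout_scenarios() -> dict:
    """The situation that opened the thread: the browser still holds the
    Kerberos ticket after web logout. Returns the action per option."""
    ticket = {"Authorization": "Negotiate tok:alice@EXAMPLE.COM"}
    base = "https://sso.example.test/auth?client_id=app"
    return {
        "default": decide(Request(base, ticket), KerberosConfig()).action,
        "login_automatically_off": decide(
            Request(base, ticket), KerberosConfig(login_automatically=False)).action,
        "skip_kerberos": decide(
            Request(base + "&skipAuthMechanism=kerberos", ticket), KerberosConfig()).action,
        "select_account": decide(
            Request(base + "&prompt=select_account", ticket), KerberosConfig()).action,
    }


if __name__ == "__main__":
    for option, action in after_logout_scenarios().items():
        print(f"{option:24s} {action}")
```

<p>With the default configuration the post-logout request is logged in again as alice@EXAMPLE.COM, which is the behaviour Michael reported. Each of the other three options reaches a screen where a different account can be chosen; none of them makes the ambient ticket go away, which is why Marek's kdestroy remark and Stian's point about multiple accounts still apply. In every branch the ticket is still validated before its principal is shown; the flags only decide whether a validated identity is consumed silently.</p>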
<br>
</body>
</html>