Sorry for late reply.
On 10/1/2015 3:13 AM, Stian Thorgersen wrote:
* If a user that was logged in using Kerberos logs out the user should
not just be automatically logged-in again for the current browser
session. Instead the user should be displayed with a regular
username/password field, but also with an option to login with Kerberos
Don't like this idea.
#1 Users that want to bypass kerberos have to know to logout first so
they can login as a non-kerberos user.
#2 username/password screen would have to have knowledge that kerberos
is turned on and that the user was logged in via kerberos. I don't
think this is possible with the current SPI.
* A variant on the above where if a user has logged-out from Kerberos
the user would be displayed with a "Is this you?" when login, if the
user selects yes the Kerberos authenticator would continue, if not the
regular username/password form would be displayed
This one might be easy to do with current SPI although not sure if
kerberos plugin sets some session variables that need to be cleared.
* Implement account switcher - where a user can login to multiple
accounts at a time and select which account to use
Not sure how this is different than "Is this you?".
Other ideas? Points for ideas that require no hacks in applications ;)
idp_hint is a much different animal, isn't it? idp_hint is provided by
the application. skip_auth_mechanism would be something the user has to
know about to type in the URL right?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com