As I commented in the original thread I don't think this is a good idea. Users that have configured their browser have to set a specific domain to enable Kerberos, as well as be logged in using Kerberos to their desktop. With that in mind 99% of users will want to log in with Kerberos 99% of the time. So requiring an extra step in the flow is not nice.

Let's please return this conversation to the original thread though, rather than start another thread.

On 2 October 2015 at 17:23, Bill Burke <bburke@redhat.com> wrote:
I would like to take the Account Chooser approach to the Kerberos bypass
situation.  The Flow would be:

1. Cookie - ALTERNATIVE
2. Chooser Flow - ALTERNATIVE
    a. Kerberos - OPTIONAL
    b. Account Chooser - ALTERNATIVE
    c. Forms - ALTERNATIVE
       i. Username/Password - REQUIRED
       ii. OTP - OPTIONAL


* An "accounts used" cookie needs to be optionally set depending on the
"remember me" switch. This should be a persistent cookie.
* Account Chooser page is always shown unless the "account used" cookie
is empty and no ClientSessionModel.getAuthenticatedUser is set.
* If selected user == current ClientSessionModel.getAuthenticatedUser
then return SUCCESSFUL
* If selected user != NULL set ClientSessionModel.getAuthenticatedUser,
return ATTEMPTED
* If selected user == NULL clear
ClientSessionModel.getAuthenticatedUser, return ATTEMPTED

* Username/Password Form Authenticator does not display username,
registration, and broker links if getAuthenticatedUser is already set
* An improvement can be made to also perform OTP input on
Username/Password page if a UserModel is already chosen.



--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
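A toy model of the flow sketched in the quoted message, added here as an example; it is not Keycloak code and not from anyone in the thread. The REQUIRED / ALTERNATIVE / OPTIONAL evaluation rules are an assumed simplification of a flow engine (configuration checks, password retries and the OTP step are left out), the Session class stands in for ClientSessionModel plus the HTTP request, the names cookie, kerberos, account_chooser and username_password are illustrative, and every input is constructed. Python is used rather than Java so the model runs stand-alone.

```python
# Toy model of the flow proposed above (added example, not Keycloak's engine;
# requirement semantics, session fields and all inputs are assumptions).
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Callable, Dict, List, Optional, Union

class Req(Enum):
    REQUIRED = auto()
    ALTERNATIVE = auto()
    OPTIONAL = auto()

class Status(Enum):
    SUCCESS = auto()    # authenticator satisfied
    ATTEMPTED = auto()  # ran, proved nothing, let the flow go on
    FAILED = auto()
    CHALLENGE = auto()  # a page must be rendered; stop and wait for the user

@dataclass
class Session:
    """Stand-in for ClientSessionModel plus the request inputs (all constructed)."""
    authenticated_user: Optional[str] = None
    done: Dict[str, Status] = field(default_factory=dict)   # recorded execution results
    pages: List[str] = field(default_factory=list)          # pages rendered so far
    sso_cookie_user: Optional[str] = None                   # user from an existing SSO cookie
    kerberos_user: Optional[str] = None                     # principal from SPNEGO, if any
    accounts_used: List[str] = field(default_factory=list)  # persistent "accounts used" cookie
    chooser_submitted: bool = False
    chosen: Optional[str] = None        # account picked; None means "another account"
    form_username: Optional[str] = None
    password_ok: Optional[bool] = None  # None: login form not submitted yet

def cookie(s: Session) -> Status:
    s.authenticated_user = s.sso_cookie_user or s.authenticated_user
    return Status.SUCCESS if s.sso_cookie_user else Status.ATTEMPTED

def kerberos(s: Session) -> Status:
    s.authenticated_user = s.kerberos_user or s.authenticated_user
    return Status.SUCCESS if s.kerberos_user else Status.ATTEMPTED  # no negotiation: fall through

def account_chooser(s: Session) -> Status:
    if not s.accounts_used and s.authenticated_user is None:
        return Status.ATTEMPTED  # nothing to choose from: the page is not shown
    if not s.chooser_submitted:
        s.pages.append("account-chooser")
        return Status.CHALLENGE
    if s.chosen is not None and s.chosen == s.authenticated_user:
        return Status.SUCCESS
    s.authenticated_user = s.chosen  # set the chosen user, or clear it
    return Status.ATTEMPTED

def username_password(s: Session) -> Status:
    if s.password_ok is None:  # username field hidden once the user is already fixed
        s.pages.append("password-only" if s.authenticated_user else "login")
        return Status.CHALLENGE
    if not s.password_ok:
        return Status.FAILED
    if s.authenticated_user is None:
        s.authenticated_user = s.form_username
    return Status.SUCCESS

@dataclass
class Exec:
    name: str
    req: Req
    body: Union[Callable[[Session], Status], List["Exec"]]  # authenticator or subflow

BROWSER_FLOW = [
    Exec("cookie", Req.ALTERNATIVE, cookie),
    Exec("chooser-flow", Req.ALTERNATIVE, [
        Exec("kerberos", Req.OPTIONAL, kerberos),
        Exec("account-chooser", Req.ALTERNATIVE, account_chooser),
        Exec("forms", Req.ALTERNATIVE, [
            Exec("username-password", Req.REQUIRED, username_password),
        ]),
    ]),
]

def run(flow: List[Exec], s: Session) -> Status:
    """Evaluate a (sub)flow; executions already recorded in s.done are not re-run."""
    saw_alternative = False
    for ex in flow:
        st = s.done.get(ex.name)
        if st is None:
            st = run(ex.body, s) if isinstance(ex.body, list) else ex.body(s)
            if st is not Status.CHALLENGE:
                s.done[ex.name] = st
        if st is Status.CHALLENGE:
            return st
        if ex.req is Req.REQUIRED and st is not Status.SUCCESS:
            return Status.FAILED
        if ex.req is Req.ALTERNATIVE:
            saw_alternative = True
            if st is Status.SUCCESS:
                return Status.SUCCESS
        # OPTIONAL: whatever happened, carry on to the next execution
    return Status.FAILED if saw_alternative else Status.SUCCESS
```

Each call to run() is one request/response round: a CHALLENGE result means a page was rendered, and the caller fills in the submitted fields and calls run() again. The s.done map matters for the chooser's "selected user == current authenticated user, return SUCCESS" rule: after the chooser has set the user and returned ATTEMPTED, the flow resumes from the password challenge without evaluating the chooser again; if it were re-run, the rule would now match and a wrong password would no longer fail the login. With a Kerberos principal and an empty "accounts used" cookie the model renders the chooser page before finishing, which is the extra step the reply at the top of the thread objects to.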