The select account prompt wouldn't work for us as some of our applications require
that the user login only by entering userid/pw but your other suggestion might work as
long as we do the Kerberos authentication using Id/pw
Sent from my iPhone
On Jul 23, 2015, at 11:28 AM, Bill Burke <bburke(a)redhat.com> wrote:
All this interaction is defined by the SAML and OIDC specifications. Logout redirects you
back to the application and it's up to the application what to do next. We could add a
query param that if it is set, to not do kerberos. This could be in addition to the
"login automatically" flag.
> On 7/23/2015 11:14 AM, Raghu Prabhala wrote:
> Why can't we have two separate authentication mechanisms - one IWA, in which case
> the user is logged in automatically and on logout he is taken to a login page where a diff
> userid can be entered and two, a login page that allows userid/password? That would
> address our use case.
>
>
>
> Sent from my iPhone
>
>> On Jul 23, 2015, at 10:50 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
>>
>> Maybe it can be configurable for the kerberos mechanism? Just the flag
>> "login automatically". If it's off, another confirmation screen for the
>> user will be displayed?
>>
>> Marek
>>
>>> On 23.7.2015 16:36, Stian Thorgersen wrote:
>>> "Is this you?"
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: keycloak-user(a)lists.jboss.org
>>>> Sent: Thursday, 23 July, 2015 4:02:53 PM
>>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
>>>>
>>>> With the new flows, we could detect a kerberos login then ask if they
>>>> want to login as that user or another.
>>>>
>>>>> On 7/23/2015 2:26 AM, Marek Posolda wrote:
>>>>> Do you want that for normal users or just for admin users? Just trying
>>>>> to understand the usecase. Because AFAIK the point of kerberos is, that
>>>>> you login into the desktop and then you're automatically logged into
>>>>> integrated web applications without need to deal with any login screens
>>>>> and username/password. When user has just one keycloak account
>>>>> corresponding to his kerberos ticket, then why does he need to login as
>>>>> different user?
>>>>>
>>>>> I can understand the usecase for admin, when you want to login as
>>>>> different user for testing purpose etc. For this, isn't it possible in
>>>>> windows to do something like "kdestroy" to be able to login without
>>>>> kerberos?
>>>>>
>>>>> Marek
>>>>>
>>>>>> On 23.7.2015 07:44, Michael Gerber wrote:
>>>>>> Isn't it possible to create a cookie or add an url parameter after the
>>>>>> logout, so the user is not logged in automatically?
>>>>>>
>>>>>> It's crucial for us to be able to log in as a different user,
>>>>>> otherwise we can not use kerberos at all :(
>>>>>>
>>>>>> Michael
>>>>>>
>>>>>>> On 22 July 2015 at 23:06, Marek Posolda <mposolda(a)redhat.com> wrote:
>>>>>>>
>>>>>>> I don't think it's doable. Kerberos is kind of desktop login and
>>>>>>> logout from the web application won't destroy the kerberos ticket -
>>>>>>> similarly like it can't logout your laptop/desktop session. So when
>>>>>>> you visit the secured application next time, you are automatically
>>>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket.
>>>>>>>
>>>>>>> Hence you need to remove kerberos ticket manually (For example
>>>>>>> "kdestroy" works on Linux, but I guess you're using Windows +
>>>>>>> ActiveDirectory?) and then you will be able to see keycloak login
>>>>>>> screen and login as different user.
>>>>>>>
>>>>>>> Marek
>>>>>>>
>>>>>>>> On 22.7.2015 15:38, Michael Gerber wrote:
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I use LDAP with Kerberos and would like to logout and login again
>>>>>>>> with a different user (no kerberos login, just keycloak username and
>>>>>>>> password dialog).
>>>>>>>> Is that possible?
>>>>>>>>
>>>>>>>> cheers
>>>>>>>> Michael
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
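
The options raised in this thread (a skip-Kerberos query parameter or post-logout cookie, and a "login automatically" flag with a confirmation screen) all come down to whether the server sends the SPNEGO challenge and what it does with the answer. The sketch below is an added example, not part of the original thread and not Keycloak code; the parameter, cookie and flag names are hypothetical and the token is a constructed stand-in for a real ticket.

```python
# Added illustration, not Keycloak code. The query parameter, cookie name,
# flag name and token value are hypothetical / constructed.
from dataclasses import dataclass, field

SKIP_PARAM = "skip_kerberos"      # hypothetical query parameter
SKIP_COOKIE = "SKIP_SPNEGO"       # hypothetical cookie set at logout

@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    headers: dict
    body: str

def accept_spnego_token(token):
    """Stand-in for GSS-API ticket validation; knows one constructed token."""
    return {"constructed-ticket-alice": "alice@EXAMPLE.ORG"}.get(token)

def login_step(req, login_automatically=True):
    # Opt-out: the server never sends the Negotiate challenge, so the browser
    # never offers the desktop ticket and the user sees the password form.
    if req.query.get(SKIP_PARAM) == "1" or req.cookies.get(SKIP_COOKIE) == "1":
        return Response(200, {}, "password-form")
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Negotiate "):
        # First visit: challenge. A browser holding a ticket answers silently;
        # one without a ticket renders the form carried in the body.
        return Response(401, {"WWW-Authenticate": "Negotiate"}, "password-form")
    principal = accept_spnego_token(auth[len("Negotiate "):])
    if principal is None:
        return Response(200, {}, "password-form")
    if login_automatically:
        return Response(302, {"Location": "/app"}, "session:" + principal)
    # Flag off: ask "Is this you?" before creating the session.
    return Response(200, {}, "confirm:" + principal)

def logout_step():
    # Logout cannot destroy the ticket; it can only tell the next login_step
    # not to ask for it.
    cookie = SKIP_COOKIE + "=1; Path=/; Secure; HttpOnly"
    return Response(302, {"Location": "/app", "Set-Cookie": cookie}, "")
```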