Yes, feel free to create JIRA with the link to this discussion.

Marek
On 28.7.2015 08:03, Michael Gerber wrote:
Should I create a Jira issue for that task?
Or will you anyway implement something in this direction?
----- Original Message -----
From: "Marek Posolda" <mposolda@redhat.com>
To: "Raghu Prabhala" <prabhalar@yahoo.com>, "Bill Burke" <bburke@redhat.com>
Cc: "Stian Thorgersen" <stian@redhat.com>, keycloak-user@lists.jboss.org
Sent: Friday, 24 July, 2015 9:49:45 AM
Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
Support for prompt=select_account will be cool. Another suggestion, adding a query parameter to skip some mechanisms (like skipAuthMechanism=cookie,kerberos), might be good too.
That'll only make sense if we also add support to allow multiple accounts, which could be fairly easy on the server-side, but much harder to support in adapters.
Not sure if we need to support both, but IMO it will be good to have a solution not tightly coupled to Kerberos. I can imagine a similar situation with other login mechanisms as well. For example, when authenticating users by certificate, an admin may also want to skip automatic login with the certificate from his browser and instead log in with the username/password form.

Marek
On 23.7.2015 17:43, Raghu Prabhala wrote:
> The select account prompt wouldn't work for us as some of our applications require that the user login only by entering userid/pw, but your other suggestion might work as long as we do the Kerberos authentication using id/pw.
>
> Sent from my iPhone
>
>> On Jul 23, 2015, at 11:28 AM, Bill Burke <bburke@redhat.com> wrote:
>>
>> All this interaction is defined by the SAML and OIDC specifications. Logout redirects you back to the application and it's up to the application what to do next. We could add a query param that, if it is set, tells Keycloak to not do kerberos. This could be in addition to the "login automatically" flag.
>>
>>> On 7/23/2015 11:14 AM, Raghu Prabhala wrote:
>>> Why can't we have two separate authentication mechanisms - one IWA, in which case the user is logged in automatically and on logout he is taken to a login page where a diff userid can be entered, and two, a login page that allows userid/password? That would address our use case.
>>>
>>> Sent from my iPhone
>>>
>>>> On Jul 23, 2015, at 10:50 AM, Marek Posolda <mposolda@redhat.com> wrote:
>>>>
>>>> Maybe it can be configurable for the kerberos mechanism? Just the flag "login automatically". If it's off, another confirmation screen for the user will be displayed?
>>>>
>>>> Marek
>>>>
>>>>> On 23.7.2015 16:36, Stian Thorgersen wrote:
>>>>> "Is this you?"
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke" <bburke@redhat.com>
>>>>>> To: keycloak-user@lists.jboss.org
>>>>>> Sent: Thursday, 23 July, 2015 4:02:53 PM
>>>>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
>>>>>>
>>>>>> With the new flows, we could detect a kerberos login then ask if they want to login as that user or another.
>>>>>>
>>>>>>> On 7/23/2015 2:26 AM, Marek Posolda wrote:
>>>>>>> Do you want that for normal users or just for admin users? Just trying to understand the usecase. Because AFAIK the point of kerberos is that you login into the desktop and then you're automatically logged into integrated web applications without need to deal with any login screens and username/password. When a user has just one keycloak account corresponding to his kerberos ticket, then why does he need to login as a different user?
>>>>>>>
>>>>>>> I can understand the usecase for admin, when you want to login as a different user for testing purposes etc. For this, isn't it possible in windows to do something like "kdestroy" to be able to login without kerberos?
>>>>>>>
>>>>>>> Marek
>>>>>>>
>>>>>>>> On 23.7.2015 07:44, Michael Gerber wrote:
>>>>>>>> Isn't it possible to create a cookie or add a URL parameter after the logout, so the user is not logged in automatically?
>>>>>>>>
>>>>>>>> It's crucial for us to be able to log in as a different user, otherwise we cannot use kerberos at all :(
>>>>>>>>
>>>>>>>> Michael
>>>>>>>>
>>>>>>>>> On 22 July 2015 at 23:06, Marek Posolda <mposolda@redhat.com> wrote:
>>>>>>>>>
>>>>>>>>> I don't think it's doable. Kerberos is kind of a desktop login and logout from the web application won't destroy the kerberos ticket - similarly, it can't logout your laptop/desktop session. So when you visit the secured application next time, you are automatically logged into Keycloak through SPNEGO due to the Kerberos ticket.
>>>>>>>>>
>>>>>>>>> Hence you need to remove the kerberos ticket manually (for example "kdestroy" works on Linux, but I guess you're using Windows + ActiveDirectory?) and then you will be able to see the keycloak login screen and login as a different user.
>>>>>>>>>
>>>>>>>>> Marek
>>>>>>>>>
>>>>>>>>>> On 22.7.2015 15:38, Michael Gerber wrote:
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> I use LDAP with Kerberos and would like to logout and login again with a different user (no kerberos login, just keycloak username and password dialog).
>>>>>>>>>> Is that possible?
>>>>>>>>>>
>>>>>>>>>> cheers
>>>>>>>>>> Michael
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>> keycloak-user@lists.jboss.org
>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
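To make the two proposals in this thread concrete, here is an added example in Python (not Keycloak code and not from anyone on the list): it builds an OIDC authorization request carrying the standard prompt parameter plus the hypothetical skipAuthMechanism parameter Marek suggests, then decides which mechanisms a server should attempt so that select_account, or an explicit skip, never falls through to a silent SPNEGO login. The mechanism names, their order and the parameter semantics are assumptions for the illustration.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed order for this illustration: automatic mechanisms (no user
# interaction) run first, the username/password form runs last.
AUTOMATIC = ("cookie", "kerberos")
INTERACTIVE = ("username-password",)
VALID_PROMPTS = {"none", "login", "consent", "select_account"}  # OIDC Core 3.1.2.1


def build_auth_url(base, client_id, redirect_uri, prompt=(), skip=()):
    """Build an OIDC authorization request. 'prompt' is the standard
    space-separated parameter; 'skipAuthMechanism' is the hypothetical
    comma-separated parameter proposed in the thread (not a Keycloak one)."""
    params = {"client_id": client_id, "response_type": "code",
              "scope": "openid", "redirect_uri": redirect_uri}
    if prompt:
        params["prompt"] = " ".join(prompt)
    if skip:
        params["skipAuthMechanism"] = ",".join(skip)
    return f"{base}?{urlencode(params)}"


def plan_mechanisms(auth_url):
    """Return the ordered mechanisms the server should attempt for this request.
    - prompt=select_account / prompt=login: the user must pick or re-enter an
      account, so every automatic mechanism is skipped (no silent SPNEGO login).
    - skipAuthMechanism=a,b: those mechanisms are skipped as well.
    - prompt=none: no UI may be shown, so only automatic mechanisms stay; an
      empty plan means the server must answer with error=login_required."""
    qs = parse_qs(urlparse(auth_url).query)
    prompt = set(qs.get("prompt", [""])[0].split())
    unknown = prompt - VALID_PROMPTS
    if unknown:
        raise ValueError(f"unknown prompt value(s): {sorted(unknown)}")
    if "none" in prompt and len(prompt) > 1:
        raise ValueError("prompt=none must not be combined with other values")
    skip = {m for m in qs.get("skipAuthMechanism", [""])[0].split(",") if m}
    if prompt & {"select_account", "login"}:
        skip.update(AUTOMATIC)
    plan = [m for m in AUTOMATIC + INTERACTIVE if m not in skip]
    if "none" in prompt:
        plan = [m for m in plan if m in AUTOMATIC]
    return plan
```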