Re: [keycloak-user] LDAP with Kerberos, login with different user

Why can't we have two separate authentication mechanisms - one IWA, in which case the user is logged in automatically and on logout he is taken to a login page where a diff userid can be entered and two, a login page that allows userid/password? That would address our use case. Sent from my iPhone > On Jul 23, 2015, at 10:50 AM, Marek Posolda <mposolda(a)redhat.com&gt; wrote: > > Maybe it can be configurable for the kerberos mechanism? Just the flag > "login automatically" . If it's off, another confirmation screen for the > user will be displayed? > > Marek > >> On 23.7.2015 16:36, Stian Thorgersen wrote: >> "Is this you?" >> >> ----- Original Message ----- >>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>> To: keycloak-user(a)lists.jboss.org >>> Sent: Thursday, 23 July, 2015 4:02:53 PM >>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user >>> >>> With the new flows, we could detect a kerberos login then ask if they >>> want to login as that user or another. >>> >>>> On 7/23/2015 2:26 AM, Marek Posolda wrote: >>>> Do you want that for normal users or just for admin users? Just trying >>>> to understand the usecase. Because AFAIK the point of kerberos is, that >>>> you login into the desktop and then you're automatically logged into >>>> integrated web applications without need to deal with any login screens >>>> and username/password. When user has just one keycloak account >>>> corresponding to his kerberos ticket, then why he need to login as >>>> different user? >>>> >>>> I can understand the usecase for admin, when you want to login as >>>> different user for testing purpose etc. For this, isn't it possible in >>>> windows to do something like "kdestroy" to be able to login without >>>> kerberos? >>>> >>>> Marek >>>> >>>>> On 23.7.2015 07:44, Michael Gerber wrote: >>>>> Isn't it possible to create a cookie or add an url parameter after the >>>>> logout, so the user is not logged in automatically? >>>>> >>>>> It's crucial for us to be able to log in as a different user, >>>>> otherwise we can not use kerberos at all :( >>>>> >>>>> Michael >>>>> >>>>>> Am 22. Juli 2015 um 23:06 schrieb Marek Posolda <mposolda(a)redhat.com&gt;: >>>>>> >>>>>> I don't think it's doable. Kerberos is kind of desktop login and >>>>>> logout from the web application won't destroy the kerberos ticket - >>>>>> similarly like it can't logout your laptop/desktop session. So when >>>>>> you visit the secured application next time, you are automatically >>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket. >>>>>> >>>>>> Hence you need to remove kerberos ticket manually (For example >>>>>> "kdestroy" works on Linux, but I guess you're using Windows + >>>>>> ActiveDirectory? ) and then you will be able to see keycloak login >>>>>> screen and login as different user. >>>>>> >>>>>> Marek >>>>>> >>>>>>> On 22.7.2015 15:38, Michael Gerber wrote: >>>>>>> Hi all, >>>>>>> >>>>>>> I use LDAP with Kerberos and would like to logout and login again >>>>>>> with a different user (no kerberos login, just keycloak username and >>>>>>> password dialog). >>>>>>> Is that possible? >>>>>>> >>>>>>> cheers >>>>>>> Michael >>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user(a)lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user