Maybe we can have a special request parameter, which will be sent from the application to the login screen. The parameter will contain a list of authentication mechanisms which you want to skip for this login. Something like "skipAuthType=cookie,kerberos". The list of skipped alternative mechanisms will be saved in ClientSession, so the authentication SPI can deal with it.
Not sure if it makes sense to add support into the adapter, but maybe something basic (like we have for parameters "login_hint" or "kc_idp_hint" in keycloak.js) can be added as well?
Marek
On 23.7.2015 08:26, Marek Posolda wrote:
Do you want that for normal users or just for admin users? Just trying to understand the use case. Because AFAIK the point of Kerberos is that you log in to the desktop and then you're automatically logged into integrated web applications without needing to deal with any login screens and username/password. When a user has just one Keycloak account corresponding to his Kerberos ticket, then why does he need to log in as a different user?
I can understand the use case for admin, when you want to log in as a different user for testing purposes etc. For this, isn't it possible in Windows to do something like "kdestroy" to be able to log in without Kerberos?
Marek
On 23.7.2015 07:44, Michael Gerber wrote:
Isn't it possible to create a cookie or add a URL parameter after the logout, so the user is not logged in automatically?
It's crucial for us to be able to log in as a different user, otherwise we cannot use Kerberos at all :(
Michael
I don't think it's doable. Kerberos is a kind of desktop login, and logout from the web application won't destroy the Kerberos ticket - similarly, it can't log out your laptop/desktop session. So when you visit the secured application next time, you are automatically logged into Keycloak through SPNEGO due to the Kerberos ticket.
Hence you need to remove the Kerberos ticket manually (for example "kdestroy" works on Linux, but I guess you're using Windows + ActiveDirectory?) and then you will be able to see the Keycloak login screen and log in as a different user.
Marek
On 22.7.2015 15:38, Michael Gerber wrote:
Hi all,
I use LDAP with Kerberos and would like to log out and log in again with a different user (no Kerberos login, just the Keycloak username and password dialog).
Is that possible?
cheers
Michael
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user