Why can't we have two separate authentication mechanisms - one IWA, in which case the
user is logged in automatically and on logout he is taken to a login page where a different
userid can be entered and two, a login page that allows userid/password? That would
address our use case.
On Jul 23, 2015, at 10:50 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
Maybe it can be configurable for the kerberos mechanism? Just the flag
"login automatically". If it's off, another confirmation screen for the
user will be displayed?
Marek
> On 23.7.2015 16:36, Stian Thorgersen wrote:
> "Is this you?"
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-user(a)lists.jboss.org
>> Sent: Thursday, 23 July, 2015 4:02:53 PM
>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
>>
>> With the new flows, we could detect a kerberos login then ask if they
>> want to login as that user or another.
>>
>>> On 7/23/2015 2:26 AM, Marek Posolda wrote:
>>> Do you want that for normal users or just for admin users? Just trying
>>> to understand the use case. Because AFAIK the point of Kerberos is that
>>> you log in to the desktop and then you're automatically logged in to
>>> integrated web applications without needing to deal with any login screens
>>> and username/password. When a user has just one Keycloak account
>>> corresponding to his Kerberos ticket, then why does he need to log in as
>>> a different user?
>>>
>>> I can understand the use case for an admin, when you want to log in as a
>>> different user for testing purposes etc. For this, isn't it possible in
>>> Windows to do something like "kdestroy" to be able to log in without
>>> Kerberos?
>>>
>>> Marek
>>>
>>>> On 23.7.2015 07:44, Michael Gerber wrote:
>>>> Isn't it possible to create a cookie or add a URL parameter after the
>>>> logout, so the user is not logged in automatically?
>>>>
>>>> It's crucial for us to be able to log in as a different user,
>>>> otherwise we cannot use Kerberos at all :(
>>>>
>>>> Michael
>>>>
>>>>> On 22 July 2015 at 23:06, Marek Posolda <mposolda(a)redhat.com> wrote:
>>>>>
>>>>> I don't think it's doable. Kerberos is kind of a desktop login, and
>>>>> logout from the web application won't destroy the Kerberos ticket -
>>>>> similarly to how it can't log out your laptop/desktop session. So when
>>>>> you visit the secured application next time, you are automatically
>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket.
>>>>>
>>>>> Hence you need to remove the Kerberos ticket manually (for example,
>>>>> "kdestroy" works on Linux, but I guess you're using Windows +
>>>>> ActiveDirectory?) and then you will be able to see the Keycloak login
>>>>> screen and log in as a different user.
>>>>>
>>>>> Marek
>>>>>
>>>>>> On 22.7.2015 15:38, Michael Gerber wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I use LDAP with Kerberos and would like to log out and log in again
>>>>>> with a different user (no Kerberos login, just Keycloak username and
>>>>>> password dialog).
>>>>>> Is that possible?
>>>>>>
>>>>>> cheers
>>>>>> Michael
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com