Maybe it can be configurable for the Kerberos mechanism? Just the flag
"login automatically". If it's off, another confirmation screen for the
user will be displayed?
Marek
On 23.7.2015 16:36, Stian Thorgersen wrote:
"Is this you?"
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-user(a)lists.jboss.org
> Sent: Thursday, 23 July, 2015 4:02:53 PM
> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
>
> With the new flows, we could detect a Kerberos login then ask if they
> want to log in as that user or another.
>
> On 7/23/2015 2:26 AM, Marek Posolda wrote:
>> Do you want that for normal users or just for admin users? Just trying
>> to understand the use case. Because AFAIK the point of Kerberos is that
>> you log in to the desktop and then you're automatically logged into
>> integrated web applications without needing to deal with any login screens
>> and username/password. When a user has just one Keycloak account
>> corresponding to his Kerberos ticket, then why does he need to log in as
>> a different user?
>>
>> I can understand the use case for admin, when you want to log in as
>> a different user for testing purposes etc. For this, isn't it possible in
>> Windows to do something like "kdestroy" to be able to log in without
>> Kerberos?
>>
>> Marek
>>
>> On 23.7.2015 07:44, Michael Gerber wrote:
>>> Isn't it possible to create a cookie or add a URL parameter after the
>>> logout, so the user is not logged in automatically?
>>>
>>> It's crucial for us to be able to log in as a different user,
>>> otherwise we cannot use Kerberos at all :(
>>>
>>> Michael
>>>
>>> On 22 July 2015 at 23:06, Marek Posolda <mposolda(a)redhat.com> wrote:
>>>
>>>> I don't think it's doable. Kerberos is a kind of desktop login, and
>>>> logout from the web application won't destroy the Kerberos ticket -
>>>> similarly, it can't log out your laptop/desktop session. So when
>>>> you visit the secured application next time, you are automatically
>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket.
>>>>
>>>> Hence you need to remove the Kerberos ticket manually (for example
>>>> "kdestroy" works on Linux, but I guess you're using Windows +
>>>> ActiveDirectory?) and then you will be able to see the Keycloak login
>>>> screen and log in as a different user.
>>>>
>>>> Marek
>>>>
>>>> On 22.7.2015 15:38, Michael Gerber wrote:
>>>>> Hi all,
>>>>>
>>>>> I use LDAP with Kerberos and would like to log out and log in again
>>>>> with a different user (no Kerberos login, just Keycloak username and
>>>>> password dialog).
>>>>> Is that possible?
>>>>>
>>>>> cheers
>>>>> Michael
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com