I see your concerns. ATM there is nothing available OOTB, but the OIDC
specification has some support for authentication levels, which we plan
to add. Then you will be able to define in your application if you want
"normal" level login (which can use Kerberos) or "admin" level login
(which won't use Kerberos).
Until then, you will need to subclass SpnegoAuthenticator and do
something on your own.
Marek
On 14/03/17 13:52, Glenn Campbell wrote:
Is there some mechanism similar to kc_idp_hint=login that will let me skip
authentication via Kerberos ticket and let me log in via the Keycloak login
page?
My situation is that I have admin user accounts in my application but users
don't log in to Windows with these accounts. So UserA logs in to Windows
with his UserA account but sometimes needs to log in to my application as
AdminX.
I see that I can use impersonation from the Keycloak admin console to
impersonate AdminX and then open a browser tab and go to my application and
I'll be logged in to my application as AdminX. But this strategy is a
little inconvenient for users to use on a daily basis. Not horrible by any
means but I'm sure I'll get some complaints. More importantly these users
are admins in my application but they are not Keycloak admins and I'd
rather not have them mucking around in the Keycloak admin console.