----- Original Message -----

From: "Michael Gerber" <gerbermichi@me.com>

To: "Marek Posolda" <mposolda@redhat.com>

Cc: keycloak-user@lists.jboss.org

Sent: Thursday, 23 July, 2015 2:12:13 PM

Subject: [keycloak-user] Re: LDAP with Kerberos, login with different user

TBH I have not checked out 1.4 yet. But I will have a look at it as soon as

it's out.

It would solve my problem, i f 1.4 offers a way to create impersonated users

and login with username and password even if kerberos is enabled.

1.4 offers a way for an admin to impersonate another user without specifying the users password - this doesn't provide a mechanism to login with username/password

Am 23. Juli 2015 um 13:33 schrieb Marek Posolda <mposolda@redhat.com>:

Ah, Ok. So it's about admin users. Also note that in latest 1.4 version we

will have new "impersonation" feature, which allows admin to temporarily

login on behalf of any other user. Isn't this even better for your usecase?

Marek

On 23.7.2015 08:41, Michael Gerber wrote:

Hi, yes something like that would be great.

Because our application admins are no tech guys, so it would be nice to offer

an easy solution to them ;)

Am 23. Juli 2015 um 08:35 schrieb Marek Posolda <mposolda@redhat.com> :

Maybe we can have special request parameter, which will be send from

application to login screen. The parameter will contain list of

authentication mechanisms, which you want to skip for this login. Something

like "skipAuthType=cookie,kerberos" . The list of skipped alternative

mechanisms will be saved in ClientSession, so authentication SPI can deal

with it.

Not sure if it makes sense to add support into adapter, but maybe something

basic (like we have for parameters "login_hint" or "kc_idp_hint" in

keycloak.js) can be added as well?

Marek

On 23.7.2015 08:26, Marek Posolda wrote:

Do you want that for normal users or just for admin users? Just trying to

understand the usecase. Because AFAIK the point of kerberos is, that you

login into the desktop and then you're automatically logged into integrated

web applications without need to deal with any login screens and

username/password. When user has just one keycloak account corresponding to

his kerberos ticket, then why he need to login as different user?

I can understand the usecase for admin, when you want to login as different

user for testing purpose etc. For this, isn't it possible in windows to do

something like "kdestroy" to be able to login without kerberos?

Marek

On 23.7.2015 07:44, Michael Gerber wrote:

Isn't it possible to create a cookie or add an url parameter after the

logout, so the user is not logged in automatically?

It's crucial for us to be able to log in as a different user, otherwise we

can not use kerberos at all :(

Michael

Am 22. Juli 2015 um 23:06 schrieb Marek Posolda <mposolda@redhat.com> :

I don't think it's doable. Kerberos is kind of desktop login and logout from

the web application won't destroy the kerberos ticket - similarly like it

can't logout your laptop/desktop session. So when you visit the secured

application next time, you are automatically logged into Keycloak through

SPNEGO due to the Kerberos ticket.

Hence you need to remove kerberos ticket manually (For example "kdestroy"

works on Linux, but I guess you're using Windows + ActiveDirectory? ) and

then you will be able to see keycloak login screen and login as different

user.

Marek

On 22.7.2015 15:38, Michael Gerber wrote:

Hi all,

I use LDAP with Kerberos and would like to logout and login again with a

different user (no kerberos login, just keycloak username and password

dialog).

Is that possible?

cheers

Michael

_______________________________________________

keycloak-user mailing list keycloak-user@lists.jboss.org

https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________

keycloak-user mailing list

keycloak-user@lists.jboss.org

https://lists.jboss.org/mailman/listinfo/keycloak-user