Hello Pablo,
If you are using a SAML adapter you can set forceAuthentication="true" in
your Service Provider configuration [1]:
"SAML clients can request that a user is re-authenticated even if they are
already logged in at the IdP."
Hope it helps,
Luis
[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#saml-2
On Mon, 29 Oct 2018 at 16:07, Pablo Bravo (<Pablo.Bravo(a)osudio.com>)
wrote:
Hi all,
We are currently implementing Keycloak and we are facing an issue that we
are not sure how best to solve.
We have different webapps making use of the SSO and that's working fine.
The problem we have is when we log in using the SSO in one webapp and
then we do the same in a different webapp.
Initially this second webapp does not know which user is coming (and it's
not necessary to be logged in to make use of it). When clicking on "login",
it automatically logs in the user (by making a redirection to Keycloak and
automatically logging in the user already logged in to the other webapp). This
second login happens "transparently" to the user, since the redirection
to Keycloak is very fast and it's not noticeable. This behaviour is not
very user friendly.
The question is: Taking into account that this second webapp can't know
upfront which user is accessing the site (unless actively redirecting to
Keycloak), is it possible to always force users to log in for a
specific Keycloak client? By this I mean actually ask the visitor for
user/pw even if Keycloak already knows them from other Keycloak clients.
What's the best practice for this use case?
Thanks in advance!
Pablo
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
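
One way to confirm the setting from the reply takes effect, as an added example that is not part of the original thread or of Keycloak's code: `forceAuthentication="true"` on the SP shows up as `ForceAuthn="true"` on the SAML 2.0 AuthnRequest, so the code decodes a request and checks that attribute, and goes one step further by checking `AuthnInstant` on the returned assertion for freshness. Assumptions: the request travels over the HTTP-Redirect binding, and the sample XML, IdP URL, timestamps and five-minute window are constructed for illustration.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def decode_redirect_request(url):
    """Decode SAMLRequest from an HTTP-Redirect binding URL (base64 + raw DEFLATE)."""
    raw = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    # Diagnostic use on your own traffic; use defusedxml for untrusted XML.
    return ET.fromstring(zlib.decompress(base64.b64decode(raw), -15))

def requests_force_authn(authn_request):
    """True if the AuthnRequest asks the IdP to re-authenticate the user."""
    return authn_request.get("ForceAuthn", "false") in ("true", "1")

def authn_is_fresh(assertion, now, max_age=timedelta(minutes=5)):
    """True if AuthnInstant lies within max_age before now.
    Only meaningful after the assertion's signature has been verified."""
    stmt = assertion.find(f".//{{{SAML_NS}}}AuthnStatement")
    if stmt is None or not stmt.get("AuthnInstant"):
        return False
    instant = datetime.fromisoformat(stmt.get("AuthnInstant").replace("Z", "+00:00"))
    return timedelta(0) <= now - instant <= max_age

# --- Constructed sample data (not captured from a real deployment) ---
def encode_redirect(xml, idp_url="https://idp.example.test/saml"):
    deflated = zlib.compress(xml.encode())[2:-4]  # strip zlib header and checksum
    return idp_url + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2018-10-29T15:07:00Z" ForceAuthn="true"/>'
)
SAMPLE_ASSERTION = ET.fromstring(
    f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AuthnStatement '
    'AuthnInstant="2018-10-29T13:02:11.512Z"/></saml:Assertion>'
)
NOW = datetime(2018, 10, 29, 15, 7, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    req = decode_redirect_request(encode_redirect(SAMPLE_REQUEST))
    print("ForceAuthn requested:", requests_force_authn(req))
    # Two-hour-old AuthnInstant: the login came from an existing SSO session.
    print("Authentication fresh:", authn_is_fresh(SAMPLE_ASSERTION, NOW))
```
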