On 15/03/17 20:44, Glenn Campbell wrote:
> Thank you for the info. I'm looking forward to the release that has
> the authentication levels. It sounds like it might be helpful for one
> of my other needs. In my app I have a "super sensitive" section where
> the user is required to re-authenticate every time they access it.

Yes, that's another kind of use-case for it.

> In the meantime I may look into setting up identity brokering to ADFS
> and have the Kerberos authentication happen there instead of directly
> in Keycloak. I haven't yet thought through all of the ramifications
> but at least I should have the ability to use kc_idp_hint=login to get
> a Keycloak login page where I can log in as my admin user.
Yep. You can also use another Keycloak instance (or just a different realm)
and broker with it. Brokering Keycloak against Keycloak works fine.

Btw. I would personally rather go with subclassing SpnegoAuthenticator,
but it all depends on your Authentication SPI knowledge, preferences,
deployment requirements etc... For example you can attach the parameter
"scope=admin_login" when you invoke the secured URL of your application.
Keycloak will then re-send the scope parameter and in the authenticator
you can retrieve it via:

clientSession.getNote(OIDCLoginProtocol.SCOPE_PARAM);

Then you can decide whether to skip this authenticator and just call
authenticationContext.attempted() or whether to try it and just call super.
We also have some example authentication SPI providers in the directory
"providers" of the keycloak-examples distribution.

Marek
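Added example, not code from the thread or from the Keycloak project: a SpnegoAuthenticator subclass that does what Marek sketches above. It reads the scope note with OIDCLoginProtocol.SCOPE_PARAM and calls context.attempted() when the client asked for the (hypothetical) "admin_login" scope, otherwise it defers to super.authenticate(). The class and factory names, the provider id and the scope token are my own choices. It assumes the Keycloak 2.x/3.x Authentication SPI of the time, where AuthenticationFlowContext exposes getClientSession(); on later releases the note lives on the authentication session instead (getAuthenticationSession()).

```java
package example.keycloak.auth;

import java.util.Arrays;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator;
import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticatorFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;

/**
 * Illustrative example, not Keycloak's own code: skips the SPNEGO/Kerberos
 * attempt when the OIDC request carried "scope=admin_login", so the browser
 * flow falls through to the next ALTERNATIVE execution (the login form) and
 * the Windows user can type the credentials of a separate admin account.
 */
public class ScopeAwareSpnegoAuthenticator extends SpnegoAuthenticator {

    /** Hypothetical scope token; use whatever name your application sends. */
    static final String SKIP_KERBEROS_SCOPE = "admin_login";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Keycloak re-sends the request's scope parameter as a client session
        // note (assumption: 2.x/3.x API with getClientSession()). The note holds
        // the whole scope string, e.g. "openid admin_login", so test for the
        // token instead of comparing the full string.
        String scope = context.getClientSession().getNote(OIDCLoginProtocol.SCOPE_PARAM);
        if (requestsScope(scope, SKIP_KERBEROS_SCOPE)) {
            // "Attempted" means this execution neither succeeded nor failed;
            // with SPNEGO configured as ALTERNATIVE the flow continues to the
            // username/password form rather than aborting the login.
            context.attempted();
            return;
        }
        // Normal path: negotiate the Kerberos ticket exactly as the parent does.
        super.authenticate(context);
    }

    /** True when the space-separated scope string contains the given token. */
    static boolean requestsScope(String scope, String token) {
        if (scope == null || scope.trim().isEmpty()) {
            return false;
        }
        return Arrays.asList(scope.trim().split("\\s+")).contains(token);
    }

    /**
     * Factory to register in
     * META-INF/services/org.keycloak.authentication.AuthenticatorFactory;
     * the provider id is a made-up name for this example.
     */
    public static class Factory extends SpnegoAuthenticatorFactory {
        public static final String PROVIDER_ID = "scope-aware-spnego";

        @Override
        public String getId() {
            return PROVIDER_ID;
        }

        @Override
        public String getDisplayType() {
            return "Kerberos (skippable via scope=admin_login)";
        }

        @Override
        public Authenticator create(KeycloakSession session) {
            return new ScopeAwareSpnegoAuthenticator();
        }
    }
}
```

Deploy it as a provider jar, then in the realm's browser flow replace the stock Kerberos execution with this one, keeping both it and the "Forms" execution set to ALTERNATIVE. Two caveats: the scope value is supplied by the client, so it may only decide whether Kerberos is attempted and must never be used to grant the admin role itself (that still comes from the account the user actually authenticates as), and the request still goes through the browser, so a user who wants the form simply appends the scope to the application's login URL.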
> Thanks again for your help.
>
> On Tue, Mar 14, 2017 at 3:40 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
>> I see your concerns. ATM there is nothing available OOTB, but the OIDC
>> specification has some support for authentication levels, which we
>> plan to add. Then you will be able to define in your application
>> if you want a "normal" level login (which can use Kerberos) or
>> an "admin" level login (which won't use Kerberos).
>> Until then, you will need to subclass SpnegoAuthenticator and do
>> something on your own.
>>
>> Marek
>>
>> On 14/03/17 13:52, Glenn Campbell wrote:
>>> Is there some mechanism similar to kc_idp_hint=login that will let me
>>> skip authentication via Kerberos ticket and let me log in via the
>>> Keycloak login page?
>>>
>>> My situation is that I have admin user accounts in my application but
>>> users don't log in to Windows with these accounts. So UserA logs in
>>> to Windows with his UserA account but sometimes needs to log in to my
>>> application as AdminX.
>>>
>>> I see that I can use impersonation from the Keycloak admin console to
>>> impersonate AdminX and then open a browser tab and go to my
>>> application and I'll be logged in to my application as AdminX. But
>>> this strategy is a little inconvenient for users to use on a daily
>>> basis. Not horrible by any means but I'm sure I'll get some
>>> complaints. More importantly these users are admins in my application
>>> but they are not Keycloak admins and I'd rather not have them mucking
>>> around in the Keycloak admin console.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user