TBH I have not checked out 1.4 yet. But I will have a look at it as soon as it's out.
It would solve my problem, if 1.4 offers a way to create impersonated users and login with
username and password even if kerberos is enabled.
On 23 July 2015 at 13:33, Marek Posolda <mposolda(a)redhat.com> wrote:
Ah, OK. So it's about admin users. Also note that in the latest 1.4 version we will have
a new "impersonation" feature, which allows an admin to temporarily log in on behalf
of any other user. Isn't this even better for your use case?
Marek
On 23.7.2015 08:41, Michael Gerber wrote:
Hi, yes, something like that would be great.
Our application admins are not tech guys, so it would be nice to offer an easy
solution to them ;)
On 23 July 2015 at 08:35, Marek Posolda <mposolda(a)redhat.com> wrote:
Maybe we can have a special request parameter, which will be sent from the application to the login
screen. The parameter will contain a list of authentication mechanisms which you want to
skip for this login. Something like "skipAuthType=cookie,kerberos". The list of
skipped alternative mechanisms will be saved in ClientSession, so authentication SPI can
deal with it.
Not sure if it makes sense to add support to the adapter, but maybe something basic (like we
have for the parameters "login_hint" or "kc_idp_hint" in keycloak.js) can
be added as well?
Marek
On 23.7.2015 08:26, Marek Posolda wrote:
Do you want that for normal users or just for admin users? Just trying to understand the
use case. Because AFAIK the point of Kerberos is that you log in to the desktop and then
you're automatically logged into integrated web applications without needing to deal with
any login screens and username/password. When a user has just one Keycloak account
corresponding to his Kerberos ticket, then why does he need to log in as a different user?
I can understand the use case for an admin, when you want to log in as a different user for
testing purposes etc. For this, isn't it possible in Windows to do something like
"kdestroy" to be able to log in without Kerberos?
Marek
On 23.7.2015 07:44, Michael Gerber wrote:
Isn't it possible to create a cookie or add a URL parameter after the logout, so the
user is not logged in automatically?
It's crucial for us to be able to log in as a different user, otherwise we cannot use
Kerberos at all :(
Michael
On 22 July 2015 at 23:06, Marek Posolda <mposolda(a)redhat.com> wrote:
I don't think it's doable. Kerberos is a kind of desktop login, and logout from the
web application won't destroy the Kerberos ticket, just as it can't log out
your laptop/desktop session. So when you visit the secured application next time, you are
automatically logged into Keycloak through SPNEGO due to the Kerberos ticket.
Hence you need to remove the Kerberos ticket manually (for example, "kdestroy" works
on Linux, but I guess you're using Windows + Active Directory?) and then you will be
able to see the Keycloak login screen and log in as a different user.
Marek
On 22.7.2015 15:38, Michael Gerber wrote:
Hi all,
I use LDAP with Kerberos and would like to log out and log in again with a different user
(no Kerberos login, just the Keycloak username and password dialog).
Is that possible?
cheers
Michael
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user