Yes, feel free to create a JIRA issue with the link to this discussion.
Marek
On 28.7.2015 08:03, Michael Gerber wrote:
Should I create a Jira issue for that task?
Or will you implement something in this direction anyway?
On 24 July 2015 at 09:57, Stian Thorgersen <stian(a)redhat.com> wrote:
>
>
> ----- Original Message -----
>> From: "Marek Posolda" <mposolda(a)redhat.com>
>> To: "Raghu Prabhala" <prabhalar(a)yahoo.com>, "Bill Burke" <bburke(a)redhat.com>
>> Cc: "Stian Thorgersen" <stian(a)redhat.com>, keycloak-user(a)lists.jboss.org
>> Sent: Friday, 24 July, 2015 9:49:45 AM
>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
>>
>> Support for prompt=select_account will be cool. Another suggestion for
>> adding a query parameter to skip some mechanisms (like
>> skipAuthMechanism=cookie,kerberos) might be good too.
>
> That'll only make sense if we also add support to allow multiple
> accounts, which could be fairly easy on the server-side, but much
> harder to support in adapters.
>
>>
>> Not sure if we need to support both, but IMO it will be good to have a
>> solution not tightly coupled to Kerberos. I can imagine a similar
>> situation with other login mechanisms as well. For example with
>> authenticating users by certificate, the admin may also want to skip
>> automatic login with the certificate from his browser and instead log in
>> with the username/password form.
>>
>> Marek
>>
>> On 23.7.2015 17:43, Raghu Prabhala wrote:
>> > The select account prompt wouldn't work for us as some of our applications
>> > require that the user login only by entering userid/pw but your other
>> > suggestion might work as long as we do the Kerberos authentication using
>> > id/pw
>> >
>> > Sent from my iPhone
>> >
>> >> On Jul 23, 2015, at 11:28 AM, Bill Burke <bburke(a)redhat.com> wrote:
>> >>
>> >> All this interaction is defined by the SAML and OIDC specifications.
>> >> Logout redirects you back to the application and it's up to the
>> >> application what to do next. We could add a query param that, if it is
>> >> set, tells it not to do kerberos. This could be in addition to the "login
>> >> automatically" flag.
>> >>
>> >>
>> >>> On 7/23/2015 11:14 AM, Raghu Prabhala wrote:
>> >>> Why can't we have two separate authentication mechanisms - one IWA, in
>> >>> which case the user is logged in automatically and on logout he is taken
>> >>> to a login page where a diff userid can be entered and two, a login page
>> >>> that allows userid/password? That would address our use case.
>> >>>
>> >>>
>> >>>
>> >>> Sent from my iPhone
>> >>>
>> >>>> On Jul 23, 2015, at 10:50 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
>> >>>>
>> >>>> Maybe it can be configurable for the kerberos mechanism? Just the flag
>> >>>> "login automatically". If it's off, another confirmation screen for the
>> >>>> user will be displayed?
>> >>>>
>> >>>> Marek
>> >>>>
>> >>>>> On 23.7.2015 16:36, Stian Thorgersen wrote:
>> >>>>> "Is this you?"
>> >>>>>
>> >>>>> ----- Original Message -----
>> >>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>> >>>>>> To: keycloak-user(a)lists.jboss.org
>> >>>>>> Sent: Thursday, 23 July, 2015 4:02:53 PM
>> >>>>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
>> >>>>>>
>> >>>>>> With the new flows, we could detect a kerberos login then ask if they
>> >>>>>> want to login as that user or another.
>> >>>>>>
>> >>>>>>> On 7/23/2015 2:26 AM, Marek Posolda wrote:
>> >>>>>>> Do you want that for normal users or just for admin users? Just trying
>> >>>>>>> to understand the usecase. Because AFAIK the point of kerberos is that
>> >>>>>>> you login into the desktop and then you're automatically logged into
>> >>>>>>> integrated web applications without need to deal with any login screens
>> >>>>>>> and username/password. When a user has just one keycloak account
>> >>>>>>> corresponding to his kerberos ticket, then why does he need to login as
>> >>>>>>> a different user?
>> >>>>>>>
>> >>>>>>> I can understand the usecase for admin, when you want to login as a
>> >>>>>>> different user for testing purposes etc. For this, isn't it possible in
>> >>>>>>> windows to do something like "kdestroy" to be able to login without
>> >>>>>>> kerberos?
>> >>>>>>>
>> >>>>>>> Marek
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>> On 23.7.2015 07:44, Michael Gerber wrote:
>> >>>>>>>> Isn't it possible to create a cookie or add a URL parameter after the
>> >>>>>>>> logout, so the user is not logged in automatically?
>> >>>>>>>>
>> >>>>>>>> It's crucial for us to be able to log in as a different user,
>> >>>>>>>> otherwise we can not use kerberos at all :(
>> >>>>>>>>
>> >>>>>>>> Michael
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>> On 22 July 2015 at 23:06, Marek Posolda <mposolda(a)redhat.com> wrote:
>> >>>>>>>>>
>> >>>>>>>>> I don't think it's doable. Kerberos is kind of a desktop login and
>> >>>>>>>>> logout from the web application won't destroy the kerberos ticket -
>> >>>>>>>>> similarly like it can't logout your laptop/desktop session. So when
>> >>>>>>>>> you visit the secured application next time, you are automatically
>> >>>>>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket.
>> >>>>>>>>>
>> >>>>>>>>> Hence you need to remove the kerberos ticket manually (For example
>> >>>>>>>>> "kdestroy" works on Linux, but I guess you're using Windows +
>> >>>>>>>>> ActiveDirectory? ) and then you will be able to see the keycloak login
>> >>>>>>>>> screen and login as a different user.
>> >>>>>>>>>
>> >>>>>>>>> Marek
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>> On 22.7.2015 15:38, Michael Gerber wrote:
>> >>>>>>>>>> Hi all,
>> >>>>>>>>>>
>> >>>>>>>>>> I use LDAP with Kerberos and would like to logout and login again
>> >>>>>>>>>> with a different user (no kerberos login, just keycloak username
>> >>>>>>>>>> and password dialog).
>> >>>>>>>>>> Is that possible?
>> >>>>>>>>>>
>> >>>>>>>>>> cheers
>> >>>>>>>>>> Michael
>> >>>>>>>>>>
>> >>>>>>>>>> _______________________________________________
>> >>>>>>>>>> keycloak-user mailing list
>> >>>>>>>>>> keycloak-user(a)lists.jboss.org
>> >>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>>>>> --
>> >>>>>> Bill Burke
>> >>>>>> JBoss, a division of Red Hat
>> >>>>>> http://bill.burkecentral.com
>> >> --
>> >> Bill Burke
>> >> JBoss, a division of Red Hat
>> >> http://bill.burkecentral.com
>>
>>
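The point Marek makes above (a web logout clears the Keycloak session cookie but cannot touch the desktop Kerberos ticket, so SPNEGO logs the same user straight back in) and the two proposals in the thread (a skipAuthMechanism query parameter, and an "Is this you?" confirmation driven by prompt=select_account) can be put side by side in a small model. The following is an added illustration written for this page, not Keycloak code: the mechanism order cookie -> kerberos -> form, the BrowserState/Decision types and the skipAuthMechanism parameter are assumptions (skipAuthMechanism is only the idea floated in the thread); prompt=select_account is the OIDC Core prompt value Marek refers to. All identities and URLs are constructed sample data.

```python
"""Model of the login-mechanism order discussed in the thread.

Added illustration, not Keycloak's own code. Assumptions: the order
cookie -> kerberos -> form; the skipAuthMechanism query parameter is only
the proposal from the thread; prompt=select_account is the OIDC Core
'prompt' value. Identities and URLs below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional, Sequence
from urllib.parse import parse_qs, urlencode, urlparse

MECHANISMS = ("cookie", "kerberos", "form")  # assumed evaluation order


@dataclass
class BrowserState:
    """What the browser can present to the login endpoint."""
    sso_cookie: Optional[str] = None     # web SSO session; cleared by web logout
    krb_principal: Optional[str] = None  # desktop TGT; web logout never touches it


@dataclass
class Decision:
    mechanism: str          # which mechanism handled the request
    user: Optional[str]     # identity established, None when the form is shown
    confirm: bool = False   # True when an "Is this you?" screen is required


def build_auth_url(base: str, client_id: str, redirect_uri: str,
                   prompt: Optional[str] = None,
                   skip: Sequence[str] = ()) -> str:
    """OIDC authorization request; skipAuthMechanism is the hypothetical parameter."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": "openid"}
    if prompt:
        params["prompt"] = prompt
    if skip:
        params["skipAuthMechanism"] = ",".join(skip)
    return f"{base}?{urlencode(params)}"


def select_mechanism(auth_url: str, state: BrowserState) -> Decision:
    """Walk the mechanisms in order; the first one that can authenticate wins."""
    query = parse_qs(urlparse(auth_url).query)
    skip = {m for m in query.get("skipAuthMechanism", [""])[0].split(",") if m}
    prompts = set(query.get("prompt", [""])[0].split())  # space-separated per OIDC
    confirm = "select_account" in prompts
    for mech in MECHANISMS:
        if mech in skip:
            continue
        if mech == "cookie" and state.sso_cookie:
            return Decision("cookie", state.sso_cookie, confirm)
        if mech == "kerberos" and state.krb_principal:
            return Decision("kerberos", state.krb_principal, confirm)
        if mech == "form":
            return Decision("form", None)
    return Decision("none", None)


def web_logout(state: BrowserState) -> None:
    """Keycloak logout clears the web session only; the Kerberos ticket survives."""
    state.sso_cookie = None


def kdestroy(state: BrowserState) -> None:
    """Desktop-side equivalent of kdestroy (Linux) / klist purge (Windows)."""
    state.krb_principal = None


if __name__ == "__main__":
    url = build_auth_url("https://sso.example.test/auth", "app",
                         "https://app.example.test/cb")
    st = BrowserState(sso_cookie="alice", krb_principal="alice@EXAMPLE.TEST")
    web_logout(st)
    print(select_mechanism(url, st))  # kerberos logs alice straight back in
```

Running the model with a valid ticket after web_logout reproduces the behaviour Michael reports: the cookie is gone but the kerberos step still wins, so the form is never shown. Only one of the three changes the outcome: dropping the ticket on the desktop (kdestroy), asking the server to skip the cookie and kerberos steps, or requesting select_account, which still identifies the ticket holder but flags that a confirmation screen must be shown before the session is created.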