3:05 p.m.
Hello
Right now our keycloak server was setup to do kerberos authentication with ldap as backup,
so in this case, the user will get them in automatically
from the company domain when they hitting the URL, we have application role definitions in
the keycloak, if the user does not have the role configured
then we want to logout them back to the default key cloack login page and let them try
their LDAP user account.
But because kerberos authentication is always on the top, so right after we logout the
user, the kerberos will let them in automatically
right now we are using keycloak.logout from keycloak.js to logout user
I am wondering what is the good practice to achieve this?
Any suggestions are welcome
thanks
raymond
________________________________
Moneris Solutions Corporation | 3300 Bloor Street West | Toronto | Ontario | M8X 2X2 |
Canada www.moneris.com 1-866-319-7450
If you wish to unsubscribe from future updates from Moneris, please click
here<https://www.moneris.com/en/About-Moneris/Contact-Moneris/Unsubscr...;.
Please see the Moneris Privacy Policy
here<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy...;.
This e-mail may be privileged and/or confidential, and the sender does not waive any
related rights and obligations. Any distribution, use or copying of this e-mail or the
information it contains by other than an intended recipient is unauthorized. If you
received this e-mail in error, please advise me (by return e-mail or otherwise)
immediately.
________________________________
Corporation Solutions Moneris | 3300, rue Bloor Ouest | Toronto | Ontario | M8X 2X2 |
Canada www.moneris.com 1-866-319-7450
Si vous désirez enlever votre nom de la liste d’envoi de Moneris, veuillez cliquer
ici<https://www.moneris.com/about-moneris/contact-moneris/unsubscribe?...;.
Veuillez consulter la Politique de confidentialité de Moneris
ici<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy....;.
Ce courriel peut contenir des renseignements confidentiels ou privilégiés, et son
expéditeur ne renonce à aucun droit ni à aucune obligation connexe. La distribution,
l’utilisation ou la reproduction du présent courriel ou des renseignements qu’il contient
par une personne autre que son destinataire prévu sont interdites. Si vous avez reçu ce
courriel par erreur, veuillez m’en aviser immédiatement (par retour de courriel ou
autrement).
4:38 p.m.
You would need to create a custom authenticator that is like an account
chooser page, i.e. two buttons one says "login to kerberos" the other
says "login to ldap".
A custom flow would look like this:
* Cookie Authenticator
* create an ALTERNATIVE sub flow
* REQUIRED Account Chooser Custom authenticator page - if the
kerberos button is clicked, call AuthFlowContext.success() otherwise
AuthFLowContext.attempted(). Attempted will abort this alternative flow
* REQUIRED Built in Kerberos Authenticator
* create another ALTERNATIVE sub flow
* REQUIRED built in username/password authenticator
On 8/17/16 4:05 PM, Zhou, Limin (Ray) wrote:
Hello
Right now our keycloak server was setup to do kerberos authentication
with ldap as backup, so in this case, the user will get them in
automatically
from the company domain when they hitting the URL, we have application
role definitions in the keycloak, if the user does not have the role
configured
then we want to logout them back to the default key cloack login page
and let them try their LDAP user account.
But because kerberos authentication is always on the top, so right
after we logout the user, the kerberos will let them in automatically
right now we are using keycloak.logout from keycloak.js to logout user
I am wondering what is the good practice to achieve this?
Any suggestions are welcome
thanks
raymond
------------------------------------------------------------------------
Moneris Solutions Corporation | 3300 Bloor Street West | Toronto |
Ontario | M8X 2X2 | Canada www.moneris.com 1-866-319-7450
If you wish to unsubscribe from future updates from Moneris, please
click here
<https://www.moneris.com/en/About-Moneris/Contact-Moneris/Unsubscribe.aspx>;.
Please see the Moneris Privacy Policy here
<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx>;.
This e-mail may be privileged and/or confidential, and the sender does
not waive any related rights and obligations. Any distribution, use or
copying of this e-mail or the information it contains by other than an
intended recipient is unauthorized. If you received this e-mail in
error, please advise me (by return e-mail or otherwise) immediately.
------------------------------------------------------------------------
Corporation Solutions Moneris | 3300, rue Bloor Ouest | Toronto |
Ontario | M8X 2X2 | Canada www.moneris.com 1-866-319-7450
Si vous désirez enlever votre nom de la liste d’envoi de Moneris,
veuillez cliquer ici
<https://www.moneris.com/about-moneris/contact-moneris/unsubscribe?sc_lang...;.
Veuillez consulter la Politique de confidentialité de Moneris ici
<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx?sc...;.
Ce courriel peut contenir des renseignements confidentiels ou
privilégiés, et son expéditeur ne renonce à aucun droit ni à aucune
obligation connexe. La distribution, l’utilisation ou la reproduction
du présent courriel ou des renseignements qu’il contient par une
personne autre que son destinataire prévu sont interdites. Si vous
avez reçu ce courriel par erreur, veuillez m’en aviser immédiatement
(par retour de courriel ou autrement).
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:33 p.m.
Hello
I've a similar case to this one, but instead of using an account page I use
the ssl client certificate passed by Apache. I set up everything as the
example you provided, but even if in my "Account Chooser Custom
authenticator" I call AuthFlowContext.success() it is still showing me the
username/password form from the next alternative flow.
I worked around it creating a class called
AlternativeUsernamePasswordFormFactory
that extends UsernamePasswordFormFactory, and the only change that I did to
it was to add the AuthenticationExecutionModel.Requirement.ALTERNATIVE to
the REQUIREMENT_CHOICES . Now, if I set this new auth type as alternative
in Keycloak, it does what I want.
So my questions are: am I missing something to mark my Authenticator as
sufficient to end the flow and return to the client? if not, is there a
reason why UsernamePasswordFormFactory doesn't provide the ALTERNATIVE
option, and can it be added to this class?
I'm posting this again os this thread as Ray may face the same issue soon...
Cheers
filipe
On Wed, Aug 17, 2016 at 6:38 PM Bill Burke <bburke(a)redhat.com> wrote:
You would need to create a custom authenticator that is like an
account
chooser page, i.e. two buttons one says "login to kerberos" the other says
"login to ldap".
A custom flow would look like this:
* Cookie Authenticator
* create an ALTERNATIVE sub flow
* REQUIRED Account Chooser Custom authenticator page - if the kerberos
button is clicked, call AuthFlowContext.success() otherwise
AuthFLowContext.attempted(). Attempted will abort this alternative flow
* REQUIRED Built in Kerberos Authenticator
* create another ALTERNATIVE sub flow
* REQUIRED built in username/password authenticator
On 8/17/16 4:05 PM, Zhou, Limin (Ray) wrote:
Hello
Right now our keycloak server was setup to do kerberos authentication with
ldap as backup, so in this case, the user will get them in automatically
from the company domain when they hitting the URL, we have application
role definitions in the keycloak, if the user does not have the role
configured
then we want to logout them back to the default key cloack login page and
let them try their LDAP user account.
But because kerberos authentication is always on the top, so right after
we logout the user, the kerberos will let them in automatically
right now we are using keycloak.logout from keycloak.js to logout user
I am wondering what is the good practice to achieve this?
Any suggestions are welcome
thanks
raymond
------------------------------
Moneris Solutions Corporation | 3300 Bloor Street West | Toronto | Ontario
| M8X 2X2 | Canada www.moneris.com 1-866-319-7450
If you wish to unsubscribe from future updates from Moneris, please click
here
<https://www.moneris.com/en/About-Moneris/Contact-Moneris/Unsubscribe.aspx>;.
Please see the Moneris Privacy Policy here
<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx>;.
This e-mail may be privileged and/or confidential, and the sender does not
waive any related rights and obligations. Any distribution, use or copying
of this e-mail or the information it contains by other than an intended
recipient is unauthorized. If you received this e-mail in error, please
advise me (by return e-mail or otherwise) immediately.
------------------------------
Corporation Solutions Moneris | 3300, rue Bloor Ouest | Toronto | Ontario
| M8X 2X2 | Canada www.moneris.com 1-866-319-7450
Si vous désirez enlever votre nom de la liste d’envoi de Moneris, veuillez
cliquer ici
<https://www.moneris.com/about-moneris/contact-moneris/unsubscribe?sc_lang...;.
Veuillez consulter la Politique de confidentialité de Moneris ici
<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx?sc...;.
Ce courriel peut contenir des renseignements confidentiels ou privilégiés,
et son expéditeur ne renonce à aucun droit ni à aucune obligation connexe.
La distribution, l’utilisation ou la reproduction du présent courriel ou
des renseignements qu’il contient par une personne autre que son
destinataire prévu sont interdites. Si vous avez reçu ce courriel par
erreur, veuillez m’en aviser immédiatement (par retour de courriel ou
autrement).
_______________________________________________
keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
filipe lautert
2:10 p.m.
Filipe, wouldn't you just have your Client Cert Authenticator be
alternative and just use the "Forms" sub-flow structure that exists in
the built in "Browser" flow?
On 8/18/16 2:33 PM, Filipe Lautert wrote:
Hello
I've a similar case to this one, but instead of using an account page
I use the ssl client certificate passed by Apache. I set up everything
as the example you provided, but even if in my "Account Chooser Custom
authenticator" I call AuthFlowContext.success() it is still showing me
the username/password form from the next alternative flow.
I worked around it creating a class called
AlternativeUsernamePasswordFormFactory that
extends UsernamePasswordFormFactory, and the only change that I did to
it was to add the AuthenticationExecutionModel.Requirement.ALTERNATIVE
to the REQUIREMENT_CHOICES . Now, if I set this new auth type as
alternative in Keycloak, it does what I want.
So my questions are: am I missing something to mark my Authenticator
as sufficient to end the flow and return to the client? if not, is
there a reason why UsernamePasswordFormFactory doesn't provide the
ALTERNATIVE option, and can it be added to this class?
I'm posting this again os this thread as Ray may face the same issue
soon...
Cheers
filipe
On Wed, Aug 17, 2016 at 6:38 PM Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
You would need to create a custom authenticator that is like an
account chooser page, i.e. two buttons one says "login to
kerberos" the other says "login to ldap".
A custom flow would look like this:
* Cookie Authenticator
* create an ALTERNATIVE sub flow
* REQUIRED Account Chooser Custom authenticator page - if the
kerberos button is clicked, call AuthFlowContext.success()
otherwise AuthFLowContext.attempted(). Attempted will abort this
alternative flow
* REQUIRED Built in Kerberos Authenticator
* create another ALTERNATIVE sub flow
* REQUIRED built in username/password authenticator
On 8/17/16 4:05 PM, Zhou, Limin (Ray) wrote:
>
> Hello
>
> Right now our keycloak server was setup to do kerberos
> authentication with ldap as backup, so in this case, the user
> will get them in automatically
>
> from the company domain when they hitting the URL, we have
> application role definitions in the keycloak, if the user does
> not have the role configured
>
> then we want to logout them back to the default key cloack login
> page and let them try their LDAP user account.
>
> But because kerberos authentication is always on the top, so
> right after we logout the user, the kerberos will let them in
> automatically
>
> right now we are using keycloak.logout from keycloak.js to logout
> user
>
> I am wondering what is the good practice to achieve this?
>
> Any suggestions are welcome
>
> thanks
>
> raymond
>
> ------------------------------------------------------------------------
> Moneris Solutions Corporation | 3300 Bloor Street West | Toronto
> | Ontario | M8X 2X2 | Canada www.moneris.com
> <http://www.moneris.com> 1-866-319-7450
> If you wish to unsubscribe from future updates from Moneris,
> please click here
>
<https://www.moneris.com/en/About-Moneris/Contact-Moneris/Unsubscribe.aspx>;.
> Please see the Moneris Privacy Policy here
> <http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx>;.
>
>
> This e-mail may be privileged and/or confidential, and the sender
> does not waive any related rights and obligations. Any
> distribution, use or copying of this e-mail or the information it
> contains by other than an intended recipient is unauthorized. If
> you received this e-mail in error, please advise me (by return
> e-mail or otherwise) immediately.
> ------------------------------------------------------------------------
> Corporation Solutions Moneris | 3300, rue Bloor Ouest | Toronto |
> Ontario | M8X 2X2 | Canada www.moneris.com
> <http://www.moneris.com> 1-866-319-7450
> Si vous désirez enlever votre nom de la liste d’envoi de Moneris,
> veuillez cliquer ici
>
<https://www.moneris.com/about-moneris/contact-moneris/unsubscribe?sc_lang...;.
> Veuillez consulter la Politique de confidentialité de Moneris ici
>
<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx?sc...;.
>
>
> Ce courriel peut contenir des renseignements confidentiels ou
> privilégiés, et son expéditeur ne renonce à aucun droit ni à
> aucune obligation connexe. La distribution, l’utilisation ou la
> reproduction du présent courriel ou des renseignements qu’il
> contient par une personne autre que son destinataire prévu sont
> interdites. Si vous avez reçu ce courriel par erreur, veuillez
> m’en aviser immédiatement (par retour de courriel ou autrement).
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
filipe lautert
3:31 p.m.
Hello Bill
it worked, but slightly different from you suggestion - thanks for the
help! For some reason when I put my authenticator inside a flow it was not
working as alternative, but outside of it worked. So my flow had to be
changed as below:
* Cookie Authenticator
* create an ALTERNATIVE sub flow
* REQUIRED Add Execution (outisde of flow) as ALTERNATIVE Account
Chooser Custom authenticator page - success call AuthFlowContext.success()
otherwise AuthFLowContext.attempted().
* create ALTERNATIVE sub flow (Forms)
* REQUIRED built in username/password authenticator
Cheers
filipe
On Thu, Aug 18, 2016 at 4:10 PM Bill Burke <bburke(a)redhat.com> wrote:
Filipe, wouldn't you just have your Client Cert Authenticator be
alternative and just use the "Forms" sub-flow structure that exists in the
built in "Browser" flow?
On 8/18/16 2:33 PM, Filipe Lautert wrote:
Hello
I've a similar case to this one, but instead of using an account page I
use the ssl client certificate passed by Apache. I set up everything as the
example you provided, but even if in my "Account Chooser Custom
authenticator" I call AuthFlowContext.success() it is still showing me
the username/password form from the next alternative flow.
I worked around it creating a class called AlternativeUsernamePasswordFormFactory
that extends UsernamePasswordFormFactory, and the only change that I did to
it was to add the AuthenticationExecutionModel.Requirement.ALTERNATIVE to
the REQUIREMENT_CHOICES . Now, if I set this new auth type as alternative
in Keycloak, it does what I want.
So my questions are: am I missing something to mark my Authenticator as
sufficient to end the flow and return to the client? if not, is there a
reason why UsernamePasswordFormFactory doesn't provide the ALTERNATIVE
option, and can it be added to this class?
I'm posting this again os this thread as Ray may face the same issue
soon...
Cheers
filipe
On Wed, Aug 17, 2016 at 6:38 PM Bill Burke <bburke(a)redhat.com> wrote:
> You would need to create a custom authenticator that is like an account
> chooser page, i.e. two buttons one says "login to kerberos" the other says
> "login to ldap".
>
> A custom flow would look like this:
>
> * Cookie Authenticator
> * create an ALTERNATIVE sub flow
>
> * REQUIRED Account Chooser Custom authenticator page - if the kerberos
> button is clicked, call AuthFlowContext.success() otherwise
> AuthFLowContext.attempted(). Attempted will abort this alternative flow
> * REQUIRED Built in Kerberos Authenticator
>
> * create another ALTERNATIVE sub flow
> * REQUIRED built in username/password authenticator
>
>
> On 8/17/16 4:05 PM, Zhou, Limin (Ray) wrote:
>
> Hello
>
>
>
> Right now our keycloak server was setup to do kerberos authentication
> with ldap as backup, so in this case, the user will get them in
> automatically
>
> from the company domain when they hitting the URL, we have application
> role definitions in the keycloak, if the user does not have the role
> configured
>
> then we want to logout them back to the default key cloack login page and
> let them try their LDAP user account.
>
>
>
> But because kerberos authentication is always on the top, so right after
> we logout the user, the kerberos will let them in automatically
>
>
>
> right now we are using keycloak.logout from keycloak.js to logout user
>
>
>
> I am wondering what is the good practice to achieve this?
>
>
>
> Any suggestions are welcome
>
>
>
> thanks
>
> raymond
> ------------------------------
> Moneris Solutions Corporation | 3300 Bloor Street West | Toronto |
> Ontario | M8X 2X2 | Canada www.moneris.com 1-866-319-7450
> If you wish to unsubscribe from future updates from Moneris, please click
> here
> <https://www.moneris.com/en/About-Moneris/Contact-Moneris/Unsubscribe.aspx>;.
> Please see the Moneris Privacy Policy here
> <http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx>;.
>
>
> This e-mail may be privileged and/or confidential, and the sender does
> not waive any related rights and obligations. Any distribution, use or
> copying of this e-mail or the information it contains by other than an
> intended recipient is unauthorized. If you received this e-mail in error,
> please advise me (by return e-mail or otherwise) immediately.
> ------------------------------
> Corporation Solutions Moneris | 3300, rue Bloor Ouest | Toronto | Ontario
> | M8X 2X2 | Canada www.moneris.com 1-866-319-7450
> Si vous désirez enlever votre nom de la liste d’envoi de Moneris,
> veuillez cliquer ici
>
<https://www.moneris.com/about-moneris/contact-moneris/unsubscribe?sc_lang...;.
> Veuillez consulter la Politique de confidentialité de Moneris ici
>
<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx?sc...;.
>
>
> Ce courriel peut contenir des renseignements confidentiels ou
> privilégiés, et son expéditeur ne renonce à aucun droit ni à aucune
> obligation connexe. La distribution, l’utilisation ou la reproduction du
> présent courriel ou des renseignements qu’il contient par une personne
> autre que son destinataire prévu sont interdites. Si vous avez reçu ce
> courriel par erreur, veuillez m’en aviser immédiatement (par retour de
> courriel ou autrement).
>
> _______________________________________________
> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
filipe lautert
--
filipe lautert
3066
days inactive
3067
days old
4 comments
3 participants
participants (3)
-
Bill Burke -
Filipe Lautert -
Zhou, Limin (Ray)