[keycloak-user] LDAP with Kerberos, login with different user

Marek Posolda mposolda at redhat.com
Mon Aug 3 05:27:18 EDT 2015


Yes, feel free to create JIRA with the link to this discussion.

Marek

On 28.7.2015 08:03, Michael Gerber wrote:
> Should I create a Jira issue for that task?
> Or will you anyway implement something in this direction?
>
> On 24 July 2015 at 09:57, Stian Thorgersen <stian at redhat.com> wrote:
>
>>
>>
>> ----- Original Message -----
>>> From: "Marek Posolda" <mposolda at redhat.com>
>>> To: "Raghu Prabhala" <prabhalar at yahoo.com>, "Bill Burke" <bburke at redhat.com>
>>> Cc: "Stian Thorgersen" <stian at redhat.com>, keycloak-user at lists.jboss.org
>>> Sent: Friday, 24 July, 2015 9:49:45 AM
>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
>>>
>>> Support for prompt=select_account will be cool. Another suggestion, adding
>>> a query parameter to skip some mechanisms (like
>>> skipAuthMechanism=cookie,kerberos), might be good too.
>>
>> That'll only make sense if we also add support to allow multiple 
>> accounts, which could be fairly easy on the server-side, but much 
>> harder to support in adapters.
>>
>>>
>>> Not sure if we need to support both, but IMO it will be good to have a
>>> solution not tightly coupled to Kerberos. I can imagine a similar
>>> situation with other login mechanisms as well. For example, with
>>> authenticating users by certificate, an admin may also want to skip
>>> automatic login with the certificate from his browser and instead log in
>>> with the username/password form.
>>>
>>> Marek
>>>
>>> On 23.7.2015 17:43, Raghu Prabhala wrote:
>>> > The select account prompt wouldn't work for us as some of our applications
>>> > require that the user log in only by entering userid/pw, but your other
>>> > suggestion might work as long as we do the Kerberos authentication using
>>> > id/pw.
>>> >
>>> > Sent from my iPhone
>>> >
>>> >> On Jul 23, 2015, at 11:28 AM, Bill Burke <bburke at redhat.com> wrote:
>>> >>
>>> >> All this interaction is defined by the SAML and OIDC specifications.
>>> >> Logout redirects you back to the application and it's up to the
>>> >> application what to do next. We could add a query param that, if it is
>>> >> set, skips Kerberos. This could be in addition to the "login
>>> >> automatically" flag.
>>> >>
>>> >>
>>> >>> On 7/23/2015 11:14 AM, Raghu Prabhala wrote:
>>> >>> Why can't we have two separate authentication mechanisms: one, IWA, in
>>> >>> which case the user is logged in automatically and on logout he is taken
>>> >>> to a login page where a different userid can be entered, and two, a login
>>> >>> page that allows userid/password? That would address our use case.
>>> >>>
>>> >>>
>>> >>>
>>> >>> Sent from my iPhone
>>> >>>
>>> >>>> On Jul 23, 2015, at 10:50 AM, Marek Posolda <mposolda at redhat.com> wrote:
>>> >>>>
>>> >>>> Maybe it can be configurable for the Kerberos mechanism? Just the flag
>>> >>>> "login automatically". If it's off, another confirmation screen for the
>>> >>>> user will be displayed?
>>> >>>>
>>> >>>> Marek
>>> >>>>
>>> >>>>> On 23.7.2015 16:36, Stian Thorgersen wrote:
>>> >>>>> "Is this you?"
>>> >>>>>
>>> >>>>> ----- Original Message -----
>>> >>>>>> From: "Bill Burke" <bburke at redhat.com>
>>> >>>>>> To: keycloak-user at lists.jboss.org
>>> >>>>>> Sent: Thursday, 23 July, 2015 4:02:53 PM
>>> >>>>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
>>> >>>>>>
>>> >>>>>> With the new flows, we could detect a Kerberos login and then ask if
>>> >>>>>> they want to log in as that user or another.
>>> >>>>>>
>>> >>>>>>> On 7/23/2015 2:26 AM, Marek Posolda wrote:
>>> >>>>>>> Do you want that for normal users or just for admin users? Just
>>> >>>>>>> trying to understand the use case. Because AFAIK the point of
>>> >>>>>>> Kerberos is that you log into the desktop and then you're
>>> >>>>>>> automatically logged into integrated web applications without
>>> >>>>>>> needing to deal with any login screens and username/password. When
>>> >>>>>>> a user has just one Keycloak account corresponding to his Kerberos
>>> >>>>>>> ticket, then why does he need to log in as a different user?
>>> >>>>>>>
>>> >>>>>>> I can understand the use case for an admin, when you want to log in
>>> >>>>>>> as a different user for testing purposes etc. For this, isn't it
>>> >>>>>>> possible in Windows to do something like "kdestroy" to be able to
>>> >>>>>>> log in without Kerberos?
>>> >>>>>>>
>>> >>>>>>> Marek
>>> >>>>>>>
>>> >>>>>>>> On 23.7.2015 07:44, Michael Gerber wrote:
>>> >>>>>>>> Isn't it possible to create a cookie or add a URL parameter after
>>> >>>>>>>> the logout, so the user is not logged in automatically?
>>> >>>>>>>>
>>> >>>>>>>> It's crucial for us to be able to log in as a different user,
>>> >>>>>>>> otherwise we cannot use Kerberos at all :(
>>> >>>>>>>>
>>> >>>>>>>> Michael
>>> >>>>>>>>
>>> >>>>>>>>> On 22 July 2015 at 23:06, Marek Posolda <mposolda at redhat.com> wrote:
>>> >>>>>>>>>
>>> >>>>>>>>> I don't think it's doable. Kerberos is a kind of desktop login, and
>>> >>>>>>>>> logging out from the web application won't destroy the Kerberos
>>> >>>>>>>>> ticket, similarly to how it can't log out your laptop/desktop
>>> >>>>>>>>> session. So when you visit the secured application next time, you
>>> >>>>>>>>> are automatically logged into Keycloak through SPNEGO due to the
>>> >>>>>>>>> Kerberos ticket.
>>> >>>>>>>>>
>>> >>>>>>>>> Hence you need to remove the Kerberos ticket manually (for example
>>> >>>>>>>>> "kdestroy" works on Linux, but I guess you're using Windows +
>>> >>>>>>>>> ActiveDirectory?) and then you will be able to see the Keycloak
>>> >>>>>>>>> login screen and log in as a different user.
>>> >>>>>>>>>
>>> >>>>>>>>> Marek
>>> >>>>>>>>>
>>> >>>>>>>>>> On 22.7.2015 15:38, Michael Gerber wrote:
>>> >>>>>>>>>> Hi all,
>>> >>>>>>>>>>
>>> >>>>>>>>>> I use LDAP with Kerberos and would like to log out and log in
>>> >>>>>>>>>> again with a different user (no Kerberos login, just the Keycloak
>>> >>>>>>>>>> username and password dialog).
>>> >>>>>>>>>> Is that possible?
>>> >>>>>>>>>>
>>> >>>>>>>>>> cheers
>>> >>>>>>>>>> Michael
>>> >>>>>>>>>>
>>> >>>>>>>>>>
>>> >>>>>>>>>> _______________________________________________
>>> >>>>>>>>>> keycloak-user mailing list
>>> >>>>>>>>>> keycloak-user at lists.jboss.org
>>> >>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >>>>>>>
>>> >>>>>> --
>>> >>>>>> Bill Burke
>>> >>>>>> JBoss, a division of Red Hat
>>> >>>>>> http://bill.burkecentral.com
>>> >> --
>>> >> Bill Burke
>>> >> JBoss, a division of Red Hat
>>> >> http://bill.burkecentral.com
>>>
>>>
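The prompt=select_account value Marek mentions above is the standard OpenID Connect `prompt` request parameter, which is the spec-defined way for an application to tell the provider not to log the user in silently. As an added illustration that is not part of this thread and not Keycloak's own code, the Python below models both sides: a relying party building such an authorization request, and a provider deciding whether an SSO cookie or a SPNEGO/Kerberos ticket may be used without interaction. It goes beyond the thread by handling all four prompt values defined in OpenID Connect Core 1.0 (none, login, consent, select_account); the endpoint URLs, client id, function names and sample inputs are constructed assumptions.

```python
"""
Added example (not Keycloak code): how a relying party requests account
selection with prompt=select_account, and how a provider that also offers
SSO-cookie and SPNEGO/Kerberos auto-login should honour the prompt values
of OpenID Connect Core 1.0 section 3.1.2.1. Names and inputs are assumptions.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# prompt values defined by OpenID Connect Core 1.0
VALID_PROMPTS = frozenset({"none", "login", "consent", "select_account"})


def build_authorization_url(authz_endpoint, client_id, redirect_uri, state, prompt=None):
    """Build the authorization request URL a relying party redirects the browser to.

    prompt may carry several space-separated values, e.g. "select_account consent".
    """
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if prompt:
        values = set(prompt.split())
        unknown = values - VALID_PROMPTS
        if unknown:
            raise ValueError(f"unknown prompt value(s): {sorted(unknown)}")
        params["prompt"] = " ".join(sorted(values))
    return f"{authz_endpoint}?{urlencode(params)}"


def parse_prompt(url):
    """Return the set of prompt values carried by an authorization request URL."""
    query = parse_qs(urlparse(url).query)
    raw = query.get("prompt", [""])[0]
    return set(raw.split())


def decide_authentication(prompt_values, has_sso_cookie, has_kerberos_ticket):
    """Provider-side decision: may the user be logged in without interaction?

    Returns an (outcome, detail) pair:
      ("auto", "cookie" | "spnego")      silent login through that mechanism
      ("interactive", ...)               a screen is shown even though a cookie
                                         or Kerberos ticket could have been used
      ("error", "invalid_request" | "login_required")
    """
    prompt_values = set(prompt_values)
    # prompt=none must not be combined with any other value
    if "none" in prompt_values and len(prompt_values) > 1:
        return ("error", "invalid_request")
    # login asks for re-authentication and select_account for choosing an
    # account; both mean the silent mechanisms (cookie, SPNEGO) are skipped
    if "login" in prompt_values:
        return ("interactive", "login")
    if "select_account" in prompt_values:
        return ("interactive", "select_account")
    # no instruction to the contrary: silent mechanisms take precedence
    if has_sso_cookie:
        return ("auto", "cookie")
    if has_kerberos_ticket:
        return ("auto", "spnego")
    # nothing silent is available: fail for prompt=none, otherwise show the form
    if "none" in prompt_values:
        return ("error", "login_required")
    return ("interactive", "login_form")


if __name__ == "__main__":
    # Constructed sample: the application wants the user to pick an account
    # even though the browser could present a Kerberos ticket.
    url = build_authorization_url(
        "https://idp.example.test/auth/realms/demo/protocol/openid-connect/auth",
        client_id="demo-app",
        redirect_uri="https://app.example.test/callback",
        state="xyz",
        prompt="select_account",
    )
    print(url)
    print(decide_authentication(parse_prompt(url), has_sso_cookie=True, has_kerberos_ticket=True))
```

The point for the use case in this thread is in `decide_authentication`: without a prompt value, a valid Kerberos ticket (or SSO cookie) wins and the user never sees the login form, which is exactly why a web-side logout alone does not allow switching users; only an explicit `login` or `select_account` request, or removing the ticket with kdestroy as described above, forces the interactive path.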
