[keycloak-user] LDAP with Kerberos, login with different user
Stian Thorgersen
stian at redhat.com
Thu Jul 23 03:51:15 EDT 2015
How about when a user logs out from Keycloak we add a session cookie to not use Kerberos again automatically? Even better, if there's a concept of a session-id with Kerberos we can add the session-id to the cookie and automatically log in if the user's Kerberos session has changed, but otherwise display the username/password form.
----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Michael Gerber" <gerbermichi at me.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 23 July, 2015 8:35:30 AM
> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
>
> Maybe we can have a special request parameter, which will be sent from the
> application to the login screen. The parameter will contain a list of
> authentication mechanisms which you want to skip for this login. Something
> like "skipAuthType=cookie,kerberos". The list of skipped alternative
> mechanisms will be saved in ClientSession, so the authentication SPI can deal
> with it.
>
> Not sure if it makes sense to add support into adapter, but maybe something
> basic (like we have for parameters "login_hint" or "kc_idp_hint" in
> keycloak.js) can be added as well?
>
> Marek
>
> On 23.7.2015 08:26, Marek Posolda wrote:
>
> Do you want that for normal users or just for admin users? Just trying to
> understand the use case. Because AFAIK the point of kerberos is that you
> log in to the desktop and then you're automatically logged into integrated
> web applications without needing to deal with any login screens and
> username/password. When a user has just one keycloak account corresponding to
> his kerberos ticket, then why does he need to log in as a different user?
>
> I can understand the use case for an admin, when you want to log in as a different
> user for testing purposes etc. For this, isn't it possible in Windows to do
> something like "kdestroy" to be able to log in without kerberos?
>
> Marek
>
> On 23.7.2015 07:44, Michael Gerber wrote:
>
> Isn't it possible to create a cookie or add a URL parameter after the
> logout, so the user is not logged in automatically?
>
> It's crucial for us to be able to log in as a different user, otherwise we
> can not use kerberos at all :(
>
> Michael
>
> Am 22. Juli 2015 um 23:06 schrieb Marek Posolda <mposolda at redhat.com> :
>
> I don't think it's doable. Kerberos is a kind of desktop login, and logout from
> the web application won't destroy the kerberos ticket - similarly, it
> can't log out your laptop/desktop session. So when you visit the secured
> application next time, you are automatically logged into Keycloak through
> SPNEGO due to the Kerberos ticket.
>
> Hence you need to remove the kerberos ticket manually (for example "kdestroy"
> works on Linux, but I guess you're using Windows + ActiveDirectory?) and
> then you will be able to see the keycloak login screen and log in as a different
> user.
>
> Marek
>
> On 22.7.2015 15:38, Michael Gerber wrote:
>
> Hi all,
>
> I use LDAP with Kerberos and would like to log out and log in again as a
> different user (no kerberos login, just the keycloak username and password
> dialog).
> Is that possible?
>
> cheers
> Michael
>
>
> _______________________________________________
> keycloak-user mailing list keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
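As an added illustration of the logout-cookie idea floated in this thread (this is not Keycloak's own code, and it assumes a hypothetical Kerberos session identifier that the thread itself only speculates might exist), the decision logic would look roughly like this:

```python
"""Illustrative model of "remember the logout, don't silently re-negotiate
Kerberos" for a SPNEGO-enabled login flow. Added example only; the cookie
name and the notion of a per-desktop Kerberos session id are assumptions,
not Keycloak features."""
from typing import Dict, Optional

SKIP_COOKIE = "KEYCLOAK_SKIP_KERBEROS"  # assumed cookie name


def logout(cookies: Dict[str, str], kerberos_session_id: Optional[str]) -> Dict[str, str]:
    """Called when the user logs out of the web application.

    The browser's Kerberos ticket survives a web logout (it is tied to the
    desktop login, as Marek points out), so we record which desktop session
    the user logged out *from*. "no-session" marks a logout without a ticket.
    """
    updated = dict(cookies)
    updated[SKIP_COOKIE] = kerberos_session_id or "no-session"
    return updated


def choose_authenticator(cookies: Dict[str, str], kerberos_session_id: Optional[str]) -> str:
    """Pick the mechanism for the next visit: "kerberos" (attempt SPNEGO
    automatically) or "form" (show the username/password dialog)."""
    if kerberos_session_id is None:
        return "form"            # no ticket offered, nothing to negotiate
    marker = cookies.get(SKIP_COOKIE)
    if marker is None:
        return "kerberos"        # never logged out: normal desktop SSO
    if marker == kerberos_session_id:
        return "form"            # same desktop session the user logged out of
    return "kerberos"            # desktop session changed: auto-login is fine again
```

The marker only suppresses SPNEGO for the desktop session it was set in; a fresh desktop login (new session id) restores silent SSO, which is the "automatically login if the user's Kerberos session has changed" behaviour described above.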