[keycloak-user] LDAP with Kerberos, login with different user

Bill Burke bburke at redhat.com
Thu Jul 23 10:02:53 EDT 2015


With the new flows, we could detect a Kerberos login and then ask if they 
want to log in as that user or another.

On 7/23/2015 2:26 AM, Marek Posolda wrote:
> Do you want that for normal users or just for admin users? Just trying
> to understand the use case. Because AFAIK the point of Kerberos is that
> you log in to the desktop and then you're automatically logged into
> integrated web applications without needing to deal with any login screens
> and username/password. When a user has just one Keycloak account
> corresponding to his Kerberos ticket, then why does he need to log in as
> a different user?
>
> I can understand the use case for an admin, when you want to log in as a
> different user for testing purposes etc. For this, isn't it possible in
> Windows to do something like "kdestroy" to be able to log in without
> Kerberos?
>
> Marek
>
> On 23.7.2015 07:44, Michael Gerber wrote:
>> Isn't it possible to create a cookie or add a URL parameter after the
>> logout, so the user is not logged in automatically?
>>
>> It's crucial for us to be able to log in as a different user,
>> otherwise we cannot use Kerberos at all :(
>>
>> Michael
>>
>> On 22 July 2015 at 23:06, Marek Posolda <mposolda at redhat.com> wrote:
>>
>>> I don't think it's doable. Kerberos is a kind of desktop login, and
>>> logout from the web application won't destroy the Kerberos ticket,
>>> just as it can't log out your laptop/desktop session. So when
>>> you visit the secured application next time, you are automatically
>>> logged into Keycloak through SPNEGO due to the Kerberos ticket.
>>>
>>> Hence you need to remove the Kerberos ticket manually (for example
>>> "kdestroy" works on Linux, but I guess you're using Windows +
>>> Active Directory?) and then you will be able to see the Keycloak login
>>> screen and log in as a different user.
>>>
>>> Marek
>>>
>>> On 22.7.2015 15:38, Michael Gerber wrote:
>>>> Hi all,
>>>>
>>>> I use LDAP with Kerberos and would like to log out and log in again
>>>> with a different user (no Kerberos login, just the Keycloak username and
>>>> password dialog).
>>>> Is that possible?
>>>>
>>>> cheers
>>>> Michael
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
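
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Keycloak code: a simulated SPNEGO exchange showing why a web logout alone leads straight back to the Kerberos user, and how the post-logout cookie suggested above would surface the login form instead. The cookie name, token format and class names are assumptions; no real Kerberos validation is performed.

```python
# Simulation only: no real Kerberos/GSS-API calls. SKIP_COOKIE and the
# token format are assumptions made for illustration.
SKIP_COOKIE = "KC_SKIP_SPNEGO"  # hypothetical cookie name


class Browser:
    """Client with a desktop Kerberos ticket cache and a cookie jar."""

    def __init__(self, ticket_principal=None):
        self.ticket_principal = ticket_principal  # None after e.g. kdestroy
        self.cookies = {}

    def get(self, server):
        status, headers, body = server.handle({}, self.cookies)
        # A browser configured for SPNEGO answers the challenge silently
        # whenever the ticket cache can produce a service ticket.
        challenged = status == 401 and headers.get("WWW-Authenticate") == "Negotiate"
        if challenged and self.ticket_principal:
            token = "Negotiate constructed-token-for:" + self.ticket_principal
            status, headers, body = server.handle({"Authorization": token}, self.cookies)
        return status, body


class LoginServer:
    def handle(self, headers, cookies):
        auth = headers.get("Authorization", "")
        if auth.startswith("Negotiate "):
            # A real server validates the token via GSS-API; here it is parsed.
            principal = auth.split("for:", 1)[1]
            return 200, {}, "logged in as " + principal
        if cookies.get(SKIP_COOKIE) == "1":
            # Marker set at logout: do not challenge, show the form instead.
            return 200, {}, "login form"
        # The 401 body carries the form for clients that cannot negotiate.
        return 401, {"WWW-Authenticate": "Negotiate"}, "login form"

    def logout(self, browser, suppress_spnego):
        # Web logout cannot touch the ticket cache; it can only set a cookie.
        if suppress_spnego:
            browser.cookies[SKIP_COOKIE] = "1"


def visit_after_logout(suppress_spnego, principal="alice@EXAMPLE.COM"):
    browser, server = Browser(principal), LoginServer()
    server.logout(browser, suppress_spnego)
    return browser.get(server)
```

The marker cookie only suppresses the challenge and grants nothing by itself, so a client that forges or drops it merely chooses between the form and SPNEGO.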

