[keycloak-user] LDAP with Kerberos, login with different user

Bill Burke bburke at redhat.com
Thu Jul 23 11:31:32 EDT 2015


OpenID Connect has prompt=select_account query param.  If this is sent, 
we could automatically display the "Is this you?" page for kerberos.

On 7/23/2015 11:28 AM, Bill Burke wrote:
> All this interaction is defined by the SAML and OIDC specifications.
> Logout redirects you back to the application and it's up to the
> application what to do next.  We could add a query param that, if it is
> set, skips kerberos.  This could be in addition to the "login
> automatically" flag.
>
>
> On 7/23/2015 11:14 AM, Raghu Prabhala wrote:
>> Why can't we have two separate authentication mechanisms: one, IWA, in which case the user is logged in automatically and on logout is taken to a login page where a different userid can be entered; and two, a login page that allows userid/password? That would address our use case.
>>
>>
>>
>> Sent from my iPhone
>>
>>> On Jul 23, 2015, at 10:50 AM, Marek Posolda <mposolda at redhat.com> wrote:
>>>
>>> Maybe it can be configurable for the kerberos mechanism? Just the flag
>>> "login automatically" . If it's off, another confirmation screen for the
>>> user will be displayed?
>>>
>>> Marek
>>>
>>>> On 23.7.2015 16:36, Stian Thorgersen wrote:
>>>> "Is this you?"
>>>>
>>>> ----- Original Message -----
>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>> To: keycloak-user at lists.jboss.org
>>>>> Sent: Thursday, 23 July, 2015 4:02:53 PM
>>>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
>>>>>
>>>>> With the new flows, we could detect a kerberos login then ask if they
>>>>> want to log in as that user or another.
>>>>>
>>>>>> On 7/23/2015 2:26 AM, Marek Posolda wrote:
>>>>>> Do you want that for normal users or just for admin users? Just trying
>>>>>> to understand the use case. Because AFAIK the point of kerberos is that
>>>>>> you log into the desktop and are then automatically logged into
>>>>>> integrated web applications without needing to deal with any login screens
>>>>>> or username/password. When a user has just one keycloak account
>>>>>> corresponding to his kerberos ticket, why does he need to log in as a
>>>>>> different user?
>>>>>>
>>>>>> I can understand the use case for an admin, when you want to log in as a
>>>>>> different user for testing purposes etc. For this, isn't it possible in
>>>>>> Windows to do something like "kdestroy" to be able to log in without
>>>>>> kerberos?
>>>>>>
>>>>>> Marek
>>>>>>
>>>>>>> On 23.7.2015 07:44, Michael Gerber wrote:
>>>>>>> Isn't it possible to create a cookie or add a URL parameter after the
>>>>>>> logout, so the user is not logged in automatically?
>>>>>>>
>>>>>>> It's crucial for us to be able to log in as a different user,
>>>>>>> otherwise we can not use kerberos at all :(
>>>>>>>
>>>>>>> Michael
>>>>>>>
>>>>>>>> Am 22. Juli 2015 um 23:06 schrieb Marek Posolda <mposolda at redhat.com>:
>>>>>>>>
>>>>>>>> I don't think it's doable. Kerberos is a kind of desktop login, and
>>>>>>>> logout from the web application won't destroy the kerberos ticket -
>>>>>>>> similarly, it can't log out your laptop/desktop session. So when
>>>>>>>> you visit the secured application next time, you are automatically
>>>>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket.
>>>>>>>>
>>>>>>>> Hence you need to remove the kerberos ticket manually (for example
>>>>>>>> "kdestroy" works on Linux, but I guess you're using Windows +
>>>>>>>> ActiveDirectory?) and then you will be able to see the keycloak login
>>>>>>>> screen and log in as a different user.
>>>>>>>>
>>>>>>>> Marek
>>>>>>>>
>>>>>>>>> On 22.7.2015 15:38, Michael Gerber wrote:
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> I use LDAP with Kerberos and would like to log out and log in again
>>>>>>>>> as a different user (no kerberos login, just the keycloak username and
>>>>>>>>> password dialog).
>>>>>>>>> Is that possible?
>>>>>>>>>
>>>>>>>>> cheers
>>>>>>>>> Michael
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-user mailing list
>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>> http://bill.burkecentral.com
>>>>>
>>>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
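The prompt=select_account idea from the message above, as an added example that is not Keycloak's own code: the relying party builds the OIDC authorization request with a prompt value, and the identity-provider side parses it and decides whether to accept the SPNEGO ticket silently, accept it and then show an "Is this you?" confirmation, or skip Kerberos and go straight to the username/password form. The endpoint URL, realm, client id, the "login automatically" flag, and the decision table itself (in particular treating prompt=login as "do not use the cached ticket") are assumptions made for illustration, not Keycloak behaviour.

```python
"""Added example (not Keycloak code): OIDC 'prompt' handling for a
Kerberos/SPNEGO-backed identity provider, as discussed in the thread."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed Keycloak URL layout; host and realm are placeholders.
AUTH_ENDPOINT = ("https://sso.example.com/auth/realms/demo"
                 "/protocol/openid-connect/auth")

# Prompt values defined by OpenID Connect Core 1.0, section 3.1.2.1.
VALID_PROMPTS = {"none", "login", "consent", "select_account"}


def build_auth_url(client_id, redirect_uri, prompt=(), state=None, nonce=None):
    """Relying-party side: build the authorization request URL.

    `prompt` is a sequence of OIDC prompt values.  The parameter is
    space-delimited, and 'none' must not be combined with any other value.
    """
    prompt = set(prompt)
    unknown = prompt - VALID_PROMPTS
    if unknown:
        raise ValueError(f"unknown prompt values: {sorted(unknown)}")
    if "none" in prompt and len(prompt) > 1:
        raise ValueError("prompt=none cannot be combined with other values")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        # state binds the response to this browser session (CSRF defence);
        # nonce is echoed in the ID token so a replayed token is detectable.
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    if prompt:
        params["prompt"] = " ".join(sorted(prompt))
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_prompt(request_url):
    """IdP side: extract the set of prompt values from an incoming request."""
    query = parse_qs(urlsplit(request_url).query)
    raw = query.get("prompt", [""])[0]
    return set(raw.split())


def kerberos_decision(prompt_values, login_automatically=True):
    """IdP side: what to do when the browser can present a Kerberos ticket.

    Returns one of
      'auto'    accept the SPNEGO ticket and log the user in silently
      'confirm' accept the ticket, then show the "Is this you?" page that
                lets the user keep that account or fall through to the form
      'form'    skip SPNEGO altogether and show the username/password form

    The mapping is this example's assumption: select_account asks for an
    account chooser, login asks for a fresh interactive authentication
    (a cached ticket is not that), and none forbids any UI, so only the
    silent SPNEGO path remains.  login_automatically stands in for the
    realm-level flag proposed in the thread.
    """
    if "none" in prompt_values and len(prompt_values) > 1:
        # Malformed per the spec; a real IdP would answer with an OIDC error.
        raise ValueError("prompt=none combined with other values")
    if "login" in prompt_values:
        return "form"
    if "select_account" in prompt_values:
        return "confirm"
    if "none" in prompt_values:
        return "auto"
    return "auto" if login_automatically else "confirm"


if __name__ == "__main__":
    url = build_auth_url("webapp", "https://app.example.com/callback",
                         prompt=["select_account"])
    print(url)
    print(kerberos_decision(parse_prompt(url)))
```

Because `prompt` is a space-delimited list, the builder joins the values with a space, `urlencode` turns that into `+`, and `parse_qs` on the receiving side turns it back, so a request such as prompt=select_account can be recognised whatever else the client sent alongside it.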

