[keycloak-user] disable kerberos SSO when needed

Bill Burke bburke at redhat.com
Wed Aug 17 17:38:13 EDT 2016


You would need to create a custom authenticator that is like an account 
chooser page, i.e. two buttons: one says "login to kerberos", the other 
says "login to ldap".

A custom flow would look like this:

* Cookie Authenticator

* create an ALTERNATIVE sub flow

    * REQUIRED Account Chooser Custom authenticator page - if the 
      kerberos button is clicked, call AuthFlowContext.success(), otherwise 
      AuthFlowContext.attempted().  Attempted will abort this alternative flow.

    * REQUIRED Built in Kerberos Authenticator

* create another ALTERNATIVE sub flow

    * REQUIRED built in username/password authenticator

On 8/17/16 4:05 PM, Zhou, Limin (Ray) wrote:
>
> Hello
>
> Right now our Keycloak server was set up to do Kerberos authentication 
> with LDAP as backup, so in this case the users will get in 
> automatically from the company domain when they hit the URL. We have 
> application role definitions in Keycloak; if the user does not have 
> the role configured, then we want to log them out back to the default 
> Keycloak login page and let them try their LDAP user account.
>
> But because Kerberos authentication is always on top, right after we 
> log out the user, Kerberos will let them in automatically.
>
> Right now we are using keycloak.logout from keycloak.js to log out the user.
>
> I am wondering what is the good practice to achieve this?
>
> Any suggestions are welcome
>
> thanks
>
> raymond
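
The account chooser step from the reply above as a Keycloak `Authenticator` (an added example, not part of the thread and not Keycloak project code). The class name, the `account-chooser.ftl` template and its `method` form field are hypothetical; the template is assumed to post its two buttons to `${url.loginAction}`, and the class is assumed to be registered through an `AuthenticatorFactory`.

```java
// Added example, not Keycloak project code. Class, template and field names are hypothetical.
package example.auth;

import javax.ws.rs.core.MultivaluedMap; // jakarta.ws.rs.core on newer Keycloak releases
import javax.ws.rs.core.Response;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class AccountChooserAuthenticator implements Authenticator {

    static final String TEMPLATE = "account-chooser.ftl"; // hypothetical theme template
    static final String FIELD = "method";                 // hypothetical form field name
    static final String KERBEROS = "kerberos";            // value sent by the Kerberos button

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // First visit: show the two-button page before the Kerberos authenticator can run.
        Response page = context.form().createForm(TEMPLATE);
        context.challenge(page);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        // Only an exact match selects Kerberos; a missing or unknown value falls through.
        if (KERBEROS.equals(form.getFirst(FIELD))) {
            context.success();   // continue to the REQUIRED Kerberos authenticator
        } else {
            context.attempted(); // abort this sub flow so the username/password sub flow runs
        }
    }

    @Override
    public boolean requiresUser() { return false; } // runs before any user is identified

    @Override
    public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }

    @Override
    public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }

    @Override
    public void close() { }
}
```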
