[keycloak-user] disable kerberos SSO when needed

Bill Burke bburke at redhat.com
Thu Aug 18 15:10:13 EDT 2016 

Filipe, wouldn't you just have your Client Cert Authenticator be 
alternative and just use the "Forms" sub-flow structure that exists in 
the built in "Browser" flow?


On 8/18/16 2:33 PM, Filipe Lautert wrote:
> Hello
>
> I've a similar case to this one, but instead of using an account page 
> I use the ssl client certificate passed by Apache. I set up everything 
> as the example you provided, but even if in my "Account Chooser Custom 
> authenticator" I call AuthFlowContext.success() it is still showing me 
> the username/password form from the next alternative flow.
>
> I worked around it creating a class called 
> AlternativeUsernamePasswordFormFactory that 
> extends UsernamePasswordFormFactory, and the only change that I did to 
> it was to add the AuthenticationExecutionModel.Requirement.ALTERNATIVE 
> to the REQUIREMENT_CHOICES . Now, if I set this new auth type as 
> alternative in Keycloak, it does what I want.
>
> So my questions are: am I missing something to mark my Authenticator 
> as sufficient to end the flow and return to the client? if not, is 
> there a reason why UsernamePasswordFormFactory doesn't provide the 
> ALTERNATIVE option, and can it be added to this class?
>
> I'm posting this again os this thread as Ray may face the same issue 
> soon...
>
> Cheers
>
> filipe
>
> On Wed, Aug 17, 2016 at 6:38 PM Bill Burke <bburke at redhat.com 
> <mailto:bburke at redhat.com>> wrote:
>
>     You would need to create a custom authenticator that is like an
>     account chooser page, i.e. two buttons one says "login to
>     kerberos" the other says "login to ldap".
>
>     A custom flow would look like this:
>
>     * Cookie Authenticator
>
>     * create an ALTERNATIVE sub flow
>
>        * REQUIRED Account Chooser Custom authenticator page - if the
>     kerberos button is clicked, call AuthFlowContext.success()
>     otherwise AuthFLowContext.attempted().  Attempted will abort this
>     alternative flow
>
>        * REQUIRED Built in Kerberos Authenticator
>
>     * create another ALTERNATIVE sub flow
>
>        * REQUIRED built in username/password authenticator
>
>
>     On 8/17/16 4:05 PM, Zhou, Limin (Ray) wrote:
>>
>>     Hello
>>
>>     Right now our keycloak server was setup to do kerberos
>>     authentication with ldap as backup, so in this case, the user
>>     will get them in automatically
>>
>>     from the company domain when they hitting the URL, we have
>>     application role definitions in the keycloak, if the user does
>>     not have the role configured
>>
>>     then we want to logout them back to the default key cloack login
>>     page and let them try their LDAP user account.
>>
>>     But because kerberos authentication is always on the top, so
>>     right after we logout the user, the kerberos will let them in
>>     automatically
>>
>>     right now we are using keycloak.logout from keycloak.js to logout
>>     user
>>
>>     I am wondering what is the good practice to achieve this?
>>
>>     Any suggestions are welcome
>>
>>     thanks
>>
>>     raymond
>>
>>     ------------------------------------------------------------------------
>>     Moneris Solutions Corporation | 3300 Bloor Street West | Toronto
>>     | Ontario | M8X 2X2 | Canada www.moneris.com
>>     <http://www.moneris.com> 1-866-319-7450
>>     If you wish to unsubscribe from future updates from Moneris,
>>     please click here
>>     <https://www.moneris.com/en/About-Moneris/Contact-Moneris/Unsubscribe.aspx>.
>>     Please see the Moneris Privacy Policy here
>>     <http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx>.
>>
>>
>>     This e-mail may be privileged and/or confidential, and the sender
>>     does not waive any related rights and obligations. Any
>>     distribution, use or copying of this e-mail or the information it
>>     contains by other than an intended recipient is unauthorized. If
>>     you received this e-mail in error, please advise me (by return
>>     e-mail or otherwise) immediately.
>>     ------------------------------------------------------------------------
>>     Corporation Solutions Moneris | 3300, rue Bloor Ouest | Toronto |
>>     Ontario | M8X 2X2 | Canada www.moneris.com
>>     <http://www.moneris.com> 1-866-319-7450
>>     Si vous désirez enlever votre nom de la liste d’envoi de Moneris,
>>     veuillez cliquer ici
>>     <https://www.moneris.com/about-moneris/contact-moneris/unsubscribe?sc_lang=fr-CA>.
>>     Veuillez consulter la Politique de confidentialité de Moneris ici
>>     <http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx?sc_lang=fr-CA%20>.
>>
>>
>>     Ce courriel peut contenir des renseignements confidentiels ou
>>     privilégiés, et son expéditeur ne renonce à aucun droit ni à
>>     aucune obligation connexe. La distribution, l’utilisation ou la
>>     reproduction du présent courriel ou des renseignements qu’il
>>     contient par une personne autre que son destinataire prévu sont
>>     interdites. Si vous avez reçu ce courriel par erreur, veuillez
>>     m’en aviser immédiatement (par retour de courriel ou autrement).
>>
>>
>>     _______________________________________________
>>     keycloak-user mailing list
>>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> -- 
> filipe lautert

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160818/a81ec11b/attachment.html

More information about the keycloak-user mailing list