[keycloak-user] kc_idp_hint for Kerberos

Marek Posolda mposolda at redhat.com
Tue Mar 14 15:40:40 EDT 2017


I see your concerns. ATM there is nothing available OOTB, but the OIDC 
specification has some support for authentication levels, which we plan 
to add. Then you will be able to define in your application if you want 
"normal" level login (which can use Kerberos) or "admin" level login 
(which won't use Kerberos).

Until then, you will need to subclass SpnegoAuthenticator and do 
something on your own.

Marek

On 14/03/17 13:52, Glenn Campbell wrote:
> Is there some mechanism similar to kc_idp_hint=login that will let me skip
> authentication via Kerberos ticket and let me log in via the Keycloak login
> page?
>
> My situation is that I have admin user accounts in my application but users
> don't log in to Windows with these accounts. So UserA logs in to Windows
> with his UserA account but sometimes needs to log in to my application as
> AdminX.
>
> I see that I can use impersonation from the Keycloak admin console to
> impersonate AdminX and then open a browser tab and go to my application and
> I'll be logged in to my application as AdminX. But this strategy is a
> little inconvenient for users to use on a daily basis. Not horrible by any
> means but I'm sure I'll get some complaints. More importantly these users
> are admins in my application but they are not Keycloak admins and I'd
> rather not have them mucking around in the Keycloak admin console.



