[keycloak-user] kc_idp_hint for Kerberos

Glenn Campbell campbellg at teds.com
Wed Mar 15 15:44:42 EDT 2017


Thank you for the info. I'm looking forward to the release that has the
authentication levels. It sounds like it might be helpful for one of my
other needs. In my app I have a "super sensitive" section where the user is
required to re-authenticate every time they access it.

In the meantime I may look into setting up identity brokering to ADFS and
have the Kerberos authentication happen there instead of directly in
Keycloak. I haven't yet thought through all of the ramifications but at
least I should have the ability to use kc_idp_hint=login to get a Keycloak
login page where I can log in as my admin user.

Thanks again for your help.

On Tue, Mar 14, 2017 at 3:40 PM, Marek Posolda <mposolda at redhat.com> wrote:

> I see your concerns. ATM there is nothing available OOTB, but OIDC
> specification has some support for authentication levels, which we plan to
> add. Then you will be able to define in your application if you want
> "normal" level login (which can use Kerberos) or "admin" level login (which
> won't use Kerberos).
>
> Until that, you will need to subclass SpnegoAuthenticator and do something
> on your own.
>
> Marek
>
>
> On 14/03/17 13:52, Glenn Campbell wrote:
>
>> Is there some mechanism similar to kc_idp_hint=login that will let me skip
>> authentication via Kerberos ticket and let me log in via the Keycloak login page?
>>
>> My situation is that I have admin user accounts in my application but users
>> don't log in to Windows with these accounts. So UserA logs in to Windows
>> with his UserA account but sometimes needs to log in to my application as
>> AdminX.
>>
>> I see that I can use impersonation from the Keycloak admin console to
>> impersonate AdminX and then open a browser tab and go to my application and
>> I'll be logged in to my application as AdminX. But this strategy is a
>> little inconvenient for users to use on a daily basis. Not horrible by any
>> means but I'm sure I'll get some complaints. More importantly these users
>> are admins in my application but they are not Keycloak admins and I'd
>> rather not have them mucking around in the Keycloak admin console.
