[keycloak-user] kc_idp_hint for Kerberos

Marek Posolda mposolda at redhat.com
Thu Mar 16 03:23:47 EDT 2017


On 15/03/17 20:44, Glenn Campbell wrote:
> Thank you for the info. I'm looking forward to the release that has 
> the authentication levels. It sounds like it might be helpful for one 
> of my other needs. In my app I have a "super sensitive" section where 
> the user is required to re-authenticate every time they access it.
Yes, that's another kind of use-case for it.
>
> In the meantime I may look into setting up identity brokering to ADFS 
> and have the Kerberos authentication happen there instead of directly 
> in Keycloak. I haven't yet thought through all of the ramifications 
> but at least I should have the ability to use kc_idp_hint=login to get 
> a Keycloak login page where I can log in as my admin user.
Yep. You can also use another Keycloak instance (or just a different realm) 
and broker with it. Brokering Keycloak against Keycloak works fine.

Btw. I would personally rather go with subclassing SpnegoAuthenticator, 
but it all depends on your Authentication SPI knowledge, preferences, 
deployment requirements etc... For example you can attach the parameter 
"scope=admin_login" when you invoke secured URL of your application. 
Keycloak will then re-send the scope parameter and in the authenticator 
you can retrieve it via: 
clientSession.getNote(OIDCLoginProtocol.SCOPE_PARAM);

Then you can decide whether to skip this authenticator and just call 
authenticationContext.attempted(), or whether to try it and just call super. 
We also have some example authentication SPI providers in the directory 
"providers" of keycloak-examples distribution.

Marek
>
> Thanks again for your help.
>
> On Tue, Mar 14, 2017 at 3:40 PM, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     I see your concerns. ATM there is nothing available OOTB, but OIDC
>     specification has some support for authentication levels, which we
>     plan to add. Then you will be able to define in your application
>     if you want "normal" level login (which can use Kerberos) or
>     "admin" level login (which won't use kerberos).
>
>     Until that, you will need to subclass SpnegoAuthenticator and do
>     something on your own.
>
>     Marek
>
>
>     On 14/03/17 13:52, Glenn Campbell wrote:
>
>         Is there some mechanism similar to kc_idp_hint=login that will
>         let me skip
>         authentication via Kerberos ticket and let me log in via the
>         Keycloak login
>         page?
>
>         My situation is that I have admin user accounts in my
>         application but users
>         don't log in to Windows with these accounts. So UserA logs in
>         to Windows
>         with his UserA account but sometimes needs to log in to my
>         application as
>         AdminX.
>
>         I see that I can use impersonation from the Keycloak admin
>         console to
>         impersonate AdminX and then open a browser tab and go to my
>         application and
>         I'll be logged in to my application as AdminX. But this
>         strategy is a
>         little inconvenient for users to use on a daily basis. Not
>         horrible by any
>         means but I'm sure I'll get some complaints. More importantly
>         these users
>         are admins in my application but they are not Keycloak admins
>         and I'd
>         rather not have them mucking around in the Keycloak admin console.
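The SpnegoAuthenticator subclass Marek sketches above, written out as an added example (not code from the thread or from the Keycloak project). It assumes the `scope=admin_login` value from the thread, the Keycloak 3.x accessor `context.getClientSession().getNote(...)` that matches `clientSession.getNote(OIDCLoginProtocol.SCOPE_PARAM)` in the mail (newer releases expose the same note via `getAuthenticationSession().getClientNote(...)`), and a hypothetical provider id and package name.

```java
package com.example.keycloak.auth; // hypothetical package, not part of Keycloak

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator;
import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticatorFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;

/**
 * Kerberos (SPNEGO) authenticator that steps aside when the client asked for
 * an "admin_login" scope, so the flow falls through to the next authenticator
 * (normally the username/password form). The scope is client-supplied, so it
 * can only make login stricter (skip the ticket, demand credentials); it never
 * grants anything by itself.
 */
public class ScopeAwareSpnegoAuthenticator extends SpnegoAuthenticator {

    static final String ADMIN_LOGIN_SCOPE = "admin_login"; // value used in the thread

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Keycloak re-sends the OIDC "scope" request parameter as a client session note.
        String scope = context.getClientSession().getNote(OIDCLoginProtocol.SCOPE_PARAM);
        if (requestsAdminLogin(scope)) {
            context.attempted(); // mark as not handled; flow moves on to the next step
            return;
        }
        super.authenticate(context); // normal Kerberos ticket negotiation
    }

    /** "scope" is a space-separated list; match on whole tokens only. */
    static boolean requestsAdminLogin(String scope) {
        if (scope == null) return false;
        for (String token : scope.trim().split("\\s+")) {
            if (ADMIN_LOGIN_SCOPE.equals(token)) return true;
        }
        return false;
    }
}

/** Factory registered via META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
class ScopeAwareSpnegoAuthenticatorFactory extends SpnegoAuthenticatorFactory {
    public static final String PROVIDER_ID = "auth-spnego-scope-aware"; // hypothetical id

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Kerberos (scope-aware)"; }
    @Override public Authenticator create(KeycloakSession session) {
        return new ScopeAwareSpnegoAuthenticator();
    }
}
```

Swap this provider in for the built-in Kerberos step of the browser flow; the application then requests `scope=admin_login` on the URL whose login must not be satisfied by the Windows ticket.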