[keycloak-user] Option to disable SPNEGO

Ryan Slominski ryans at jlab.org
Tue Mar 26 16:02:51 EDT 2019


With the "LDAP" User Storage Provider you can configure authentication with a Kerberos password, but disable SPNEGO. The admin web interface labels this "Allow Kerberos Authentication" (seems like a bad label). However, with the "Kerberos" User Storage Provider there is no such option. Is there a reason, or can this be added?

Going a step further, the option to request SPNEGO be disabled via URL parameter (regardless of LDAP vs Kerberos User Storage Provider) was discussed years ago (http://lists.jboss.org/pipermail/keycloak-dev/2015-October/005399.html) with no resolution. Where are we with this? Either the parameter approach or some sort of support for "Switch User" would be appreciated because it is very tricky to accommodate with the current API. Currently I'm using a brokered identity provider which is a duplicate of the primary realm minus SPNEGO support. Then client applications are coded with a "switch user" link that uses the idp_hint parameter to indicate the special su brokered realm be used. Seems unnecessarily complex. Maybe I'm missing something easier?

