Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-1727

LDAP with Kerberos, login with different user

    XMLWordPrintable

    Details

    • Type: Feature Request
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Out of Date
    • Affects Version/s: 1.4.0.Final
    • Fix Version/s: None
    • Component/s: None
    • Labels:

      Description

      Yes, feel free to create JIRA with the link to this discussion.

      Marek

      On 28.7.2015 08:03, Michael Gerber wrote:
      Should I create a Jira issue for that task?
      Or will you anyway implement something in this direction?

      Am 24. Juli 2015 um 09:57 schrieb Stian Thorgersen <stian@redhat.com>:

      ----- Original Message -----

      From: "Marek Posolda" <mposolda@redhat.com>
      To: "Raghu Prabhala" <prabhalar@yahoo.com>, "Bill Burke" <bburke@redhat.com>
      Cc: "Stian Thorgersen" <stian@redhat.com>, keycloak-user@lists.jboss.org
      Sent: Friday, 24 July, 2015 9:49:45 AM
      Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user

      Support for prompt=select_account will be cool. Another suggestion for
      adding query parameter for skip some mechanisms (like
      skipAuthMechanism=cookie,kerberos ) might be good too.

      That'll only make sense if we also add support to
      allow multiple accounts, which could be fairly easy on
      the server-side, but much harder to support in
      adapters.

      Not sure if we need to support both, but IMO it will be good to have
      solution not tightly coupled to Kerberos. I can imagine similar
      situation with other login mechanisms as well. For example with
      authenticating users by certificate, admin may also want to skip
      automatic login with the certificate from his browser and instead login
      with username/password form.

      Marek

      On 23.7.2015 17:43, Raghu Prabhala wrote:
      > The select account prompt wouldn't work for us as some of our applications
      > require that the user login only by entering userid/pw but your other
      > suggestion might work as long as we do the Kerberos authentication using
      > Id/ow
      >
      > Sent from my iPhone
      >
      >> On Jul 23, 2015, at 11:28 AM, Bill Burke <bburke@redhat.com> wrote:
      >>
      >> All this interaction is defined by the SAML and OIDC specifications.
      >> Logout redirects you back to the application and its up to the
      >> application what to do next. We could add a query param that if it is
      >> set, to not do kerberos. This could be in addition to the "login
      >> automatically" flag.
      >>
      >>
      >>> On 7/23/2015 11:14 AM, Raghu Prabhala wrote:
      >>> Why can't we have two separate authentication mechanisms - one IWA, in
      >>> which case the user is logged in automatically and on logout he is taken
      >>> to a login page where a diff userid can be entered and two, a login page
      >>> that allows userid/password? That would address our use case.
      >>>
      >>>
      >>>
      >>> Sent from my iPhone
      >>>
      >>>> On Jul 23, 2015, at 10:50 AM, Marek Posolda <mposolda@redhat.com> wrote:
      >>>>
      >>>> Maybe it can be configurable for the kerberos mechanism? Just the flag
      >>>> "login automatically" . If it's off, another confirmation screen for the
      >>>> user will be displayed?
      >>>>
      >>>> Marek
      >>>>
      >>>>> On 23.7.2015 16:36, Stian Thorgersen wrote:
      >>>>> "Is this you?"
      >>>>>
      >>>>> ----- Original Message -----
      >>>>>> From: "Bill Burke" <bburke@redhat.com>
      >>>>>> To: keycloak-user@lists.jboss.org
      >>>>>> Sent: Thursday, 23 July, 2015 4:02:53 PM
      >>>>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different
      >>>>>> user
      >>>>>>
      >>>>>> With the new flows, we could detect a kerberos login then ask if they
      >>>>>> want to login as that user or another.
      >>>>>>
      >>>>>>> On 7/23/2015 2:26 AM, Marek Posolda wrote:
      >>>>>>> Do you want that for normal users or just for admin users? Just
      >>>>>>> trying
      >>>>>>> to understand the usecase. Because AFAIK the point of kerberos is,
      >>>>>>> that
      >>>>>>> you login into the desktop and then you're automatically logged into
      >>>>>>> integrated web applications without need to deal with any login
      >>>>>>> screens
      >>>>>>> and username/password. When user has just one keycloak account
      >>>>>>> corresponding to his kerberos ticket, then why he need to login as
      >>>>>>> different user?
      >>>>>>>
      >>>>>>> I can understand the usecase for admin, when you want to login as
      >>>>>>> different user for testing purpose etc. For this, isn't it possible
      >>>>>>> in
      >>>>>>> windows to do something like "kdestroy" to be able to login without
      >>>>>>> kerberos?
      >>>>>>>
      >>>>>>> Marek
      >>>>>>>
      >>>>>>>> On 23.7.2015 07:44, Michael Gerber wrote:
      >>>>>>>> Isn't it possible to create a cookie or add an url parameter after
      >>>>>>>> the
      >>>>>>>> logout, so the user is not logged in automatically?
      >>>>>>>>
      >>>>>>>> It's crucial for us to be able to log in as a different user,
      >>>>>>>> otherwise we can not use kerberos at all
      >>>>>>>>
      >>>>>>>> Michael
      >>>>>>>>
      >>>>>>>>> Am 22. Juli 2015 um 23:06 schrieb Marek Posolda
      >>>>>>>>> <mposolda@redhat.com>:
      >>>>>>>>>
      >>>>>>>>> I don't think it's doable. Kerberos is kind of desktop login and
      >>>>>>>>> logout from the web application won't destroy the kerberos ticket -
      >>>>>>>>> similarly like it can't logout your laptop/desktop session. So when
      >>>>>>>>> you visit the secured application next time, you are automatically
      >>>>>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket.
      >>>>>>>>>
      >>>>>>>>> Hence you need to remove kerberos ticket manually (For example
      >>>>>>>>> "kdestroy" works on Linux, but I guess you're using Windows +
      >>>>>>>>> ActiveDirectory? ) and then you will be able to see keycloak login
      >>>>>>>>> screen and login as different user.
      >>>>>>>>>
      >>>>>>>>> Marek
      >>>>>>>>>
      >>>>>>>>>> On 22.7.2015 15:38, Michael Gerber wrote:
      >>>>>>>>>> Hi all,
      >>>>>>>>>>
      >>>>>>>>>> I use LDAP with Kerberos and would like to logout and login again
      >>>>>>>>>> with a different user (no kerberos login, just keycloak username
      >>>>>>>>>> and
      >>>>>>>>>> password dialog).
      >>>>>>>>>> Is that possible?
      >>>>>>>>>>
      >>>>>>>>>> cheers
      >>>>>>>>>> Michael
      >>>>>>>>>>
      >>>>>>>>>>
      >>>>>>>>>> _______________________________________________
      >>>>>>>>>> keycloak-user mailing list
      >>>>>>>>>> keycloak-user@lists.jboss.org
      >>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
      >>>>>>>
      >>>>>>> _______________________________________________
      >>>>>>> keycloak-user mailing list
      >>>>>>> keycloak-user@lists.jboss.org
      >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
      >>>>>> –
      >>>>>> Bill Burke
      >>>>>> JBoss, a division of Red Hat
      >>>>>> http://bill.burkecentral.com
      >>>>>> _______________________________________________
      >>>>>> keycloak-user mailing list
      >>>>>> keycloak-user@lists.jboss.org
      >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
      >>>>> _______________________________________________
      >>>>> keycloak-user mailing list
      >>>>> keycloak-user@lists.jboss.org
      >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
      >>>> _______________________________________________
      >>>> keycloak-user mailing list
      >>>> keycloak-user@lists.jboss.org
      >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
      >> –
      >> Bill Burke
      >> JBoss, a division of Red Hat
      >> http://bill.burkecentral.com

      _______________________________________________

      keycloak-user mailing list

      keycloak-user@lists.jboss.org

      https://lists.jboss.org/mailman/listinfo/keycloak-user

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              gerbermichi Michael Gerber (Inactive)
              Votes:
              5 Vote for this issue
              Watchers:
              9 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: