Skip kerberos sso authentication in keycloak

In certain cases we need to skip automatic login through Kerberos.
According to the documentation this should be done through the parameter ?prompt=login:

prompt - Keycloak supports these settings:

  • login - SSO will be ignored and the Keycloak login page will be always shown, even if the user is already authenticated

This works in most cases (we also use a NTLM waffle implementation) but with Kerberos the user is always signed in automatically.

Any hint or idea why?
Are there alternative ways to force forwarding to the login page?

The reason I need to skip the Kerberos authentication is because I need to login with an admin-account where I have to enter username+password.

Additional information, we are using Keycloak.x version 14.0.0.


Maybe this could be a workaround: Create a new auth flow without cookie, without kerberos, just user+pw fields. Then create a new client, configure the client to use the new flow as browser flow (section “override…”). Then use the new client at your application when a an admin login is desired.


1 Like

Thank you for this workaround, I just created a feature-request with a possible solution on the code side.

Might be able to override the default SpnegoAuthenticator with a custom one containing the login parameter handling. I patched and tested it in a kerberos environment and it worked.

skip kerberos SSO authentication to use login-form