Silently try more than one login handler with UnsolicitedSSO

Douglas E. Engert deengert at anl.gov
Thu Apr 25 11:36:14 EDT 2013



On 4/25/2013 10:18 AM, Cantor, Scott wrote:
> On 4/25/13 11:13 AM, "Douglas E. Engert" <deengert at anl.gov> wrote:
>
>> Now the issue is how to get the Kerberos Login Handler to
>> silently try SPNEGO, and if it fails, fall back to our normal
>> login page.
>
> I don't know anything of how SPNEGO works, but perhaps one could implement
> the SPNEGO via Apache and mod_auth_kerb, and have a custom login handler
> that looked for REMOTE_USER and if not set operated like the existing
> UserPass handler.

I have a separate e-mail to the Kerberos Login Handler contact person
asking my question in more detail. The Kerberos Login Handler in effect
does the SPNEGO, but it looks like when the handler fails,
it puts up a final page (customUnauthorized parameter), and then quits
the login process. I am hoping to have it put up the normal login page
that will let the user select user/password or X509 certificates.

>
> I have been led to think that SPNEGO in general has no effective error
> handling behavior and that if it doesn't work for everything it basically
> becomes a problem, but if not, the above might work.

The Kerberos login handler has some test pages to see if things are configured
for SPNEGO and has instructions on how to configure a number of
browsers, so there is some error handling.

In the situation we are looking at using this, the user will be on
a terminal server using the browser as we have set it up,
and having already authenticated to AD. So they will have tickets,
and SPNEGO should work 99% of the time. It's the 1% of the time
I want to cover with a fallback to the normal login page.

>
> -- Scott

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
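
The approach suggested in the quoted reply above (let the web server perform SPNEGO, then have the login handler look for REMOTE_USER and otherwise behave like a username/password handler), as an added example that is not part of the original thread and is not Shibboleth code. It is a Python WSGI handler; it assumes the front end sets REMOTE_USER only after a successful SPNEGO exchange and passes the request through otherwise, and `DEMO_USERS`, `resolve_principal` and the form field names are hypothetical.

```python
import hmac
from urllib.parse import parse_qs

# Constructed credential store for the demo; a real handler would call the
# existing username/password back end instead.
DEMO_USERS = {"alice": "correct horse"}

LOGIN_FORM = (b"<form method='post'>User <input name='username'> "
              b"Password <input type='password' name='password'>"
              b"<button>Log in</button></form>")


def resolve_principal(environ):
    """Return (principal, method), or (None, None) if the login page is needed."""
    # REMOTE_USER is placed in the environment by the web server after SPNEGO
    # succeeds. A client-sent "Remote-User:" header arrives as HTTP_REMOTE_USER
    # and is never consulted, so a browser cannot assert its own identity.
    user = (environ.get("REMOTE_USER") or "").strip()
    if user:
        return user, "spnego"
    # No Kerberos identity: fall back silently to the form-based path.
    if environ.get("REQUEST_METHOD") == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        raw = environ["wsgi.input"].read(size).decode("utf-8", "replace")
        form = parse_qs(raw)
        name = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        expected = DEMO_USERS.get(name)
        # Constant-time comparison; unknown users fail the same way.
        if expected is not None and hmac.compare_digest(
                expected.encode(), password.encode()):
            return name, "password"
    return None, None


def app(environ, start_response):
    """WSGI entry point: SSO if possible, otherwise show the normal login page."""
    principal, method = resolve_principal(environ)
    if principal is None:
        start_response("200 OK", [("Content-Type", "text/html")])
        return [LOGIN_FORM]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"authenticated {principal} via {method}".encode()]
```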

