apache2/idp kerberos RemoteUserInternal with Password flow fallback

Raffael Sahli sahli at gyselroth.com
Wed May 13 05:54:12 EDT 2015


How can I configure the idp to allow both, RemoteUserInternal (apache2
krb5) and as fallback the Password Flow ?
If the browser sends valid kerberos credentials, apache2 should validate
it and the idp should execute the RemoteUserInternal flow.
If no kerberos ticket exists, the idp should execute the Password flow.

I got both working, but not both at the same time. The Password flow
fallback is not working.

<Location /idp/profile>
    AuthType Kerberos
    AuthName "SAML2 ECP"

    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthoritative Off
    KrbVerifyKDC On
    Krb5KeyTab /etc/apache2/http.keytab
   require valid-user

idp.authn.flows= RemoteUserInternal|Password 
idp.authn.flows.initial = RemoteUserInternal|Password

If I have a valid ticket, I get logged in using the RemoteUserInternal flow.
But If I haven't a valid ticket, I'll get a 401 access denied error.
(And at this point I want to get the Password flow instead)

For sure this 401 is apache2 related, because no valid credentials were
sent to /idp/profile ...

This wiki article
takes the following location instead /idp/profile "

<Location /idp/profile/SAML2/SOAP/ECP>

But with this one I'll always get the Password flow, even with a valid
krb5 ticket.


Raffael Sahli

More information about the users mailing list