apache2/idp kerberos RemoteUserInternal with Password flow fallback

Raffael Sahli sahli at gyselroth.com
Wed May 13 05:54:12 EDT 2015


Hi

How can I configure the idp to allow both RemoteUserInternal (apache2
krb5) and, as a fallback, the Password flow?
If the browser sends valid kerberos credentials, apache2 should validate
them and the idp should execute the RemoteUserInternal flow.
If no kerberos ticket exists, the idp should execute the Password flow.

I got both working, but not both at the same time. The Password flow
fallback is not working.


apache:
<Location /idp/profile>
    AuthType Kerberos
    AuthName "SAML2 ECP"

    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthoritative Off
    KrbVerifyKDC On
    Krb5KeyTab /etc/apache2/http.keytab

    require valid-user
</Location>


idp.properties:
idp.authn.flows = RemoteUserInternal|Password
idp.authn.flows.initial = RemoteUserInternal|Password



If I have a valid ticket, I get logged in using the RemoteUserInternal flow.
But if I don't have a valid ticket, I get a 401 access denied error.
(And at this point I want to get the Password flow instead.)

For sure this 401 is apache2 related, because no valid credentials were
sent to /idp/profile ...

This wiki article
https://wiki.shibboleth.net/confluence/display/IDP30/IDP3+ECP+with+Tomcat+and+Apache-Managed+Authentication
uses the following location instead of /idp/profile:

<Location /idp/profile/SAML2/SOAP/ECP>

But with this one I always get the Password flow, even with a valid
krb5 ticket.


Thanks!


Regards,
Raffael Sahli