apache2/idp kerberos RemoteUserInternal with Password flow fallback
cantor.2 at osu.edu
Wed May 13 10:13:39 EDT 2015
On 5/13/15, 9:54 AM, "Raffael Sahli" <sahli at gyselroth.com> wrote:
>How can I configure the idp to allow both, RemoteUserInternal (apache2
>krb5) and as fallback the Password Flow ?
I don't think it's anything close to that simple with SPNEGO, but I have
no experience with it. I just know it doesn't have fallback capabilities
unless you do all the work and build extra UI to manage that. That's
basically why it has to be done as a custom flow implemented in Java,
which I know various people are working on prototypes of.
The RemoteUserInternal flow falls through to another one automatically.
>If the browser sends valid kerberos credentials, apache2 should validate
>it and the idp should execute the RemoteUserInternal flow.
>If no kerberos ticket exists, the idp should execute the Password flow.
That only works if Apache actually lets you through, and I doubt it will.
>If I have a valid ticket, I get logged in using the RemoteUserInternal
>But If I haven't a valid ticket, I'll get a 401 access denied error.
>(And at this point I want to get the Password flow instead)
>For sure this 401 is apache2 related, because no valid credentials were
>sent to /idp/profile ...
Right, which is why you can't do that with just that type of combination
More information about the users