apache2/idp kerberos RemoteUserInternal with Password flow fallback

Cantor, Scott cantor.2 at osu.edu
Wed May 13 10:13:39 EDT 2015

On 5/13/15, 9:54 AM, "Raffael Sahli" <sahli at gyselroth.com> wrote:

>How can I configure the idp to allow both, RemoteUserInternal (apache2
>krb5) and as fallback the Password Flow ?

I don't think it's anything close to that simple with SPNEGO, but I have 
no experience with it. I just know it doesn't have fallback capabilities 
unless you do all the work and build extra UI to manage that. That's 
basically why it has to be done as a custom flow implemented in Java, 
which I know various people are working on prototypes of.

The RemoteUserInternal flow falls through to another one automatically.

>If the browser sends valid kerberos credentials, apache2 should validate
>it and the idp should execute the RemoteUserInternal flow.
>If no kerberos ticket exists, the idp should execute the Password flow.

That only works if Apache actually lets you through, and I doubt it will.

>If I have a valid ticket, I get logged in using the RemoteUserInternal 
>But If I haven't a valid ticket, I'll get a 401 access denied error.
>(And at this point I want to get the Password flow instead)
>For sure this 401 is apache2 related, because no valid credentials were
>sent to /idp/profile ...

Right, which is why you can't do that with just that type of combination 
of components.

-- Scott

More information about the users mailing list