apache2/idp kerberos RemoteUserInternal with Password flow fallback
Raffael Sahli
sahli at gyselroth.com
Wed May 13 10:36:06 EDT 2015
On 05/13/2015 04:13 PM, Cantor, Scott wrote:
> On 5/13/15, 9:54 AM, "Raffael Sahli" <sahli at gyselroth.com> wrote:
>
>
>> How can I configure the IdP to allow both RemoteUserInternal (apache2
>> krb5) and, as a fallback, the Password flow?
> I don't think it's anything close to that simple with SPNEGO, but I have
> no experience with it. I just know it doesn't have fallback capabilities
> unless you do all the work and build extra UI to manage that.
Yes, sadly it's a problem of the webserver. It would be nice if we could
configure it to optionally authenticate via KRB and, if no ticket is
available, execute the webapp anyway... ^^ (just to get the REMOTE_USER
header)
The problem is, I need the custom password web interface from the IdP and
can't use a simple username/password login prompt from the webserver.
> That's basically why it has to be done as a custom flow implemented in
> Java, which I know various people are working on prototypes of.
Are there any known (alpha) working prototypes?
Or, as another idea, is there a way to implement a custom URL in the IdP
web interface which points to a kerberized IdP login?
So by default I would get the normal IdP login page, which contains a
link like "Use System Credentials".
Regards
Raffael Sahli
>
> The RemoteUserInternal flow falls through to another one automatically.
>> If the browser sends valid kerberos credentials, apache2 should validate
>> it and the idp should execute the RemoteUserInternal flow.
>> If no kerberos ticket exists, the idp should execute the Password flow.
> That only works if Apache actually lets you through, and I doubt it will.
>
>> If I have a valid ticket, I get logged in using the RemoteUserInternal
>> flow.
>> But if I don't have a valid ticket, I get a 401 access denied error.
>> (And at this point I want to get the Password flow instead.)
>>
>> For sure this 401 is apache2 related, because no valid credentials were
>> sent to /idp/profile ...
> Right, which is why you can't do that with just that type of combination
> of components.
>
> -- Scott
>
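To make concrete the setup the thread describes, here is a constructed configuration (an added example, not from the posts or from the Shibboleth project): the IdP side enabling both flows, and the Apache side protecting /idp/profile with mod_auth_kerb. The realm, keytab path and hostname are placeholders, and it assumes Apache proxies to the IdP so that REMOTE_USER reaches the RemoteUserInternal flow.

```apache
# Constructed example (not from the original thread). Assumes IdP 3 behind
# Apache httpd with mod_auth_kerb; placeholder realm and keytab path.
#
# idp.properties: list both flows. RemoteUserInternal is tried first and,
# as Scott notes, falls through to Password when REMOTE_USER is not set:
#
#   idp.authn.flows = RemoteUserInternal|Password
#
# Apache site configuration for the IdP profile endpoints:
<Location /idp/profile>
    AuthType Kerberos
    AuthName "Kerberos Login"
    # Placeholder realm and keytab
    KrbAuthRealms EXAMPLE.ORG
    Krb5Keytab /etc/httpd/idp.keytab
    # Accept SPNEGO tickets only; no fallback to a basic-auth password prompt,
    # since the IdP's own Password flow should handle username/password.
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    # This directive is where the 401 in the thread comes from: a browser
    # without a ticket is rejected by Apache before the request ever reaches
    # the IdP, so the Password flow fallback is never evaluated.
    Require valid-user
</Location>
```

The IdP-side fallback only helps once the request actually reaches the IdP; with Require valid-user on /idp/profile that never happens for ticketless browsers, which is the limitation discussed above.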