apache2/idp kerberos RemoteUserInternal with Password flow fallback

Raffael Sahli sahli at gyselroth.com
Wed May 13 10:36:06 EDT 2015

On 05/13/2015 04:13 PM, Cantor, Scott wrote:
> On 5/13/15, 9:54 AM, "Raffael Sahli" <sahli at gyselroth.com> wrote:
>> How can I configure the idp to allow both, RemoteUserInternal (apache2
>> krb5) and as fallback the Password Flow ?
> I don't think it's anything close to that simple with SPNEGO, but I have 
> no experience with it. I just know it doesn't have fallback capabilities 
> unless you do all the work and build extra UI to manage that. 
Yes sadly it's a problem of the webserver. Would be nice if we could
configure it to optionally authenticate via KRB,
if no ticket available, execute the webapp anyways...^^ (Just to get The

The problem is, I need the custom password webinterface from the IdP and
can't use a simple username/password login prompt
from the webserver.

basically why it has to be done as a custom flow implemented in Java, 
which I know various people are working on prototypes of.

Are there any known (alpha) working prototypes?

Or as another idea, is there a way to implement a custom url in the idp
webinterface, which points
to a kerberized idp login?
So per default, I would get the normal idp login page, which contains a
Link like "Use System Credentials".

Raffael Sahli

> The RemoteUserInternal flow falls through to another one automatically.

>> If the browser sends valid kerberos credentials, apache2 should validate
>> it and the idp should execute the RemoteUserInternal flow.
>> If no kerberos ticket exists, the idp should execute the Password flow.
> That only works if Apache actually lets you through, and I doubt it will.
>> If I have a valid ticket, I get logged in using the RemoteUserInternal 
>> flow.
>> But If I haven't a valid ticket, I'll get a 401 access denied error.
>> (And at this point I want to get the Password flow instead)
>> For sure this 401 is apache2 related, because no valid credentials were
>> sent to /idp/profile ...
> Right, which is why you can't do that with just that type of combination 
> of components.
> -- Scott

More information about the users mailing list