apache2/idp kerberos RemoteUserInternal with Password flow fallback

Cantor, Scott cantor.2 at osu.edu
Wed May 13 10:43:06 EDT 2015

On 5/13/15, 2:36 PM, "Raffael Sahli" <sahli at gyselroth.com> wrote:

>Yes sadly it's a problem of the webserver. Would be nice if we could
>configure it to optionally authenticate via KRB,
>if no ticket available, execute the webapp anyways...^^ (Just to get The

SPNEGO simply doesn't work that way, it's not designed for hybrid 

>The problem is, I need the custom password webinterface from the IdP and
>can't use a simple username/password login prompt from the webserver.

A quick and dirty way is to make the user choose, by starting with 
Password as the default, and provide a button to click that opts-in to 
using the other flow. You can do that by signaling you want that flow to 
run, which is discussed in the documentation as an advanced feature.

>Are there any known (alpha) working prototypes?

Not that I know of.

>Or as another idea, is there a way to implement a custom url in the idp
>webinterface, which points to a kerberized idp login?
>So per default, I would get the normal idp login page, which contains a
>Link like "Use System Credentials".

More or less what I said above, it's covered in the wiki. You need to add 
a link or button to trigger the right webflow event ID to signal the flow 
to run. But your users, unless they're technical people (and even then...) 
won't really understand this and it still won't have reasonable error 
handling properties.

-- Scott

More information about the users mailing list