apache2/idp kerberos RemoteUserInternal with Password flow fallback
Cantor, Scott
cantor.2 at osu.edu
Wed May 13 10:43:06 EDT 2015
On 5/13/15, 2:36 PM, "Raffael Sahli" <sahli at gyselroth.com> wrote:
>Yes sadly it's a problem of the webserver. Would be nice if we could
>configure it to optionally authenticate via KRB,
>if no ticket available, execute the webapp anyways...^^ (Just to get the
>REMOTE_USER header)
SPNEGO simply doesn't work that way, it's not designed for hybrid
environments.
>The problem is, I need the custom password webinterface from the IdP and
>can't use a simple username/password login prompt from the webserver.
A quick and dirty way is to make the user choose, by starting with
Password as the default, and provide a button to click that opts in to
using the other flow. You can do that by signaling you want that flow to
run, which is discussed in the documentation as an advanced feature.
>Are there any known (alpha) working prototypes?
Not that I know of.
>Or as another idea, is there a way to implement a custom url in the idp
>webinterface, which points to a kerberized idp login?
>So per default, I would get the normal idp login page, which contains a
>Link like "Use System Credentials".
More or less what I said above, it's covered in the wiki. You need to add
a link or button to trigger the right webflow event ID to signal the flow
to run. But your users, unless they're technical people (and even then...)
won't really understand this and it still won't have reasonable error
handling properties.
-- Scott