apache2/idp kerberos RemoteUserInternal with Password flow fallback

Raffael Sahli sahli at gyselroth.com
Tue May 19 03:57:20 EDT 2015

On 05/13/2015 04:43 PM, Cantor, Scott wrote:
> On 5/13/15, 2:36 PM, "Raffael Sahli" <sahli at gyselroth.com> wrote:
> A quick and dirty way is to make the user choose, by starting with 
> Password as the default, and provide a button to click that opts-in to 
> using the other flow. You can do that by signaling you want that flow to 
> run, which is discussed in the documentation as an advanced feature.
>> Are there any known (alpha) working prototypes?
> Not that I know of.
>> Or as another idea, is there a way to implement a custom url in the idp
>> webinterface, which points to a kerberized idp login?
>> So per default, I would get the normal idp login page, which contains a
>> Link like "Use System Credentials".
> More or less what I said above, it's covered in the wiki. You need to add 
> a link or button to trigger the right webflow event ID to signal the flow 
> to run. But your users, unless they're technical people (and even then...) 
> won't really understand this and it still won't have reasonable error 
> handling properties.

Hm okay I probably go with the button to trigger the flow, seems like
the best for now.

I'm not sure if I understand the wiki part correctly, but I should call
it with _eventId_authn/RemoteUser ?

2015-05-19 09:50:37,077 - INFO
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:121] - Profile
Action SelectAuthenticationFlow: Moving incomplete flow authn/Password
to intermediate set
2015-05-19 09:50:37,078 - ERROR
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:158] - Profile
Action SelectAuthenticationFlow: Signaled flow authn/RemoteUser is not
2015-05-19 09:50:37,086 - DEBUG
- Error event NoPotentialFlow will be handled with response

Did I miss something?


idp.authn.flows           = RemoteUser|Password
idp.authn.flows.initial  = Password

Raffael Sahli

More information about the users mailing list