apache2/idp kerberos RemoteUserInternal with Password flow fallback

Cantor, Scott cantor.2 at osu.edu
Tue May 19 08:57:39 EDT 2015


On 5/19/15, 8:50 AM, "Raffael Sahli" <sahli at gyselroth.com> wrote:

>Because then I get the RemoteUser flow immediately (right after
>redirection from the sp) instead the Password flow.
>How can I configure it to always execute the Password flow first and the
>RemoteUser flow only with the _eventId_authn param?

The order it tries them should be based on the order in the descriptor list. As long as the Password flow doesn't "fall into" the RemoteUser flow by returning something that turns into ReselectFlow, the other shouldn't run.

Using multiple flows is always going to be harder than just using one custom flow with all of the features desired. Trying to orchestrate things through code that doesn't really know what you're trying to achieve ends up creating as many problems any it solves. Code reuse is fine, but if you have the ability to code things up, one login flow is always better than two.

-- Scott



More information about the users mailing list