Problem with SPNEGO after successful Kerberos auth

Cantor, Scott cantor.2 at
Thu Apr 21 11:08:00 EDT 2016

> Sorry for my confusion, I'm new to Shibboleth.

This is about SAML, moreso than Shibboleth, and how AuthnContext works.

> From what I read in the Shibboleth documentation, the SPNEGO auth flow
> allows users to be authenticated without ever typing their usernames or
> passwords,

In general, but more to the point it means that the IdP isn't authenticating the user via password, and that means the IdP should not be telling any SPs that it did.

> Am I right? Or maybe I misunderstand some part.

Yes, but that has nothing to do with your question. You asked why it's not working. It's not working because the SP explicitly required the IdP to use a method that satisfies the PasswordProtectedTransport AuthnContextClassRef. SPNEGO does not.

An SP requesting that, as a general rule, doesn't know what it's doing, and the fix is to get the SP to stop doing a dumb thing. The IdP is simply doing what it's asked to do, and there is no workaround that you *should* use there. You *can*, by telling the IdP to lie. I don't believe that's appropriate.

-- Scott
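As an added illustration (not part of the thread, and not Shibboleth's own code), the Python below models the decision Scott describes: the SP's AuthnRequest carries a RequestedAuthnContext, the IdP compares it against what its authentication flow can truthfully assert, and an honest IdP either asserts the class the flow actually performed or fails the request with the NoAuthnContext status rather than claiming PasswordProtectedTransport for a SPNEGO login. The AuthnContextClassRef URIs and the status URIs are the standard SAML 2.0 values; the mapping of flows to classes (`FLOW_CLASSES`), the minimal AuthnRequest documents and the SP entityID are constructed assumptions for the example, and only the `exact` comparison is handled.

```python
"""Honest AuthnContext handling at a SAML IdP (added example, not Shibboleth code)."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
PASSWORD_PROTECTED_TRANSPORT = AC + "PasswordProtectedTransport"
KERBEROS = AC + "Kerberos"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"

# Assumption (not from the thread): which classes each IdP flow can truthfully assert.
# A SPNEGO/Kerberos login never saw a password, so it must not map to
# PasswordProtectedTransport.
FLOW_CLASSES = {
    "Password": {PASSWORD_PROTECTED_TRANSPORT},
    "SPNEGO": {KERBEROS},
}


def requested_context(authn_request_xml):
    """Return (Comparison, [AuthnContextClassRef...]) from an AuthnRequest.

    (None, []) means the SP did not constrain the authentication method at all.
    """
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None, []
    refs = [(e.text or "").strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    return rac.get("Comparison", "exact"), refs


def flow_satisfies(flow, authn_request_xml, flow_classes=FLOW_CLASSES):
    """True if `flow` can meet the SP's requirement without lying."""
    comparison, refs = requested_context(authn_request_xml)
    if not refs:
        return True  # SP expressed no requirement; any flow is acceptable
    if comparison != "exact":
        # minimum/maximum/better need an ordering of classes this example does not define
        raise NotImplementedError(f"Comparison={comparison!r} not handled")
    return bool(flow_classes[flow] & set(refs))


def respond(flow, authn_request_xml, flow_classes=FLOW_CLASSES):
    """Return (status code, class to put in the AuthnStatement) for a completed login.

    The asserted class is always one the flow really performed. If the request
    cannot be met, answer NoAuthnContext instead of asserting the requested class.
    """
    if not flow_satisfies(flow, authn_request_xml, flow_classes):
        return STATUS_NO_AUTHN_CONTEXT, None
    _, refs = requested_context(authn_request_xml)
    performed = flow_classes[flow]
    chosen = next((r for r in refs if r in performed), None) or sorted(performed)[0]
    return STATUS_SUCCESS, chosen


def authn_request(context_class=None):
    """Constructed minimal AuthnRequest (not real SP output; signature etc. omitted)."""
    rac = ""
    if context_class:
        rac = ('<samlp:RequestedAuthnContext Comparison="exact">'
               f"<saml:AuthnContextClassRef>{context_class}</saml:AuthnContextClassRef>"
               "</samlp:RequestedAuthnContext>")
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            'ID="_constructed1" Version="2.0" IssueInstant="2016-04-21T15:08:00Z">'
            "<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>"
            f"{rac}</samlp:AuthnRequest>")


# The request from the thread: the SP insists on a password-based login.
BROKEN_REQUEST = authn_request(PASSWORD_PROTECTED_TRANSPORT)
# The fix Scott recommends: the SP stops requesting a class it does not need.
FIXED_REQUEST = authn_request()

if __name__ == "__main__":
    for label, req in (("broken", BROKEN_REQUEST), ("fixed", FIXED_REQUEST)):
        print(label, "SPNEGO ->", respond("SPNEGO", req))
        print(label, "Password ->", respond("Password", req))
```

Run stand-alone, the script shows the SPNEGO flow failing the "broken" request with NoAuthnContext and succeeding with the Kerberos class once the SP drops its RequestedAuthnContext; the Password flow satisfies both. The "lie" Scott rejects would be changing `FLOW_CLASSES["SPNEGO"]` to include PasswordProtectedTransport, which makes the request succeed by asserting something the IdP never did.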
