RemoteAuth SSO issue

Cantor, Scott cantor.2 at osu.edu
Tue Jan 24 09:40:05 EST 2017


> I have spent quite a bit of time trying to diagnose the problem with no luck.  I
> haven't been able to reproduce it, although it happens pretty often
> according to the IDP logs.  And sometimes it leads to looping where I think
> the browser bounces back and forth between the SP and IDP.

If the SP is broken, it's certainly possible to loop.

> Since I cannot figure out the root cause, I need a band-aid. I would like to
> configure the IDP to detect and deal with this "unknown-user" situation
> more gracefully and securely.  Can I configure the IDP to respond to the
> browser with an error message when the user is "unknown-user" ?  That
> should halt authentication and prevent any looping. Any pointers to
> documentation for doing this?  Any other suggestions?

If you were on a supported version, then you could use a match expression to do a regex against the name to allow, but I'm not sure you could reverse the regex very easily. It's not actually a full Predicate bean, just a regex Pattern, so there's no simple "NOT" syntax.

Given that you're on an unsupported version that doesn't have that setting, you would probably just plug in a condition into the context-check interceptor to check the username and bail out there.

-- Scott
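One way to do what Scott describes in the last paragraph, as an added example that is not part of this thread and is not Shibboleth's shipped configuration: a condition for the context-check interceptor that refuses to continue when the principal name taken from the remote-auth step is the "unknown-user" value the original poster sees. Everything here except the "unknown-user" string is an assumption: an IdP 3.x layout, the file `conf/intercept/context-check-intercept-config.xml`, the bean id `shibboleth.context-check.Condition`, the `shibboleth.Conditions.Scripted` parent with its `inlineScript` factory method, and the `SubjectContext` class name. Check each against your own version before relying on it.

```xml
<!-- Added example, not from the thread. Assumed location:
     conf/intercept/context-check-intercept-config.xml (IdP 3.x).
     The bean id, parent bean and factory method are assumed to exist
     on the version in use; verify against your own installation. -->
<bean id="shibboleth.context-check.Condition"
      parent="shibboleth.Conditions.Scripted"
      factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
        // 'input' is the ProfileRequestContext the interceptor hands to the condition.
        var subjectCtx = input.getSubcontext(
            "net.shibboleth.idp.authn.context.SubjectContext");
        var name = (subjectCtx != null) ? subjectCtx.getPrincipalName() : null;

        // The value of the script is the predicate result:
        //   true  -> the request proceeds as normal
        //   false -> the interceptor stops the flow with an error event,
        //            which ends the SP <-> IdP bounce instead of redirecting again.
        // A missing SubjectContext is treated as a failure as well, since a
        // request with no resolved principal should not be allowed through.
        name != null && !name.equals("unknown-user");
        ]]>
        </value>
    </constructor-arg>
</bean>
```

The interceptor only runs if `context-check` is listed among the post-authentication flows for the relying party (in `relying-party.xml`); that, too, is an assumption about the installed version. The practical effect is the band-aid the poster asked for: the IdP renders its error page to the browser rather than issuing another round-trip, and the denial shows up in the IdP log with the offending username, which is also the place to watch for how often the upstream remote-auth layer is producing the bogus value.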
