Unexpected behaviours with matchExpression and SPNEGO and RemoteUser

Simon Lundström simlu at su.se
Fri May 12 10:20:11 EDT 2017


We've started to use matchExpression on Password, SPNEGO and RemoteUser
authentication flows to limit what account names (and thus types, in our case)
can be used on an IDP (we have multiple IDPs using the same account

For Password it works as we expect it to. Users enter a wrongly
formatted username and get an error that it's wrong and how they should
enter it, see logs: <https://ptpb.pw/AF0Sd-MMAxtmGeQ92OWjFYTGVINn>.

For SPNEGO on the other hand we get no error back to the user whatsoever.
It just "reloads" the login page and the last number in the query
string "execution" adds two, e.g. from 6 to 8.
See logs: <https://ptpb.pw/AG20XJFIg9kgd-R_Ih1_I55feKNs>

For RemoteUser we get sent back to the SP with an error message which is
more helpful, I mean status:AuthnFailed is clear, than the SPNEGO case
but the error message is not well suited for end users.
See logs and text from SP: <https://ptpb.pw/AGtyNV1KXQXQcT1KmLqAtmR01IBf>

Our matchExpression config is like in the examples and the relevant
config from idp.properties AFAICT is:
idp.authn.flows = RemoteUser|SPNEGO|Password

We expected that both SPNEGO and RemoteUser would behave as Password.
Are we doing something wrong?
Is this a bug?

Have a great weekend y'all!

- Simon


Simon Lundström
Section for Infrastructure

IT Services
Stockholm University
SE-106 91 Stockholm, Sweden
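For readers who do not have the IdP configuration in front of them, here is an added example (not from Simon's message and not the Shibboleth project's own files) of what a matchExpression setup of this kind looks like in an IdP 3.x deployment. The bean ids follow the naming pattern of the stock conf/authn/*-authn-config.xml files and the regexes are constructed; treat the file locations, ids and patterns as assumptions to check against your own IdP version. The example only restricts which account names each flow accepts; it does not change how a failed match is reported, which is the behaviour the message above is asking about.

```xml
<!-- Assumed file: conf/authn/password-authn-config.xml
     The stock file already declares the c: (constructor-arg) namespace.
     Constructed pattern: only lowercase local accounts of one realm. -->
<bean id="shibboleth.authn.Password.matchExpression"
      class="java.util.regex.Pattern" factory-method="compile"
      c:_0="^[a-z0-9]+@example\.org$" />

<!-- Assumed file: conf/authn/spnego-authn-config.xml
     Kerberos principals arrive with an uppercase realm, so the
     pattern differs from the Password one. -->
<bean id="shibboleth.authn.SPNEGO.matchExpression"
      class="java.util.regex.Pattern" factory-method="compile"
      c:_0="^[a-z0-9]+@EXAMPLE\.ORG$" />

<!-- Assumed file: conf/authn/remoteuser-authn-config.xml
     REMOTE_USER is whatever the container/web server set; restrict it
     to the same realm so a container misconfiguration cannot widen
     the set of accepted accounts. -->
<bean id="shibboleth.authn.RemoteUser.matchExpression"
      class="java.util.regex.Pattern" factory-method="compile"
      c:_0="^[a-z0-9]+@example\.org$" />

<!-- From idp.properties (as quoted in the message above): the order in
     which the IdP tries the flows. -->
<!-- idp.authn.flows = RemoteUser|SPNEGO|Password -->
```

When checking which flow rejected a name, set the net.shibboleth.idp.authn logger to DEBUG in conf/logback.xml (or raise idp.loglevel.idp) and look in idp-process.log for the matchExpression evaluation of each flow in turn; a SPNEGO or RemoteUser rejection then shows up there even when the browser only sees the page reload or a bare AuthnFailed status, which is what the observations above describe.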

