Unexpected behaviours with matchExpression and SPNEGO and RemoteUser
simlu at su.se
Fri May 12 10:20:11 EDT 2017
We've started to use matchExpression on Password, SPNEGO and RemoteUser
authentication flows to limit what account names (and thus types, in our case)
can be used on an IDP (we have multiple IDPs using the same account
For Password it works as we expect it to. Users enter a wrongly
formatted username and get an error saying that it is wrong and how they should
enter it; see logs: <https://ptpb.pw/AF0Sd-MMAxtmGeQ92OWjFYTGVINn>.
For SPNEGO, on the other hand, we get no error back to the user whatsoever.
It just "reloads" the login page, and the last number in the query
string "execution" increases by two, e.g. from 6 to 8.
See logs: <https://ptpb.pw/AG20XJFIg9kgd-R_Ih1_I55feKNs>
For RemoteUser we get sent back to the SP with an error message, which is
more helpful than the SPNEGO case (I mean, status:AuthnFailed is clear),
but the error message is not well suited for end users.
See logs and text from SP: <https://ptpb.pw/AGtyNV1KXQXQcT1KmLqAtmR01IBf>
Our matchExpression config is like in the examples and the relevant
config from idp.properties AFAICT is:
idp.authn.flows = RemoteUser|SPNEGO|Password
We expected that both SPNEGO and RemoteUser would behave as Password.
Are we doing something wrong?
Is this a bug?
Have a great weekend y'all!
Section for Infrastructure
SE-106 91 Stockholm, Sweden