Unexpected behaviours with matchExpression and SPNEGO and RemoteUser

Cantor, Scott cantor.2 at osu.edu
Fri May 12 11:09:08 EDT 2017

On 5/12/17, 10:20 AM, "users on behalf of Simon Lundström" <users-bounces at shibboleth.net on behalf of simlu at su.se> wrote:

> For SPNEGO on the other hand we get no error back to the user
> whatsoever.

The SPNEGO flow is handling the error by causing the next login flow to be tried (it signals ReselectFlow). If it isn't doing that, something else is broken that I really have no guess about since there's nothing in the log.

> For RemoteUser we get sent back to the SP with an error message which is
> more helpful, I mean status:AuthnFailed is clear, than the SPNEGO case

It's the same code checking the name and the same outcome, but the External/RemoteUser flows don't remap the InvalidCredentials event and just fail authentication. It should be possible to change that to match what the SPNEGO flow is doing with the message map for those flows to get it to pass control to another login flow.

> but the error message is not well suited for end users.

If you don't want the IdP to treat login failure as a SAML error, then you need to configure it as a "local" error and provide whatever response you want. The general requirement of SAML is "return to the SP when you can/should". If the SP doesn't handle the error, that's not anything the IdP can fix.

> We expected that both SPNEGO and RemoteUser would behave as Password.

They have no UI, so that would be impossible. They're very different in nature.

-- Scott
