Why is Password flow selecting Basic Authentication

Cantor, Scott cantor.2 at osu.edu
Thu Mar 29 09:58:10 EDT 2018

> What would cause my idp 3.2 to default to basic authentication for all SP's?

The Password login flow always supports basic authentication if it sees the header and will never challenge the client itself, which is why there is no reason to do what you're doing unless you have an ECP client that doesn't just volunteer the credentials.

> 2018-03-29 09:30:57,303 - DEBUG
> [net.shibboleth.idp.authn.impl.ExtractUsernamePasswordFromBasicAuth:11
> 5] - Profile Action ExtractUsernamePasswordFromBasicAuth: No appropriate
> Authorization header found

DEBUG is not ERROR. There's nothing wrong there.

> I have since disabled the Apache location for ECP - shouldn't really matter,
> looks like Shib is selecting remote user from the container as the
> authentication flow?

Not if you don't enable that login flow.

-- Scott

More information about the users mailing list