Why is Password flow selecting Basic Authentication

Robert Duncan Robert.Duncan at ncirl.ie
Thu Mar 29 10:48:35 EDT 2018

Thanks Scott,

The problem was actually in my login.vm. I used the extended password login flow to conditionally activate SPNEGO for particular subnets; this was working well, both as a login flow and with the button being activated by login.vm. However, looking back at the logs, even when I was attempting password login it was failing (Basic) and switching automatically to SPNEGO. The ECP location was protected by LDAP and not at all related.

Replacing my login.vm with the default file resolved the BasicAuthentication attempts.
I followed the guide here


## Render the SPNEGO button and auto-login checkbox when that extended flow is acceptable for this request.
#foreach ($extFlow in $extendedAuthenticationFlows)
  #if ($authenticationContext.isAcceptable($extFlow) and $extFlow.apply(profileRequestContext))
    #if ($extFlow.getId() == 'authn/SPNEGO')
    <div class="form-element-wrapper">
      <div class="form-element-wrapper">
        <input type="checkbox" name="_shib_idp_SPNEGO_enable_autologin" value="true"> #springMessageText("idp.login.spnego.enable_autologin", "Enable auto-login")
      </div>
      <button class="form-element form-button" type="submit" name="_eventId_$extFlow.getId()">
        #springMessageText("idp.login.$extFlow.getId().replace('authn/','')", $extFlow.getId().replace('authn/',''))
      </button>
    </div>
    #end
  #end
#end

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Thursday 29 March 2018 14:58
To: Shib Users <users at shibboleth.net>
Subject: RE: Why is Password flow selecting Basic Authentication

> What would cause my IdP 3.2 to default to basic authentication for all SPs?

The Password login flow always supports basic authentication if it sees the header and will never challenge the client itself, which is why there is no reason to do what you're doing unless you have an ECP client that doesn't just volunteer the credentials.

> 2018-03-29 09:30:57,303 - DEBUG [net.shibboleth.idp.authn.impl.ExtractUsernamePasswordFromBasicAuth:115] - Profile Action ExtractUsernamePasswordFromBasicAuth: No appropriate Authorization header found

DEBUG is not ERROR. There's nothing wrong there.

> I have since disabled the Apache location for ECP - shouldn't really
> matter, looks like Shib is selecting remote user from the container as
> the authentication flow?

Not if you don't enable that login flow.

-- Scott
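
Added example, not part of the original thread and not the IdP's own Java code: a simplified Python model of the behaviour Scott describes, where Basic credentials are used only if the client volunteers them and a missing header is a normal outcome rather than a failure. The function names, return values and sample headers are assumptions constructed for illustration.

```python
import base64
from typing import Optional, Tuple

# Constructed sample requests (not taken from the thread).
SAMPLE_BROWSER_HEADERS = {"Accept": "text/html"}  # a browser sends no credentials
SAMPLE_ECP_HEADERS = {
    "Authorization": "Basic " + base64.b64encode(b"jdoe:example:pw").decode("ascii")
}


def extract_basic_credentials(headers: dict) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a Basic Authorization header, else None."""
    # HTTP header names are case-insensitive.
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        # Corresponds to the DEBUG line "No appropriate Authorization header
        # found": expected for browser logins, nothing has gone wrong.
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None  # e.g. "Negotiate ..." is SPNEGO's scheme, not Basic
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and undecodable bytes
        return None
    # Only the first colon separates the fields; the password may contain colons.
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def password_flow_step(headers: dict) -> dict:
    """Hypothetical model of the opportunistic step: it never issues a 401 challenge."""
    creds = extract_basic_credentials(headers)
    if creds is None:
        # No volunteered credentials: continue to the login form.
        return {"next": "show-login-form", "challenge": False}
    return {"next": "validate-credentials", "username": creds[0], "challenge": False}


if __name__ == "__main__":
    print(password_flow_step(SAMPLE_BROWSER_HEADERS))
    print(password_flow_step(SAMPLE_ECP_HEADERS))
```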
