Enforcing SPNEGO

Aterea Brown atbrown at aut.ac.nz
Tue Jul 9 17:37:02 EDT 2019

The request isn't making it to the IdP. I need to do some more testing, but the auth header in this case was over 7k. Using my personal account I could see the auth header reach the IdP, but with the user's account it would just "die" and return bad request. My current theory is that Jetty isn't passing the request to the IdP, so if I could increase the max size of the buffer set aside for headers it may relieve the problem. Also, the user reports that since his role has changed he may be able to remove a number of groups.

Yeah I read the flow file and saw that it toggles off, runs spnego then cleans up.

Aterea Brown, AUT University
Cybersecurity, ICT
Email: atbrown at aut.ac.nz Phone: 9219999 x 6523

From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Wednesday, 10 July 2019 12:09 AM
To: Shib Users
Subject: RE: Enforcing SPNEGO

> ok tracked it down, user has too many AD groups.

How does that manifest? If nothing else maybe the error could be caught or detected better.

My vague recollection of the SPNEGO code is that the autorun thing is designed to toggle that off in case the SPNEGO attempt fails so that the next time in it doesn't just keep auto-failing. It re-enables the flag if it succeeds.

Generally speaking the SPNEGO support is definitely in the category of "supported for members", I don't understand it well enough to support it publicly anymore.

-- Scott
