SPNEGO unavailability and error handling

[Timo Tunturi]

On 27/09/2019 15.50, Simon Lundström wrote:
> On Thu, 2019-09-26 at 22:50:59 +0200, Wessel, Keith wrote:
>> 2. Is there any easy way to get the IdP to simply display the IdP 
>> login page (fall through to the password authentication flow) if 
>> SPNEGO is unavailable? I know easy is relative, but I''m at a loss of 
>> any way to do it at all other than the activation conditions one can 
>> associate with the SPNEGO flow. For us, limiting to IP space is far 
>> from sufficient since we have so many devices not joined to the domain 
>> on our network.
> We have a terrible hack via the mod_auth_gssapi Apache module for 
> "whitelisted" browsers but it seems that when IE dies, as per my other 
> mail in this thread to Daniel, we can discontinue it.

We used to run an in-house SPNEGO authenticator on Shib IdP before one 
was available out of the box. On top of network greylisting it used 
user-agent greylisting. Keeping the user-agent lists up to date was a 
nightmare.

Nowadays we run the out-of-the-box SPNEGO from Shib IdP with just an 
activation condition with a long list of networks of windows domain 
-joined devices (Windows, Linux and MacOS) automatically updated from 
our CMDB. The network list also contains machine-authenticated VPN 
networks. On-site the domain joined devices are thrown into specific 
networks based on 802.1X device authentication.

This approach seems to work really well with practically zero manual 
labour regarding the SPNEGO issue.

The network part where you know and can control what kind of devices are 
coming from which networks can be a boatload of work to sort out. Even 
so it might be worth looking into SPNEGO or no SPNEGO. AFAIK sorting out 
your networks is the only relatively neat solution to the SPNEGO issue.

-- Timo Tunturi / Aalto University IT Services