SPNEGO unavailability and error handling
timo.tunturi at aalto.fi
Tue Oct 1 02:25:54 EDT 2019
On 27/09/2019 15.50, Simon Lundström wrote:
> On Thu, 2019-09-26 at 22:50:59 +0200, Wessel, Keith wrote:
>> 2. Is there any easy way to get the IdP to simply display the IdP
>> login page (fall through to the password authentication flow) if
>> SPNEGO is unavailable? I know easy is relative, but I''m at a loss of
>> any way to do it at all other than the activation conditions one can
>> associate with the SPNEGO flow. For us, limiting to IP space is far
>> from sufficient since we have so many devices not joined to the domain
>> on our network.
> We have a terrible hack via the mod_auth_gssapi Apache module for
> "whitelisted" browsers but it seems that when IE dies, as per my other
> mail in this thread to Daniel, we can discontinue it.
We used to run an in-house SPNEGO authenticator on Shib IdP before one
was available out of the box. On top of network greylisting it used
user-agent greylisting. Keeping the user-agent lists up to date was a
Nowadays we run the out-of-the-box SPNEGO from Shib IdP with just an
activation condition with a long list of networks of windows domain
-joined devices (Windows, Linux and MacOS) automatically updated from
our CMDB. The network list also contains machine-authenticated VPN
networks. On-site the domain joined devices are thrown into specific
networks based on 802.1X device authentication.
This approach seems to work really well with practically zero manual
labour regarding the SPNEGO issue.
The network part where you know and can control what kind of devices are
coming from which networks can be a boatload of work to sort out. Even
so it might be worth looking into SPNEGO or no SPNEGO. AFAIK sorting out
your networks is the only relatively neat solution to the SPNEGO issue.
-- Timo Tunturi / Aalto University IT Services
More information about the users