SPNEGO unavailability and error handling
Simon Lundström
simlu at su.se
Tue Oct 1 04:58:12 EDT 2019
On Tue, 2019-10-01 at 08:25:54 +0200, Timo Tunturi wrote:
>On 27/09/2019 15.50, Simon Lundström wrote:
>> On Thu, 2019-09-26 at 22:50:59 +0200, Wessel, Keith wrote:
>>> 2. Is there any easy way to get the IdP to simply display the IdP
>>> login page (fall through to the password authentication flow) if
>>> SPNEGO is unavailable? I know easy is relative, but I'm at a loss of
>>> any way to do it at all other than the activation conditions one can
>>> associate with the SPNEGO flow. For us, limiting to IP space is far
>>> from sufficient since we have so many devices not joined to the domain
>>> on our network.
>> We have a terrible hack via the mod_auth_gssapi Apache module for
>> "whitelisted" browsers but it seems that when IE dies, as per my other
>> mail in this thread to Daniel, we can discontinue it.
>
>We used to run an in-house SPNEGO authenticator on Shib IdP before one
>was available out of the box. On top of network greylisting it used
>user-agent greylisting. Keeping the user-agent lists up to date was a
>nightmare.
Luckily the user-agent problem is no longer the case, this regex is
sufficient: /Safari|Firefox|Chrome/
(Chrom{e,ium} has Safari in its user-agent so it doesn't actually need
to be there but is for clarity.)
Adding to the IE User-Agent for managed computers seems to work up to
IE11 but not on Edge according to my searches. I never could get it to
work on IE either ¯\_(ツ)_/¯
>Nowadays we run the out-of-the-box SPNEGO from Shib IdP with just an
>activation condition with a long list of networks of windows domain
>-joined devices (Windows, Linux and MacOS) automatically updated from
>our CMDB. The network list also contains machine-authenticated VPN
>networks. On-site the domain joined devices are thrown into specific
>networks based on 802.1X device authentication.
Oooh, that's nice! No BYOD which uses the VPN and/or eduroam but isn't
managed/joined to the AD then I guess?
>This approach seems to work really well with practically zero manual
>labour regarding the SPNEGO issue.
>
>The network part where you know and can control what kind of devices are
>coming from which networks can be a boatload of work to sort out. Even
>so it might be worth looking into SPNEGO or no SPNEGO. AFAIK sorting out
>your networks is the only relatively neat solution to the SPNEGO issue.
Indeed! Having awesome infrastructure makes everything look so easy = )
Good job!
BR,
- Simon