IDP password authentication config that will return a 401.

Todd Throne todd.throne at
Thu May 28 01:10:55 UTC 2020


I'm a Shibboleth novice.  I've set up the Windows IDP version 3.4.6 to
integrate with AD.
I've trying to get it to work with our proxy as the SP.  It works when the
proxy instructs the client(browser) to redirect to the IDP for
authentication via Shibboleth's authentication form returned to the browser.

The problem arises when I try to get it to work without redirecting to the
IDP through the client browser, a feature that used to work eons ago that's
called "without client redirects".  I'm trying to get the IDP configured to
NOT return the authentication form when basic credentials do not exist with
the initial authnrequest, but instead to just return a 401 to the proxy. 
After the proxy requests the credentials from the client it would then send
them to the IDP via the basic credentials authorization header.

I'm hoping someone can point me in the right direction on how to configure
Shibboleth to send back the 401 and then accept the basic credentials on the
second request.  It does work btw if the basic credentials header exists
with the initial authnrequest.


Sent from:

More information about the users mailing list