Configure an SP for the Kerberos NameID, configure the IdP to support GSSAPI and form (--ipa yes --form yes, for example), and ensure that Kerberos is allowed for the SP.
Now log in without a Kerberos ticket. The GSSAPI auth will fail and fall back to form.
You'll always be denied access.
The only server-side logging is a DEBUG level message:
Unavailable Name ID type [urn:oasis:names:tc:SAML:2.0:status:AuthnFailed]
Which isn't all that useful.
It should say something to the effect that the proper NameID was not satisfied, regardless of proper authentication.
milestone: => 1.1
owner: => rcritten
status: new => accepted
patch_available: 0 => 1
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1256520
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=1256520 1256520]
resolution: => fixed
status: accepted => closed
Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: 1.1