#157 Better logging if supported NameID not authenticated
Closed: Fixed. Opened 5 years ago by rcritten.

Configure an SP for the Kerberos NameID and configure the IdP to support GSSAPI and form (--ipa yes --form yes for example) and ensure that Kerberos is allowed for the SP.

Now log in without a Kerberos ticket. The GSSAPI auth will fail and fall back to form.

You'll always be denied access.

The only server-side logging is a DEBUG level message:

Unavailable Name ID type [urn:oasis:names:tc:SAML:2.0:status:AuthnFailed]

Which isn't all that useful.

It should say something to the effect that the proper NameID was not satisfied, regardless of proper authentication.


Fields changed

milestone: => 1.1

Fields changed

owner: => rcritten
status: new => accepted

master: ea3a3c6

resolution: => fixed
status: accepted => closed

Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: 1.1

4 years ago
