Channel: SCN: Message List - SAP Single Sign-On

Re: SNCWIZARD without SPNego


Jason Moors wrote:

 

We are using SAML2 for the web application, and SPNego bypasses SAML2 based on the Default Logon Procedure.

 

Oh, I understand.

Well, the rationale behind the default order of credential validation is the following:

 

1. Validate all credentials which have been provided with the request

2. If none are provided, request those you get via an additional roundtrip:
      a) without user interaction (SPNego),
      b) potentially with user interaction (SAML).
3. If this also fails, prompt the user for credentials (FORM-based logon or Basic Authentication)

 

 

Whether SPNego or SAML are available (i.e. configured at the server side) will be checked at runtime. So, in your case you do want to use SAML but not SPNego. In that case you can either deactivate SPNego (as described above by removing the keytab information visible in t-code SPNEGO and using a keytab file for SNC) or you have to switch from "Default Logon Procedure" to "Alternative Logon Procedure" and either switch the ordering of SPNego and SAML or simply remove SPNego from the list. If you do this on the root node (in t-code SICF) this setting will be "inherited" along the ICF tree down to the "leaf" nodes. But be warned: "inheritance" can be stopped - there's an option called "Ignore inherited settings" (under tab "Service Data", section "Service Options"):

[Screenshot: no_inheritance.png]

 

If you do not want to use SPNego at all, I recommend using the first approach (deleting the keytabs shown in t-code SPNEGO and using a keytab PSE for SNC). That's easier to achieve and more robust. And you can revert it more easily, if required.

 

Best regards,
Wolfgang
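
A simplified model of the two options discussed in the reply above, added here as an example; it is not part of the original post and not SAP code. The class, function and node names are hypothetical, and it assumes that a node with "Ignore inherited settings" and no list of its own falls back to the default order.

```python
# Added illustration: a simplified model of the behaviour described in the post.
# Not SAP code; class, function and node names are hypothetical.
from dataclasses import dataclass
from typing import List, Optional, Set

# Default order from the post: SPNego (no user interaction), then SAML
# (possibly with interaction), then a credential prompt (form/basic).
DEFAULT_PROCEDURE = ["SPNEGO", "SAML", "PROMPT"]

@dataclass
class IcfNode:
    name: str
    parent: Optional["IcfNode"] = None
    alternative: Optional[List[str]] = None  # "Alternative Logon Procedure" set on this node
    ignore_inherited: bool = False           # "Ignore inherited settings" option

def effective_procedure(node: IcfNode) -> List[str]:
    """Return the logon order that applies to a node after inheritance."""
    cur = node
    while cur is not None:
        if cur.alternative is not None:
            return cur.alternative
        if cur.ignore_inherited:
            # Assumption: with inheritance stopped and no own list, the default applies.
            return DEFAULT_PROCEDURE
        cur = cur.parent
    return DEFAULT_PROCEDURE

def chosen_mechanism(node: IcfNode, configured: Set[str]) -> Optional[str]:
    """First mechanism in the effective order that is configured on the server
    (the runtime availability check), for a request that carries no credentials."""
    for mech in effective_procedure(node):
        if mech in configured:
            return mech
    return None

def audit(nodes: List[IcfNode], configured: Set[str]) -> dict:
    return {n.name: chosen_mechanism(n, configured) for n in nodes}

# Constructed sample tree: SPNego removed from the list on the root node only.
root = IcfNode("root", alternative=["SAML", "PROMPT"])
app = IcfNode("root/app", parent=root)
legacy = IcfNode("root/app/legacy", parent=app, ignore_inherited=True)
TREE = [root, app, legacy]

if __name__ == "__main__":
    # Second approach only: SPNego still configured, list changed on the root node.
    print(audit(TREE, {"SPNEGO", "SAML", "PROMPT"}))
    # First approach: keytabs removed, so SPNego is not available on any node.
    print(audit(TREE, {"SAML", "PROMPT"}))
```

In this model the node that ignores inherited settings still selects SPNego under the second approach, while removing the SPNego configuration takes it out of play on every node.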

