Page Comparison

...

The following examples assume that the condition property customObject is set to the bean shibboleth.HttpServletRequest.

In $.3 and later you should use shibboleth.HttpServletRequestSupplier and adjust the javascript as described in this link.

// Default return value.
var activate = false;

// Check the client's IP address.
if (custom.remoteAddr.startsWith("192.168.42.")) {
    activate = true;
}

// Return the result.
activate;

...

The sequence of behavior during the login process is normally as follows:

1. First, the SPNEGO login flow will be tried. If the user hasn't enabled auto-login, SPNEGO authentication won't run. If the user has enabled auto-login, SPNEGO authentication is run. If it succeeds, the authentication step has finished. If it fails, the Password login flow will be run next (if it's configured as available flow).

2. If SPNEGO didn't successfully run before, the Password login flow will be run and the login page will be shown.

3. The user can choose to login with SPNEGO. Optionally, the user can enable the "auto-login" option (if enabled in the view template). If the user has chosen SPNEGO, the SPNEGO login flow will run. This time, the flow ignores the auto-login setting and SPNEGO authentication is run. If it succeeds, the authentication process is typically finished. The "auto-login" cookie is set if the user enabled that option on the Password login page. If SPNEGO fails, the user will be returned to the Password login page.

SPNEGO User Interface

The SPNEGO authentication process isn't visible to the user. The communication takes place between the IdP and the browser, without requiring user intervention. If an error occurs, an error page is shown to the user explaining the problem and allowing to return control to the IdP to continue. The default implementation of the view rendering this page uses JavaScript to automatically return to the IdP so that the user doesn't need to do anything.

...