I know that Cal did it at Newcastle, I don't know whether he hangs out in here.
Googling "SPNEGO site:ncl.ac.uk" throws up some useful looking links; I also understand that someone in SWITCH has played with it, so that’s somewhere else to look.
I'm pretty sure that a major usability issue is that each browser behaves towards SPNEGO in a different way and so you have to be absolutely that your ducks are lined up correctly before you go down the SPNEGO route.
> -----Original Message-----
> From: Discussion list for Shibboleth developments [mailto:JISC-
> [log in to unmask]] On Behalf Of Colleen Romero
> Sent: 26 August 2014 09:17
> To: [log in to unmask]
> Subject: Kerberos and LDAP
> Does anyone know how to set up Shibboleth IdP to use Kerberos SSO against
> Windows Active Directory, but failover to LDAP if user is not logged onto a AD
> domain member?