Our Apache uses both mod_shib_24 (SAML-SP) and mod_auth_openidc (OIDC-RP), both of which are connected to a Shibboleth IdP (which acts as both SAML-IDP and OIDC-OP).
Furthermore, we have 2 protected locations, one protected by SAML, the other one protected by OIDC:
ShibCompatValidUser On
<Location "/">
    Require shib-session
    AuthType Shibboleth
    ShibRequestSetting requireSession 1
    ShibUseHeaders On
</Location>
<Location "/oidctest">
    Require valid-user
    AuthType openid-connect
</Location>
Now comes the confusing part:
If I access anything other than /oidctest/, I have to log in using SAML (mod_shib_24 gets involved, as expected), but after a successful authentication I can also access /oidctest/ without having to authenticate with OIDC.
This also works the other way around. If I access /oidctest/ first (new private window), I have to authenticate using OIDC (mod_auth_openidc gets involved, as expected), and after a successful auth I can also access all other Locations (other than /oidctest/).
So how does Apache handle valid-user directives? How is a "valid-user" defined in Apache?
Is a user valid for everything once he has logged in, no matter the auth-type, no matter the module, no matter the protocol?
Or is this an unexpected behaviour?