This is strange. I'm trying to set up a new site with exactly the same IdP metadata as over 20 existing sites (the IDP is managed by NOAA), and it's not working. I get this in the server logs:

Apr 20 09:23:21 ELUSU httpd[102320]: [auth_mellon:error] [pid 102320] [client 172.16.39.9:44924] Error adding metadata "/etc/httpd/saml2/idp-prod.xml" to lasso server objects. Lasso error: [-205] Parsed XML is invalid., referer: https://elusu.nesdis-hq.noaa.gov/mellon/login?ReturnTo=https%3A%2F%2Felusu.nesdis%2Dhq.noaa.gov%2F&IdP=(null)
Apr 20 09:23:21 ELUSU httpd[102320]: [auth_mellon:error] [pid 102320] [client 172.16.39.9:44924] Error adding IdP to lasso server object. Please verify the following configuration directives: MellonIdPMetadataFile and MellonIdPPublicKeyFile., referer: https://elusu.nesdis-hq.noaa.gov/mellon/login?ReturnTo=https%3A%2F%2Felusu.nesdis%2Dhq.noaa.gov%2F&IdP=(null)

I've already tried:

• Recopying the metadata file from a working server
• Temporarily setting SELinux to Permissive
• Verifying with the IdP maintainer that they haven't changed metadata on their end
• Running the XML through an XML checker; it came out clean

What am I missing here? I thought I had this down, and apparently I don't.

(Apache 2.2 on RHEL 7.8, same as the other 20 systems.)

Hello guys,

I'm trying to get mellon working but I keep getting this error message, any idea on how to fix it?

Cannot load /usr/lib64/httpd/modules/mod_auth_mellon.so into server: /lib64/libxmlsec1.so.1: symbol xmlIOFTPRead, version LIBXML2_2.4.30 not defined in file libxml2.so.2 with link time reference

Hi,
Why POST binding is unsupported for logout response?

A new session id (16 bytes, 128 bits) is generated using RAND_bytes() in am_generate_id() but, annoyingly, RAND_bytes() is not fork safe so it is possible (and I have seen this once) to get the same session ID for two different sessions.

Fortunately, there is an easy fix: in am_child_init() call RAND_seed() or RAND_add() to mix a some entropy into the PRNG state. You don't need much, just enough to ensure it's different to other instances of the PRNG -- I'd be inclined to grab some entropy from getrandom() or /dev/urandom.

I think it also makes sense to update am_new_cache() to fail if you add the same entry twice. And try just once more; if it fails a second time then something is seriously amiss and you should abort.

Hello everyone,

I would like you to help me with the following error in apache log

Unable to process logout response. Lasso error: [450] Generic error when an IdP or an SP return the RequestDenied status code in its response., referer: https://my_host_ip/iotmainmenu/webapp/

This happens when I try to logout from my single page application, if I use auth0 idp works pretty well, but with this new idp (SAP Cloud Identity Provider) doesn't work property, just at logout, because both (auth0 and SAP) work well in logging in.

I appreciate your help.

Best regards.

Jhon Jairo.

SP initiated SAML login via the HTTP-POST binding does not work for me if MellonCookieSameSite
is set to anything but None.
The reason for this is that the browser does not sent the cookie defined in MellonVariable
when the IDP responds back with the autosubmitform that is sent to the postresponse handler.
IMHO the browser behaves correctly here with SameSite set to lax or strict for the cookie.

The question I ask myself now is why that cookie needs to be present with the POST request.
Inspecting the code the cookie only contains the static string "cookietest" and nothing but its
presence is checked. This whole mechanism was introduced in 18a8e09
via line 3265 in am_send_login_authn_request:

am_cookie_set(r, "cookietest");

and the check for the cookie to be present in the non paos case via line 1994 in am_handle_reply_common:

if(am_cookie_get(r) == NULL) {

What is the purpose of this check? Does it somehow increase security? If not I would propose to either

• Remove setting that cookie and the check or
• In case MellonCookieSameSite is set to anything but none do not fail if the cookie is not present.

I could create a PR for both approaches once the way forward is agreed.

First,I'm sorry to hear that this project was closed. Really a sad story.
And here is my question:
I'm working with the keystone federation function, and I choose the mod_auth_mellon to help keystone to support the SAML protocol.
My problem is when the flow goes to the .../mellon/postResponse,this handler doesn't create a session for the user (or to say does not set the cookie),then the flow entered into an indefinite loop between IdP and SP. I don't know why .../mellon/postResponse doesn't contains the set-cookie in its Response Header?
Help,thank you.

Hi,

I am looking for option to use LDAP as authentication and found in that chapter:

MellonEndpointPath "/sso"

then, later:

<Location /auth>

Is that error? I would expect Location /sso ...

Regards.

I have succesfully configured mellon for IDP and SP
I can succesfully do the manual login /mellon/login?ReturnTo=/mysite
but when I call the logout function with /mellon/logoiut?ReturnTo=/logout.html I get the following error logged by apache:

[auth_mellon:debug] [pid 13264] auth_mellon_handler.c(278): [client 10.40.176.21:17383] loaded IdP "https://b2cpoc.onmicrosoft.com/" from "/etc/apache2/mellon/metadata.xml".
[auth_mellon:error] [pid 13264] [client 10.40.176.21:17383] Unable to create logout request. Lasso error: [-408] ProviderID not found

Thank you and kind regards

I'm getting a 500 response error in mellon module , Inorder to debug that Is there a way to dump the saml request ?

Appreciate any help

Hi,

I have configured auth_mellon in my apache config as follows:

<Location />
    MellonEnable info
    MellonEndpointPath /mellon/
    MellonSPMetadataFile /etc/httpd/mellon/urn_sso-test.xml
    MellonSPPrivateKeyFile /etc/httpd/mellon/urn_sso-test-client.key
    MellonSPCertFile /etc/httpd/mellon/urn_sso-test-client..cert
    MellonIdPMetadataFile /etc/httpd/mellon/idp_metadata.xml
    MellonSecureCookie On
    MellonUser uid
</Location>

The document root of my apache vhost is set to /var/www/html.
I've created an .htaccess file in /var/www/html/secure1 with content:

AuthType Mellon
MellonEnable auth
Require valid-user

In the apache config, AllowOverride All is set for /var/www/html/secure1.

When I visit /secure1 on my server, my browser shows an Unauthorized message: This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

If I rename the .htaccess file and configure the settings directly in the apache configuration using a <Directory> block, I get the same issue.

It only works if I configure the above 3 settings in a Location block in my apache config.

How can I make auth_mellon work using .htaccess files? I want to configure the basic auth_mellon settings in the Location /, but allow users to enable authentication for their userdir using a .htaccess file.

Regards,
Rik

Hello,

I'm planning to implement mod_auth_mellon for SAML base authentication on apache reverse proxy but we have 100+ URLs to migrate on SAML SSO authentication but instated of multiple SP metadata file, Shall we use single metadata(means wild card SP metadata) file ?
Is it possible in Mellon? Please help me on this

This is a continuation of Uninett#35 and Uninett#220

The URI parse results in am_validate_redirect_url are not hardened enough, which leads to possibility of redirection attacks such as:
https://application.com/mellon/login?ReturnTo=http:www.malicious.com

that redirect to http:www.malicious.com

We have a config

MellonCacheSize 6000
MellonLockFile "/run/mod_auth_mellon/lock"

but we have not given permission for the apache user to write to run directory.

Can we know what would happen in that case, how is the session managed and where is it stored.

We are having issues when some users are getting other user's old session but only happens sometimes not always. our Mellon config as follows

MellonEnable "auth"
Require valid-user
AuthType "Mellon"
MellonVariable "cookie"
MellonSamlResponseDump Off
MellonSecureCookie On
MellonSessionDump Off
MellonSessionLength 1800

How do i debug as diagnostics is not built in to this Mellon.

Getting 200 status code instead of 303 redirect with some other user attached and starts to serve the protected content. httpd version is 2.4.6 also have Header always set X-Frame-Options DENY in httpd config

Can you please enlighten us where we are going wrong?

Upon closer look seems that session is being highjacked based on mellon-cookie, is there any way to stop this. So authentication is not done and hence gives other persons details.

Is there any possibility of mellon-cookie being reassigned to other user, say after 1 day etc, the derivation of cookie id does it depend on date etc so that it varies

I built v0.18.0 on CentOS8(xmlsec1-openssl-devel package is not installed).
I get an error in ./configure.

configure: error: Package requirements (xmlsec1-openssl) were not met:

checking xml1sec-openssl in this commit, but I think it's xml1sec correctly.
xmlenc.h is under the xml1sec directory.

/usr/include/xmlsec1/xmlsec/xmlenc.h

Hi. I've been struggling to get Mellon + Apache Httpd working as a reverse proxy against a Keycloak SAML IdP in a Docker setup, where only Httpd + Mellon is publicly accessible. The reverse proxy points to Camunda and Eramba containers. I intended to add Elasticsearch in there as well, but I'm having a hell of a time getting Mellon and Keycloak happy.

To this end I'm kind of desperately seeing if the issue might be Mellon vs Keycloak.

First, as a bit of preamble that'll lead to my issue. I've had a tough time retrieving a suitable idp_metadata.xml from Keycloak because it's Realm SAML definition point basically writes the Location related URLs relative to how the requesting browser called it. e.g. if I open my browser and connect to http://proxy.demo/auth/realms/myrealm/protocol/saml/descriptor, the entityID and Locations will be from host/port http://proxy.demo:

<EntitiesDescriptor Name="urn:keycloak" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                                       xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
       <EntityDescriptor entityID="http://proxy.demo/auth/realms/myrealm">
...
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://proxy.demo/auth/realms/myrealm/protocol/saml"/>

Here's a sample using curl -s -k -o /etc/httpd/saml2/idp_metadata2.xml http://127.0.0.1:8082/auth/realms/myrealm/protocol/saml/descriptor (Note that this is the official Keycloak container and I exposed port 8080 and 8082):

<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">
<EntityDescriptor entityID="http://127.0.0.1:8082/auth/realms/myrealm">
...
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://127.0.0.1:8082/auth/realms/myrealm/protocol/saml"/>

When I went back to Mellon and tried accessing a protected reverse URL, I would get redirected to the Locations written in the idp_metadata.xml. Of course from the user browser, those addresses are not reachable. e.g. http://sso:8080 is a URL that the Mellon container can reach and get the idp_metadata.xml, BUT its not something the user browser can reach.

I was a little confused that Mellon with a Httpd reverse proxy setup wouldn't proxy the auth requests, instead it looked like Mellon was redirecting the user browser directly to a resource end point only accessible from behind the proxy.

So in the interested of keeping my sanity I rigged up a way to satisfy the browser redirection. I just allowed the Httpd proxy to allow /auth to go to my Keycloak service. Then I grabbed the IdP SAML definition using the publicly accessible URL. e.g. http://proxy.demo/

The resulting idp_metadata.xml had the correct URLs in it. I considered rewriting the idp_metadata.xml, but I would have to first prove this setup works at all. If you have any tips on how to deal with this, I'm all ears. It'll be a common challenge with containerized SAML architectures.

Now when my use browser accesses a protected URL (e.g. http://proxy.demo/camunda), Mellon will direct me to a publicly accessible URL (I shortened the SAMLRequest and Signature values):

http://proxy.demo/auth/realms/myrealm/protocol/saml?SAMLRequest=hZJfa...k3&RelayState=http%3A%2F%2Fproxy.demo%2Fcamunda&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=lMJd4mzGJP9%2FXxT...SWon5lgMYxrkkQ%3D%3D

However Keycloak displays an "Invalid requester" error in the browser. From the Keycloak logs show the following exception ("Invalid query param signature"):

00:11:13,206 ERROR [org.keycloak.protocol.saml.SamlService] (default task-2) request validation failed: org.keycloak.common.VerificationException: org.keycloak.common.VerificationException: Invalid query param signature
	at [email protected]//org.keycloak.protocol.saml.SamlProtocolUtils.verifyRedirectSignature(SamlProtocolUtils.java:169)
	at [email protected]//org.keycloak.protocol.saml.SamlService$RedirectBindingProtocol.verifySignature(SamlService.java:557)
	at [email protected]//org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:250)

I'm trying desperately to figure out what the "Invalid query param signature" could mean! The Keycloak forum has been quiet.

Keycloak seems to be unhappy with the SAML Signature Request Key. It is able to located a valid public key for validation, but then when it tried to validate the Signature using the identified SigAlg (https://www.w3.org/2001/04/) it failed with "Invalid query param signature":

https://github.com/keycloak/keycloak/blob/d39dfd86888d292ebdafd6b5b98be2436b64846c/services/src/main/java/org/keycloak/protocol/saml/SamlProtocolUtils.java#L134

Do you have any tips? I'm not looking for you to support Keycloak, but any suggestions or clues would really be helpful.

I can attach anything that might help. e.g. copies of my Mellon SP files, Keycloak IDP file, my httpd.conf, etc...

If it helps I'm running Keycloak 8.0, and mod_auth_mellon 0.14.0 on httpd 2.4.6-90 in a Centos 7.7 image. I thought to stick with whatever came with Centos 7 to be safe, but I'm not married to it.

Thank you/

In the previous Uninertt installtion I was able to have an initial auth module, i.e. I enabled auth on example.com and then used the auth from this to allow access to sites a.com, b.com ect. This was setup in a location like so:

MellonEndpointPath /mellon
AuthType "Mellon"
MellonEnable "auth"
Require valid-user

I could then have subsequent sites setup on different domains with:

<Location /register>
MellonEndpointPath /mellon
AuthType "Mellon"
Require valid-user
MellonRequire "usertype"

After upgrading to this fork, this no loner works and requires me to add MellonEnable "auth" on the other domains, the issue with this is that it doesnt have the saml setup as its an alternate domain.

Any ideas on how I can get this working again?

Could you please add support for mod_authn_socache ?

If I understand it right, it would speed up things, but more, it would allow storing cookies in memcache backends. It would be possible to use auth mellon on multiple load balancer or backends.

Thanks.

Hello,
While mod_auth_mellon is working like a charm with the default MellonCacheSize 100 setting it refuses to work with any higher value. Since we have up to about 30,000 Users authenticating via SAML we need some higher MellonCacheSize limit.
Is this something one could help with? I believe that the original client would be willing to pay for a bit of support on this issue.
Thank you very much in advanve,
Martin

My keycloak installation works well with other software, but I have failed to set up keycloak with mod_auth_mellon.
I have followed the instructions from the keycloak manual, by

1. running the mellon_create_metadata.sh script as described,
2. copy&pasting the apache configuration
3. uploading the generated mellon_metadata.xml to my realm
4. downloading the idp_metadata.xml from keycloak as described.

When I now attempt to access the /private path, I get redirected to keycloak showing an Invalid requester error. The keycloak logs show:
ERROR [org.keycloak.protocol.saml.SamlService] (default task-72) request validation failed: org.keycloak.common.VerificationException: SigAlg was null, alongside a long stack trace.

Where have I gone wrong?

Hello, I have implemented mod_auth_mellon version 0.14 on our Apache server which is acting as a reverse proxy to redirect traffic after authentication to our WebLogic server. During my testing, I get a success response back from our internal IDP but I have a feeling the RelayState is either never being populated from me, the SP, or the IDP is losing it and not redirecting back to the URL the request started at after authentication. Also, mellon never redirects to the IDP automatically. I have to do something like a button click and send to my IDP's URL specific to our entityID in order to start the process. When I visit my endpoint (https://ourdomain.gov/saml2) it throws a 404 error. The "saml2" directory does not exist in our "/var/www/html/" structure because I thought a mellon handler would "handle" anything going to the endpoint directory (or downline of it)?

I am on RHEL v7 where Apache lives and installed the mellon module with a simple yum command. Because of that, the module did not have Mellon Diagnostics enabled so I can't figure out how to enable it for better troubleshooting.

I even tried installing the newest version (0.16) from source so I could see it resolved our issue and to enable diagnostics during the configure but our RHEL was missing some modules to do ./configure and make install that I couldn't figure out.

Any insight as to how I could spy the RelayState coming from our SP going to the IDP or from the IDP after the authnrequest? My only tool so far is using the Network in Chrome Dev Tools. Our agency won't allow third party extensions and even fiddler won't work in our environment to spy all requests. :(

I feel like I am really close to this working. I even see in my apache ssl_access_log (in debug mode) the NameIDFormat in each line of the log after the postResponse request.

Any assistance with this issue would be greatly appreciated and I look forward to hearing any troubleshooting tips you could provide. :)

Hi, I recently found that Cookies mod_auth_mellon produces always have domain attribute, regardless of specifying MellonCookieDomain or not.

While I was setting up my new server as SP, I faced a problem where redirect loop occurred after login. The cause was that the browser had a Cookie with same name with different domain, e.g. example.org here, and my new server was like myapp.example.org, so mod_auth_mellon couldn't receive the correct Cookie. I solved it with setting MellonVariable so that the name of Cookie didn't collide.

Now, I think it would be nicer if mod_auth_mellon could produce HostOnly Cookies. Right now, Cookies from example.org are also sent to myapp.example.org. This could be a security problem. How about making this configurable by new directive MellonCookieHostOnly On? If this setting is done, MellonCookieDomain will be ignored.

When using the diagnostic log to track down problems with an IdP, I found that it would benefit from having time stamps written to the log, somewhere around here:

Hello together,
im trying to get mellon and adfs work together but im stuck in an redirection loop.

I enabled MellonDiagnosticsEnable On and in the log it says that the cookietest is not found but the cookie get´s send to the server with the value cookietest.

entry mellon_diagnostics https://pastebin.com/BvHZfSLN
entry saml_traver https://pastebin.com/nUnM6KjR
global mellon_config => apache2

MellonCacheSize 100
MellonLockFile /var/run/mod_auth_mellon.lock
MellonPostTTL 900
MellonPostSize 1073741824
MellonPostCount 100
MellonPostDirectory "/var/cache/mod_auth_mellon_postdata"
MellonDiagnosticsFile /var/log/mellon_diagnostics
MellonDiagnosticsEnable On

director mellon_config => apache2

<Location /wws/sso_login/institut>
    MellonEnable "auth"
    Require valid-user
    AuthType "Mellon"
    MellonVariable "sympa"
    MellonSecureCookie On
    MellonCookieSameSite None

    MellonSPPrivateKeyFile /etc/apache2/mellon/urn_site.example.org.key
    MellonSPCertFile /etc/apache2/mellon/urn_site.example.org.cert
    MellonSPMetadataFile /etc/apache2/mellon/urn_site.example.org.xml
    MellonIdPMetadataFile /etc/apache2/mellon/FederationMetadata.xml
    MellonMergeEnvVars On ":"
    MellonEndpointPath /wws/sso_login/institut/endpoint
    MellonPostReplay on
</Location>

Hello

I've the follwowing issue while running mod_auth_mellon against an Enterprise ADFS. I understand this here isnt a support forum, but I had no luck to login and subscribing to https://sympa.uninett.no/lists/uninett.no/subscribe/modmellon. The error I enconter while trying to subsribe is " ERROR (subscribe) - Authorization rejected. Maybe you forgot to log in? ". However, I can say, that I am already registered and logged in.

Back to my issue with mod_auth_mellon:
I already configured SP and (together with my colleage responsible for ADFS configuration) IdP. Now, when testing the SSO I can see following error:

[APLOG_ERR auth_mellon_handler.c:2203] Error processing authn response. Lasso error: [440] The profile cannot verify a signature on the message, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Success", StatusCode2="(null)", StatusMessage="(null)"

According to this guide https://jdennis.fedorapeople.org/doc/mellon-user-guide/mellon_user_guide.html#web_sso_flow I am failing at step 4 (IdP responds with embedded in form...)

Before presenting more details, please guide me:

1. Where is correct place to post that issue ?
2. How to properly subscribe: (-> https://sympa.uninett.no/lists/uninett.no/subscribe/modmellon)
3. Which details to provide in order to further analyse and understand the isssue.

Regards
Marian

Edit1:
Versions:
mod_auth_mellon: latest (master branch)
lasso: 2.5.99
httpd: 2.4.34

Hi, would you be so kind to explain me is it possible not to have HTTP 303 redirect after HTTP GET to some resource protected by auth_mellon, but instead to just send HTT200 with autosubmit form in Response. Shibboleth and other SAML SSO SP does in this way. Why is this different, can it be configured not to do 303 redirect?

Shibboleth;

Shibboleth Response header

Kind Regards,
Goran.

need support for making an auth request with a login_hint param in a flow where there are multiple IDPs configured and IDPDiscoveryUrl page is being used to select the IDP based on a username.

Example Scenario:

1. User accesses the application.
2. User is redirected to a login page containing a text field, which is also configured as IDPDiscoveryUrl page.
3. User enters a username and clicks 'next' button.
4. User is redirected to appropriate IDP for auth based on the entered username. ex. If username entered is a numeric id, user is redirected to one IDP for auth, but if it's an email id, user gets redirected to another IDP.

This flow is currently possible with mellon, but only issue is the redundancy of entering a username twice, first at the IDP selection and then at IDPs auth page as there is no way to make use of the login_hint url param that IDPs support( i know of Google Identity and Microsoft identity platform)

If I use mod_ruid2, I cannot use mod_auth_mellon, as global cache locks result in permission denied like this:
[Mon May 25 09:46:22.065689 2020] [auth_mellon:error] [pid 12952] apr_global_mutex_lock() failed [13]: Permission denied

It's because the lock is created by www-data process, but a child runs under ruid's specified uid.

Is there a way to fix it?

Hi,
In the documentation it said for MellonEnable "Auth":

        #           There is a special handling of AJAX requests, that are
        #           identified by the "X-Requested-With: XMLHttpRequest" HTTP
        #           header. Since no user interaction can happen there,
        #           we always fail unauthenticated (not logged in) requests
        #           with a 403 Forbidden error without redirecting to the IdP.

Looking at the code in auth_mellon_handler.c:

        if(session == NULL || !session->logged_in) {
            /* We don't have a valid session. */

            // ...

            /*
             * If this is an AJAX request, we cannot proceed to the IdP,
             * Just fail early to save our resources
             */
            ajax_header = apr_table_get(r->headers_in, "X-Requested-With");
            if (ajax_header != NULL &&
                strcmp(ajax_header, "XMLHttpRequest") == 0) {
                    AM_LOG_RERROR(APLOG_MARK, APLOG_INFO, 0, r,
                      "Deny unauthenticated X-Requested-With XMLHttpRequest "
                      "(AJAX) request");
                    return HTTP_FORBIDDEN;
            }

My problem comes from HTTP_FORBIDDEN.
As far as i understand, if we reach the test for X-Requested-With header, it means we don't have a valid session, it means we are not authenticated.
AFAIK there is a semantic issue as forbidden means that we are authenticated still we can't go further. We should have a 401 status code and not a 403.
Having a 403 status code while being not authenticated is not good as it is difficult to split between real 403 (authorized but not allowed) and fake 403 (unauthorized).

For what i can tell, changing the return HTTP_FORBIDDEN to something like return HTTP_UNAUTHORIZED should do (still i have no idea where those constants are coming from, my days as a C developer are long gone =D)

Hello,

I was so happy because finally got working with SAML 2.0 using mod_auth_mellon on apache proxies.
Everything works fine but when putting redirection rule in vhost file then I having some issue.. IdP URL is going to infinite loop Request-URI Too Long

Context:
The Application is behind a reverse proxy running inside an apache into an EC2 instance that is pointed by a LB.

So:

FQDN --> LB --> EC2(httpd+mod_mellon) --> jira
My Apache CFG:

<VirtualHost *:443>
    ServerName jira-application.com
    ProxyRequests Off
    ProxyVia Off
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl-certs/jira-application.com.cer
    SSLCertificateKeyFile /etc/httpd/ssl-certs/jira-application.com.key
    SSLCertificateChainFile /etc/httpd/ssl-certs/jira-application.com.intermediates-root.cer
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly
    ################PING SAML BASE SSO AUTHENTICATION##########################
    Includeoptional /etc/httpd/mellon/jira-application.com/jira-application.com.conf
  <Proxy *>
         Require all granted
    </Proxy>
    ProxyPass /jira2 ajp://xx.xx.xx.xx:8009/jira2 timeout=300
    ProxyPassReverse /jira2 ajp://xx.xx.xx.xx:8009/jira2

    ProxyPass /confluence2 ajp://xx.xx.xx.xx:8009/confluence2 timeout=300
    ProxyPassReverse /confluence2 ajp://xx.xx.xx.xx:8009/confluence2

    Redirect "/" "https://jira-application.com/jira2/"     #### This redirection is not working with mellon module giving some error IdP URL is going to infinite loop Request-URI Too Long
     KeepAlive On
    KeepAliveTimeout 15
</VirtualHost>

SAML SP CFG

<location />
MellonEnable "info"
MellonEndpointPath "/mellon"
MellonSecureCookie On
MellonUser "LOGIN"
MellonIdP "IDP"
MellonDefaultLoginPath "/"
MellonSessionDump on
MellonVariable "cookie"
MellonSessionLength 86400

#Default SP and ID metadata files to protect every URL which is not integrate in SSO insted of access give error means URL is not integrate, For integration create SP metadata file and make change SAML configuration
MellonSPPrivateKeyFile /etc/httpd/mellon/jira-application.com/jira-application.com.key
MellonSPCertFile /etc/httpd/mellon/jira-application.com/jira-application.com.cert
MellonSPMetadataFile /etc/httpd/mellon/jira-application.com/jira-application.com.xml
MellonIdPMetadataFile /etc/httpd/mellon/jira-application.com/pingIdP.xml

###### Header forword to backend application##############################
    RequestHeader unset LOGIN
    RequestHeader unset USERNAME
    RequestHeader unset EMAIL
    RequestHeader unset FIRSTNAME
    RequestHeader unset LASTNAME

    RequestHeader set LOGIN "%{MELLON_login}e" env=MELLON_login
    RequestHeader set USERNAME "%{MELLON_username}e" env=MELLON_username
    RequestHeader set EMAIL "%{MELLON_email}e" env=MELLON_email
    RequestHeader set FIRSTNAME "%{MELLON_firstname}e" env=MELLON_firstname
    RequestHeader set LASTNAME "%{MELLON_lastname}e" env=MELLON_lastname
</Location>
<Location />
        MellonEnable "auth"
</Location>

I have migrated to the latest version, however now my SAML authentication fails. Is there anything specific I need to change to ensure I can get up and running.

From what I can tell from the logs, my IDP is responding with SAML Request signature validation failed: Error during signature verification

Any ideas?

Hello, developers. (@simo5 , @thijskh ...)can you help me confirm one thing. Is there any version of mellons to run in Windows or Solaris?

Currently my system works in windows server, I want to use mellon to realize authentication. So is there good suggestion to tell me how can I do?

Thanks.

With the CVE fixed, I propose we release 0.18.0

@simo5 @thijskh WDYT?

In cases where there are multiple IdPs, it would be nice to be able to specify a default IdP entity ID to use when one is not explicitly set.

Currently, am_first_idp doesn't always return the first IdP specified in the configuration. It calls g_hash_table_get_keys to get the server keys and I believe the ordering of the result is not defined.

Would it be possible to have a MellonDefaultIdP option, or can this only be done using a discovery URL?

Thanks
Vittal

It is recorded in the error log.

[Fri Sep 18 03:31:51.544799 2020] [mpm_prefork:notice] [pid 1] AH00171: Graceful restart requested, doing restart
[Fri Sep 18 03:31:51.564763 2020] [auth_mellon:error] [pid 3186] [client 127.0.0.1:55440] apr_global_mutex_lock() failed [22]: Invalid argument

Mutex freed by parent process during gracefull restart but child process still in process.
struct am_mod_cfg_rec can't be reused. I think the specified pool is incorrect.

Steps to reproduce

1. Log in to IdP (get a mellon session)
2. ab -n 10000 -c 20 -C mellon-cookie=[sessionid] https://example.co.jp:10001/test.html
3. kill -s USR1 [httpd pid]

Steps to reproduce:

1. Go to https://echodata.epa.gov/echogov/test.print_hello. This URL is protected with MellonEnable auth, as shown in our full configuration below.

What should happen: Get redirected to our SAML login URL (https://echodata.epa.gov/saml/login?ReturnTo=/echogov/test.print_hello), or maybe directly to the IdP's login URL.

What does happen: 401 Unauthorized.

Notes: The User Guide says, "If [the user] isn't authenticated then Mellon will redirect to the login page of the configured IdP." But this isn't happening.

Are we doing something wrong? Our full mod_auth_mellon configuration is below. We're using mod_auth_mellon 0.14.0-9.el7_9 in RHEL7.

Thanks, Andrew

MellonCacheSize 100
MellonLockFile "/run/mod_auth_mellon/lock"
MellonPostDirectory "/var/cache/httpd/mod_auth_mellon/postdata"
MellonPostCount 1000

<Location />
  Require all denied
  MellonEnable info
  MellonEndpointPath /saml/
  MellonSessionLength 900
  MellonCookieDomain epa.gov
  MellonSecureCookie on
  MellonCookieSameSite Strict
  MellonSPPrivateKeyFile key.pem
  MellonSPCertFile       crt.pem
  MellonIdPMetadataFile  idp-metadata.xml
  MellonIdP IDP
  MellonUser uid
</Location>

<Location /saml>
    Require all granted
</Location>
 
<Location /echogov>
  <LimitExcept OPTIONS>
    Require valid-user
    AuthType mellon
    MellonEnable auth
    MellonCond memberof (^|,)echogov(,|$) [REG]
  </LimitExcept>
  <Limit OPTIONS>
    Require all granted
    AuthType mellon
    MellonEnable info
  </Limit>
</Location>

Hello,

I'm planning to implement mod_auth_mellon for SAML base authentication on apache reverse proxy but we have 100+ URLs to migrate on SAML SSO authentication but instated of multiple SP metadata file, Shall we use single metadata(means wild card SP metadata) file ?
Is it possible in Mellon? Please help me on this

My IdMS by default only signs the entire SAML response but does not sign the assertion within the response. Does mellon require a signed assertion? If so, is there are way to toggle that?

I'm getting this when receiving the assertion in the mellon diagnostics.. The assertion appears to be correctly decrypted because I can see the principal's attributes in the mellon diagnostics.

[APLOG_ERR auth_mellon_handler.c:2203] Error processing authn response. Lasso error: [440] The profile cannot verify a signature on the message, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Success", StatusCode2="(null)", StatusMessage="(null)"
thanks ahead of time!

After having setup mod_auth_mellon in combination with an IdP that requires (and is reflected in metadata of the IdP with WantAuthnRequestsSigned="true") signed authentication requests.

I cannot seem to get a signed request configured in the module.

Certificate/key check out, and i can verify them being correctly read with the mellon_diagnostics, still i cant get the module to sign the request,

Env :

• CentOS 8
• httpd-2.4.37-30.module_el8.3.0+561+97fdbbcc.x86_64
• mod_auth_mellon-0.14.0-11.el8.x86_64
• mod_auth_mellon-diagnostics-0.14.0-11.el8.x86_64

httpd conf :

`
<Location / >
MellonEnable info
MellonEndpointPath /mellon/
MellonSPentityId "https://monitor.hostname.nl/mellon/metadata"
MellonSPCertFile /etc/httpd/saml2/certificate.crt
MellonSPPrivateKeyFile /etc/httpd/saml2/certificate.key
MellonIdPMetadataFile /etc/httpd/saml2/idp_metadata.xml
MellonOrganizationName "nl" "MyOrg"
MellonOrganizationURL "nl" "https://www.myorg.nl"
MellonOrganizationDisplayName "nl" "MyOrg"
MellonVariable "cookie"
MellonSecureCookie On
MellonCookiePath /
MellonCookieSameSite lax
MellonUser "user_id"
MellonSetEnvNoPrefix "user_id" "user_id"

<Location /myorg >
AuthType Mellon
MellonEnable auth
Require valid-user

`

So am i missing something here, or have i misconfigured .. i cant seem to determine why my authnrequest is not signed ?

Stuff tried so far :

• the certificate/key i am using is a wildcard/signed/payed certificate (Sectigo)
• the certificate/key have also been converted to PEM format ( and without) --> no change was seen in either cases

(This may be a general SAML question, my apologies. I'm not getting a lot of assistance from my IdP)

My IdP signs the SAML assertion. In mellon diagnostics I can see that the assertion is decrypted because I see the principal's attributes, but it fails signature verification with [APLOG_ERR auth_mellon_handler.c:2203] Error processing authn response. Lasso error: [440] The profile cannot verify a signature on the message, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Success", StatusCode2="(null)", StatusMessage="(null)"

My question - what cert does mellon use to verify the signature? Is it from the system key chain or from the IdP's metadata?

Thanks ahead of time!

Hi,

I'm using Apache + Mellon as a reverse proxy (SP) in front of a web app. Everything works fine except logging out. When a user wants to logout, they send a GET request to https://10.236.90.134/sso/logout?ReturnTo=https%3A%2F%2Fwww.example.com%2Fblahblah%2F but they get a 400 Bad request response with the following error:

Unable to process logout response. Lasso error: [440] The profile cannot verify a signature on the message, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Success", StatusCode2="(null)", StatusMessage="(null)"

The users are actually logged out, this does work. However they get an error page on screen instead of a redirect to the ReturnTo url.

Versions:

• one Docker container with Ubuntu 20.04, Apache 2.4 and liblasso3 2.6.0
• another container with SimpleSamlPhp IDP 1.15

IDP metadata

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://10.236.90.134:8123/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDXTCCAkWgAwIBAgIJALmVVuDWu4NYMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTYxMjMxMTQzNDQ3WhcNNDgwNjI1MTQzNDQ3WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzUCFozgNb1h1M0jzNRSCjhOBnR+uVbVpaWfXYIR+AhWDdEe5ryY+CgavOg8bfLybyzFdehlYdDRgkedEB/GjG8aJw06l0qF4jDOAw0kEygWCu2mcH7XOxRt+YAH3TVHa/Hu1W3WjzkobqqqLQ8gkKWWM27fOgAZ6GieaJBN6VBSMMcPey3HWLBmc+TYJmv1dbaO2jHhKh8pfKw0W12VM8P1PIO8gv4Phu/uuJYieBWKixBEyy0lHjyixYFCR12xdh4CA47q958ZRGnnDUGFVE1QhgRacJCOZ9bd5t9mr8KLaVBYTCJo5ERE8jymab5dPqe5qKfJsCZiqWglbjUo9twIDAQABo1AwTjAdBgNVHQ4EFgQUxpuwcs/CYQOyui+r1G+3KxBNhxkwHwYDVR0jBBgwFoAUxpuwcs/CYQOyui+r1G+3KxBNhxkwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAAiWUKs/2x/viNCKi3Y6blEuCtAGhzOOZ9EjrvJ8+COH3Rag3tVBWrcBZ3/uhhPq5gy9lqw4OkvEws99/5jFsX1FJ6MKBgqfuy7yh5s1YfM0ANHYczMmYpZeAcQf2CGAaVfwTTfSlzNLsF2lW/ly7yapFzlYSJLGoVE+OHEu8g5SlNACUEfkXw+5Eghh+KzlIN7R6Q7r2ixWNFBC/jWf7NKUfJyX8qIG5md1YUeT6GBW9Bm2/1/RiO24JTaYlfLdKK9TYb8sG5B+OLab2DImG99CJ25RkAcSobWNF5zD0O6lgOo3cEdB/ksCq3hmtlC/DlLZ/D8CJ+7VuZnS1rR2naQ==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDXTCCAkWgAwIBAgIJALmVVuDWu4NYMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTYxMjMxMTQzNDQ3WhcNNDgwNjI1MTQzNDQ3WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzUCFozgNb1h1M0jzNRSCjhOBnR+uVbVpaWfXYIR+AhWDdEe5ryY+CgavOg8bfLybyzFdehlYdDRgkedEB/GjG8aJw06l0qF4jDOAw0kEygWCu2mcH7XOxRt+YAH3TVHa/Hu1W3WjzkobqqqLQ8gkKWWM27fOgAZ6GieaJBN6VBSMMcPey3HWLBmc+TYJmv1dbaO2jHhKh8pfKw0W12VM8P1PIO8gv4Phu/uuJYieBWKixBEyy0lHjyixYFCR12xdh4CA47q958ZRGnnDUGFVE1QhgRacJCOZ9bd5t9mr8KLaVBYTCJo5ERE8jymab5dPqe5qKfJsCZiqWglbjUo9twIDAQABo1AwTjAdBgNVHQ4EFgQUxpuwcs/CYQOyui+r1G+3KxBNhxkwHwYDVR0jBBgwFoAUxpuwcs/CYQOyui+r1G+3KxBNhxkwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAAiWUKs/2x/viNCKi3Y6blEuCtAGhzOOZ9EjrvJ8+COH3Rag3tVBWrcBZ3/uhhPq5gy9lqw4OkvEws99/5jFsX1FJ6MKBgqfuy7yh5s1YfM0ANHYczMmYpZeAcQf2CGAaVfwTTfSlzNLsF2lW/ly7yapFzlYSJLGoVE+OHEu8g5SlNACUEfkXw+5Eghh+KzlIN7R6Q7r2ixWNFBC/jWf7NKUfJyX8qIG5md1YUeT6GBW9Bm2/1/RiO24JTaYlfLdKK9TYb8sG5B+OLab2DImG99CJ25RkAcSobWNF5zD0O6lgOo3cEdB/ksCq3hmtlC/DlLZ/D8CJ+7VuZnS1rR2naQ==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://10.236.90.134:8123/simplesaml/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://10.236.90.134:8123/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

SP metadata

<EntityDescriptor entityID="https://10.236.90.134" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIICtzCCAZ8CFEUtASYLIccb5sAB93TDjxfzgRgwMA0GCSqGSIb3DQEBCwUAMBgx
FjAUBgNVBAMMDTEwLjIzNi45MC4xMzQwHhcNMjEwMjE2MjI0MTA4WhcNMzEwMjE2
MjI0MTA4WjAYMRYwFAYDVQQDDA0xMC4yMzYuOTAuMTM0MIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAqrQWOmHNK0eR1s5UrBHMUYTEcKF4eZFv/duJx9I0
d7DOpOPfuurMM0xP9RqPdjlQUUshbrRj6aCdfI3WSqG11slTr1J5tPzE6TizqfwX
K3AhRPBYPEfHFdeRPXSInfL41dSXvnT6qqZRKdBUxgMPgW3SN3eZycltFnByevCb
DhxLn9gt3WyOKmgZqItH9gnl3r5H8UAALXOyFj6kvfZTktEwDyGqKoZ1Dobk3fEf
RbgzLTz4yDI+A/o1LyVSR3BJ+nIDTxDFFlAT+H4/nBvdV1InerE00HqV8kDPog1i
C8pv9aX/nqVGTDMbcfravfhKnPSa48m2DTj/JR9NNZu9kwIDAQABMA0GCSqGSIb3
DQEBCwUAA4IBAQBJ9kR0ix6vWgGsXJE/QzQcJPZsXYao6N40K1P/I+N0+LF8jqEx
cpdHddc8XMrMaqY7G/mNqLSneIz81ly2/BTq0n0YgVX+lVTEnB+bZ1nassjDZktJ
BCfHEKRVEgQzA+FMzqfUgBx80I1LWJXx78J4m1CKOq8IOJ2k1/b3jKJzuBkxaJr4
uV3N48e9y+p3ydvZocOlOSX9GHkfzNm6fkFpQKNE8eqRYukXh5YCLsyCxV8goIF8
tfq8IqJFH8Y90nMmoPr0E5JaZfuM3FDiYhzcKYh63TPUjEdbTUHv//TuTqKTYdcV
ljKRgBy0i4+ytEoB+ktWt3ZZjbbVPIOOOzmR</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://10.236.90.134/sso/logout"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://10.236.90.134/sso/postResponse" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>

Mellon configuration

    <Location />
        Require                valid-user
        MellonEnable           auth
        MellonEndpointPath     /sso
        MellonIdPMetadataFile  /etc/apache2/mellon/idp-metadata.xml
        MellonSPMetadataFile   /etc/apache2/mellon/sp-metadata.xml
        MellonSPCertFile       /etc/apache2/mellon/sp-certificate.cert
        MellonSPPrivateKeyFile /etc/apache2/mellon/sp-private-key.key
        MellonRedirectDomains  [self] www.example.com
    </Location>

Logout request XML

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_7378E171F2A71FB7AEB2FAF3764C6E35"
                     Version="2.0"
                     IssueInstant="2021-02-17T08:53:57Z"
                     Destination="http://10.236.90.134:8123/simplesaml/saml2/idp/SingleLogoutService.php"
                     >
    <saml:Issuer>https://10.236.90.134</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                 SPNameQualifier="https://10.236.90.134"
                 >_03c98b70c14a9ba9e88f42dc1d359a97f09c55ff5b</saml:NameID>
    <samlp:SessionIndex>_59f7f23c30d907331f2a2b6ddb2b5f70d08bb78c6e</samlp:SessionIndex>
</samlp:LogoutRequest>

Logout response XML

<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      ID="_1ac897f9735bbfc50558d28358c67533dee94e951b"
                      Version="2.0"
                      IssueInstant="2021-02-17T08:53:57Z"
                      Destination="https://10.236.90.134/sso/logout"
                      InResponseTo="_7378E171F2A71FB7AEB2FAF3764C6E35"
                      >
    <saml:Issuer>http://10.236.90.134:8123/simplesaml/saml2/idp/metadata.php</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
</samlp:LogoutResponse>

Hi,

I have tried to use cronolog for MellonDiagnosticsFile file, like:

MellonDiagnosticsFile    "|/usr/local/sbin/cronolog /var/log/mellon-diag.%Y%m%d.log"

like is already used for CustomLog and ErrorLog directives (apache 2.4). Unfortunately, mod_auth_mellon throws error:

(2)No such file or directory: could not open mellon diagnostics log file /usr/local/apache/|/usr/local/sbin/cronolog /var/log/mellon-diag.%Y%m%d.log

So, my questions is: how to use piped program? Seems module adds/uses value of ServerRoot variable as prefix.

Thanks in advance:

P.S: Documentation says:

# If the value is preceeded by the pipe character "|" it should be followed
# by a path to a program to receive the log information on its standard input.

Discussed in #83

I am having trouble using values that are returned from Azure after a successful SAML authentication.

I've created a simple PHP script found in the documentation to see the Mellon environment variables. Here are a few sample lines of that output:

MELLON_NAME_ID=Abcde12345/AbCdEfGhIjKlMnOp1234567890123456=
MELLON_IDP=https://sts.windows.net/1234abcd-12ab-12ab-12ab-0123456789ab/
MELLON_http://schemas_xmlsoap_org/ws/2005/05/identity/claims/[email protected]

I need to set one value from these claim to another header "X-Remote-User". It seems that I cannot use the values from the claims which have "URLs" in their key names.

I can do this:
RequestHeader set X-Remote-User %{MELLON_IDP}e

But this does not work, I will get the value "(null)":
RequestHeader set X-Remote-User %{MELLON_http://schemas_xmlsoap_org/ws/2005/05/identity/claims/emailaddress}e

I've tried to use MellonSetEnv like:
MellonSetEnv "EMAIL" "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/emailaddress"
But I still can only get a "(null)" string in X-Remote-User. What am I doing wrong? Or could this be a bug somehow? Even when I use MellonSetEnv, it seems that the environment variable never gets created - I cannot see it in any PHP server variable.

Either travis or anything else that will do the job really, any takers ?

[Wed Mar 17 13:16:53.658967 2021] [auth_mellon:crit] [pid 10:tid 140046811088000] (22)Invalid argument: Failed to set permissions on session table lock; check User and Group directives [Wed Mar 17 13:16:53.658996 2021] [:emerg] [pid 10:tid 140046811088000] AH00020: Configuration Failed, exiting [Wed Mar 17 13:16:53.659990 2021] [unixd:alert] [pid 12:tid 140046811088000] AH02155: getpwuid: couldn't determine user name from uid 4294967295, you probably need to modify the User directive

Should I be running with a User and Group other than the default?
User: name="#-1" id=4294967295 Group: name="#-1" id=4294967295

Hello everyone,

I would like you to help my with something that I think is straightforward but I haven't been able to do it, I need to expose some mellon environmental variables comming from the idp to my node js backend in request header with RequestHeader, This is what I did in my config file regarding mellon:

       <Location />
            # Add information from the mod_auth_mellon session to the request.
            MellonEnable "info"
            # MellonSessionLength 120
            # Configure the SP metadata
            # This should be the files which were created when creating SP metadata.
            MellonSPPrivateKeyFile /etc/apache2/mellon/http_XXXXXXX_saml.key

            MellonSPCertFile /etc/apache2/mellon/http_XXXXXXX_saml.cert
            MellonSPMetadataFile /etc/apache2/mellon/http_XXXXXXX_saml.xml

            # IdP metadata. This should be the metadata file you got from the IdP.
            MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml

            MellonSamlResponseDump On
            MellonIDP "IDP"
            MellonSetEnv "username" "username"

            RequestHeader set MELLON_name "%{MELLON_name}e"
            RequestHeader set MELLON_emailaddress "%{MELLON_emailaddress}e"

            # The location all endpoints should be located under.
            # It is the URL to this location that is used as the second parameter to the metadata generation script.
            # This path is relative to the root of the web server.
            MellonEndpointPath /callback
    </Location>

    # This is a location that will trigger authentication when requested.
    <Location />
          # This location will trigger an authentication request to the IdP.
            MellonEnable "auth"
    </Location>

I can see the variables in node js after setting in the config file, but they have the value "(null)", all the process of federating is working pretty well, but this part of my backend knows the attributes has been really difficult, please advice.

Thank you very much.

Jhon Jairo.

Hello, mod_auth_mellon developer. I want to share a session between multiple Apache, does mod_auth_mellon have a session sharing feature? For example, it stores the session to file, memcached, and redis, so that users can authenticate through server A, and then pass through server B without having to authenticate again.

Hello,

we have configured our Apache using the mellon auth to use samle2.0 in our company.

Our test index page is redirected successfully after authentication in Edge. However, in IE11 which is used heavily in our company returns bad request error. The SSL error log says “User has disabled cookies or has lost the cookie before returning from SAML2.0 login server. Referer:[a web page]

I have used the developer tool network tab in IE and saw that mellon-cookie is set to cookietest at some point and never set to a session id later. The communication is stuck at the postResponse endpoint.

Please help. Thanks!

Hello,

I have hosted multiple URLs on apache server and help of mellon protect all URLs but earlier I have tested with single URL and working fine.
But 2nd scenarios is that I need to protect all URLs with single metadata file of IdP and getting error such as "Bad Request" for new add URL.
Does mellon module support for multiple URL to protect with single metadata file of IdP ?