==========================
libapache2-mod-auth-mellon
==========================

This is a SAML client, to connect to a SAML Identity Provider
e.g. :doc:`simplesamlphp`.

It uses the :doc:`lasso` library.

Test install for bullseye/buster/stretch:

.. code-block:: bash

   apt install libapache2-mod-auth-mellon apache2 ssl-cert

   # https://github.com/latchset/mod_auth_mellon/
   cat <<'EOF' >> /etc/apache2/mods-enabled/auth_mellon.conf
   # Container path /secret is assumed from MellonEndpointPath and the debug page below
   <Location /secret>
       Require valid-user
       AuthType "Mellon"
       MellonEnable "auth"
       MellonUser "uid"
       #MellonRequire "eduPersonAffiliation" "employee"
       MellonEndpointPath "/secret/endpoint"
       MellonSPPrivateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
       MellonSPCertFile /etc/ssl/certs/ssl-cert-snakeoil.pem
       MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
       # debug
       MellonSamlResponseDump On
       MellonSessionDump On

       AddHandler cgi-script .cgi
       Options +ExecCGI
   </Location>
   EOF

   # Install your IdP's metadata in /etc/apache2/mellon/idp-metadata.xml
   # For SimpleSAMLphp, get it from Federation > Show metadata

   service apache2 restart
   curl http://$(hostname -f)/secret/endpoint/metadata
   # Register this metadata in your IdP
   # For SimpleSAMLphp, copy-paste it in Federation > Tools > XML to
   # SimpleSAMLphp metadata converter, and add the result to
   # /etc/simplesamlphp/metadata/saml20-sp-remote.php

   # Quick debug page
   mkdir /var/www/html/secret/
   cat <<'EOF' > /var/www/html/secret/index.cgi
   #!/bin/bash
   echo "Content-Type: text/html"
   echo
   echo "Welcome $REMOTE_USER"
   # Logout goes through the Mellon endpoint; the ReturnTo target is assumed
   echo "<a href='/secret/endpoint/logout?ReturnTo=/'>logout</a>"
   echo "<pre>"
   env
   echo "</pre>"
   EOF
   chmod 755 /var/www/html/secret/index.cgi
   a2enmod cgid
   service apache2 restart
   # http://localhost/secret/

The logout link sends an error (``apache2/error.log`` mentions an
issue with signature) but does log out.

| Copyright (C) 2025 Sylvain Beucler