libapache2-mod-auth-mellon

This is a SAML Service Provider (SP) module for Apache: it authenticates users against a SAML Identity Provider (IdP) such as SimpleSAMLphp. It is built on the Lasso library.

Test installation on Debian bullseye/buster/stretch (the self-signed snakeoil key and the debug dumps below are for testing only):

apt install libapache2-mod-auth-mellon apache2 ssl-cert

# https://github.com/latchset/mod_auth_mellon/
# Appends to the module's config shipped by the package (mods-enabled/ links
# to mods-available/)
cat <<'EOF' >> /etc/apache2/mods-enabled/auth_mellon.conf
<Location /secret>
        Require valid-user
        AuthType "Mellon"
        MellonEnable "auth"
        # SAML attribute exported as REMOTE_USER; the IdP must release it
        MellonUser "uid"
        # Uncomment to admit only users carrying this attribute value;
        # without it every account the IdP authenticates is accepted
        #MellonRequire "eduPersonAffiliation" "employee"
        MellonEndpointPath "/secret/endpoint"
        # Test only: the snakeoil pair is a generic self-signed certificate
        # generated at install time; use a dedicated SP key pair in production
        MellonSPPrivateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        MellonSPCertFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
        # Debug only: writes complete SAML responses and session contents
        # (attributes, NameID) to error.log; set both to Off in production
        MellonSamlResponseDump On
        MellonSessionDump On
        # For the debug CGI page below
        AddHandler cgi-script .cgi
        Options +ExecCGI
</Location>
EOF

# Install your IdP's metadata in /etc/apache2/mellon/idp-metadata.xml
# For SimpleSAMLphp, get it from Federation > Show metadata
service apache2 restart
# Fetch the generated SP metadata through the scheme and host name users will
# use: mod_auth_mellon derives the entityID and endpoint URLs from this
# request, so an http:// fetch produces metadata with http:// endpoints
curl http://$(hostname -f)/secret/endpoint/metadata

# Register this metadata in your IdP
# For SimpleSAMLphp, copy-paste it in Federation > Tools > XML to
# SimpleSAMLphp metadata converter, and add the result to
# /etc/simplesamlphp/metadata/saml20-sp-remote.php

# Quick debug page (escapes its output: REMOTE_USER and the MELLON_* variables
# come from the IdP, the HTTP_* ones from the client)
mkdir /var/www/html/secret/
cat <<'EOF' > /var/www/html/secret/index.cgi
#!/bin/bash
# HTML-escape stdin so echoed attribute values and headers cannot inject markup
esc() { sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'; }
echo "Content-Type: text/html"
echo
echo "Welcome $(printf '%s' "$REMOTE_USER" | esc)"
echo "<a href='endpoint/logout?ReturnTo=/'>logout</a>"
echo "<pre>"
env | esc   # MELLON_* variables carry the SAML attributes
echo "</pre>"
EOF
chmod 755 /var/www/html/secret/index.cgi
a2enmod cgid
service apache2 restart

# Then open http://localhost/secret/ in a browser

Following the logout link returns an error page (apache2/error.log reports a problem with the signature of the logout message), but the user is nonetheless logged out. If this matters, check that the certificate in idp-metadata.xml is the one the IdP signs its logout messages with.
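Before moving this test install toward production, a practitioner would want an automated check for the test-only settings above. The following shell script is an added example, not part of this page or of mod_auth_mellon: it lints an auth_mellon.conf for the debug dump directives, the snakeoil key and a missing MellonRequire/MellonCond, and checks that the SP metadata advertises https endpoints. The key paths under /etc/apache2/mellon/, the sp.example.org metadata and the two sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of this page or of mod_auth_mellon: a pre-production
# lint for the setup above. It flags the debug-only dump directives, the
# snakeoil key, a missing MellonRequire/MellonCond, and SP metadata whose
# endpoints are plain http. Paths and sample inputs are constructed so that
# the script runs offline.

# Exit 0 if the Apache config $1 is free of test-only settings; otherwise print
# each finding and exit 1.
lint_mellon_conf() {
    conf=$1
    rc=0
    # Drop comments first so that "#MellonSessionDump On" is not reported.
    stripped=$(sed 's/#.*//' "$conf")
    for d in MellonSamlResponseDump MellonSessionDump; do
        if printf '%s\n' "$stripped" | grep -Eiq "^[[:space:]]*$d[[:space:]]+\"?On\"?"; then
            echo "$conf: $d On writes full SAML responses/session data to error.log"
            rc=1
        fi
    done
    if printf '%s\n' "$stripped" | grep -q 'ssl-cert-snakeoil'; then
        echo "$conf: SP signing key is the generic snakeoil key; use a dedicated SP key pair"
        rc=1
    fi
    # Without MellonRequire/MellonCond, "Require valid-user" admits every
    # account the IdP is willing to authenticate.
    if ! printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*Mellon(Require|Cond)[[:space:]]'; then
        echo "$conf: no MellonRequire/MellonCond, any IdP user is accepted"
        rc=1
    fi
    return $rc
}

# Exit 0 if every endpoint Location in SP metadata $1 is https; otherwise list
# the http ones and exit 1. mod_auth_mellon builds these URLs from the request
# that fetched /endpoint/metadata, so an http:// fetch yields http:// endpoints.
lint_sp_metadata() {
    meta=$1
    bad=$(grep -o 'Location="[^"]*"' "$meta" | grep -v 'Location="https://' || true)
    if [ -n "$bad" ]; then
        echo "$meta: plain-http endpoint(s) in SP metadata:"
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# --- constructed sample inputs --------------------------------------------
tmp=$(mktemp -d)

# The test config from this page, as written.
cat >"$tmp/test.conf" <<'EOF'
<Location /secret>
        Require valid-user
        AuthType "Mellon"
        MellonEnable "auth"
        MellonUser "uid"
        #MellonRequire "eduPersonAffiliation" "employee"
        MellonEndpointPath "/secret/endpoint"
        MellonSPPrivateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        MellonSPCertFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
        MellonSamlResponseDump On
        MellonSessionDump On
</Location>
EOF

# The same block with the test-only settings replaced (key paths are assumptions).
cat >"$tmp/prod.conf" <<'EOF'
<Location /secret>
        Require valid-user
        AuthType "Mellon"
        MellonEnable "auth"
        MellonUser "uid"
        MellonRequire "eduPersonAffiliation" "employee"
        MellonEndpointPath "/secret/endpoint"
        MellonSPPrivateKeyFile /etc/apache2/mellon/sp.key
        MellonSPCertFile /etc/apache2/mellon/sp.crt
        MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
        MellonSamlResponseDump Off
        MellonSessionDump Off
</Location>
EOF

# Trimmed SP metadata as produced by fetching the endpoint over http, then https.
cat >"$tmp/sp-http.xml" <<'EOF'
<md:EntityDescriptor entityID="http://sp.example.org/secret/endpoint/metadata">
  <md:SPSSODescriptor>
    <md:AssertionConsumerService Location="http://sp.example.org/secret/endpoint/postResponse" index="0"/>
    <md:SingleLogoutService Location="http://sp.example.org/secret/endpoint/logout"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
sed 's#http://#https://#g' "$tmp/sp-http.xml" >"$tmp/sp-https.xml"

# Usage on a real host:
#   lint_mellon_conf /etc/apache2/mods-enabled/auth_mellon.conf
#   lint_sp_metadata sp-metadata.xml
for f in test.conf prod.conf; do
    if lint_mellon_conf "$tmp/$f"; then echo "$f: ok"; fi
done
for f in sp-http.xml sp-https.xml; do
    if lint_sp_metadata "$tmp/$f"; then echo "$f: ok"; fi
done
```

Run it once against the page's own config to see the four findings, then point it at the real auth_mellon.conf and at the metadata you registered with the IdP; an http endpoint in the registered metadata means the IdP will POST assertions to a plaintext URL.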

Copyright (C) 2025 Sylvain Beucler