I am trying to get a test working with Apache and the Mellon SAML module.
The configuration that I am trying to get to work basically is what is described in:
https://jdennis.fedorapeople.org/doc/mellon-install/mellon-install-guide.html
except that I am using a different DNS domain name for the base domain (jlfoo.com).
Like that page above, I am trying to protect "/private".
The problem(s) I am seeing is that when I test, I am not getting a login page at all... the browser just goes to an "Unauthorized" page.
When I look in the logs, I see 2 errors:
a) Mon Mar 17 09:36:40.822699 2025] [auth_mellon:error] [pid 15715:tid 15795] [client 100.36.177.53:55700] Error processing authn response. Lasso error: [-432] Status code is not success, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Requester", StatusCode2="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy", StatusMessage="(null)", referer: https://idcs-697d8bc1d228424cb0f6b7b9fa1f015a.identity.oraclecloud.com/
and:
b) [Mon Mar 17 09:37:16.194532 2025] [auth_mellon:error] [pid 15715:tid 15785] [client 100.36.177.53:55710] Endpoint "index.html" not handled by mod_auth_mellon.
Here's my mellon.conf file (which I "include" in the Apache httpd.conf):
<Location / >
MellonEnable info
MellonEndpointPath /mellon/
MellonSPMetadataFile /apps/httpd2.4/conf/mellon/https_apachesaml01.jlfoo.com_mellon_metadata.xml
MellonSPPrivateKeyFile /apps/httpd2.4/conf/mellon/https_apachesaml01.jlfoo.com_mellon_metadata.key
MellonSPCertFile /apps/httpd2.4/conf/mellon/https_apachesaml01.jlfoo.com_mellon_metadata.cert
MellonIdPMetadataFile /apps/httpd2.4/conf/mellon/IDCSMetadata.xml
MellonIdPPublicKeyFile /apps/httpd2.4/conf/mellon/IDCSCertificate.pem
</Location>
<Location /private >
AuthType Mellon
MellonEnable auth
Require valid-user
</Location>
I know that mod_auth_mellon is old and, I think, is not being supported any more, but I was hoping someone here might be familiar with it and give me some hints about what to look for?
EDIT: Apologies, I forgot to include the SP metadata that I am using for the Apache/Mellon side:
[orcladmin@apachesaml01 mellon]$ cat https_apachesaml01.jlfoo.com_mellon_metadata.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://apachesaml01.jlfoo.com/mellon/metadata">
<SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIICyTCCAbECFGiWScEOgKh+SolrnpiaYfk9H5ieMA0GCSqGSIb3DQEBCwUAMCEx
HzAdBgNVBAMMFmFwYWNoZXNhbWwwMS5qbGZvby5jb20wHhcNMjUwMzE3MTAxNDM1
WhcNMzUwMzE3MTAxNDM1WjAhMR8wHQYDVQQDDBZhcGFjaGVzYW1sMDEuamxmb28u
Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqaYgpwZBYhCYFCnT
.
.
.
LH0fnonONikLaVqxrBcmlG0VBuxSEN/QC7C
/pc9Z4sB2FoeGLjviz3zOW/iIndy+Q9Nr5uRphSvq0k7oBGhfnqMArM/xgoHh6vl
Vzm4HrJPZrpEwHrmbKXi3Zq+wzTF1GIKS0pPAtSiw2xbWmJJUWAZXs+zIdvZ</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIICyTCCAbECFGiWScEOgKh+SolrnpiaYfk9H5ieMA0GCSqGSIb3DQEBCwUAMCEx
HzAdBgNVBAMMFmFwYWNoZXNhbWwwMS5qbGZvby5jb20wHhcNMjUwMzE3MTAxNDM1
WhcNMzUwMzE3MTAxNDM1WjAhMR8wHQYDVQQDDBZhcGFjaGVzYW1sMDEuamxmb28u
.
.
.
NwtYvkiZzmCV85Mufiz/APZMCfxmp26be+4o8Tiy5tFN+Ii822hpB2
TPelL/jw6KI5AgYpTyEdyUML/F6emLH0fnonONikLaVqxrBcmlG0VBuxSEN/QC7C
/pc9Z4sB2FoeGLjviz3zOW/iIndy+Q9Nr5uRphSvq0k7oBGhfnqMArM/xgoHh6vl
Vzm4HrJPZrpEwHrmbKXi3Zq+wzTF1GIKS0pPAtSiw2xbWmJJUWAZXs+zIdvZ</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://apachesaml01.jlfoo.com:18443/mellon/logout"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://apachesaml01.jlfoo.com:18443/mellon/logout"/>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:userID</NameIDFormat>
<AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://apachesaml01.jlfoo.com:18443/mellon/postResponse"/>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://apachesaml01.jlfoo.com:18443/mellon/artifactResponse"/>
<AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://apachesaml01.jlfoo.com:18443/mellon/paosResponse"/>
</SPSSODescriptor>
</EntityDescriptor>
SAML assertions consist of a bunch of attributes one of which is designated the "NameID" and can be provided in several different formats (some SPs expect an email address, other SPs expect it to be an internal kind of unique ID, etc).
Your SP metadata asks for the urn:oasis:names:tc:SAML:2.0:nameid-format:userID type of NameID, which is – as far as I know – not actually a standard format at all, and the Oracle IdP is rejecting it as an unrecognized type.
Try changing the <NameIDFormat> tag to one of:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
I would also suggest using Shibboleth SP3 with mod_shib. It's slightly better-maintained.