Matt Weber

Setting up mod_auth_mellon with Okta SAML

I'm trying to set up SAML authentication to an internal Apache2 web server. I've set up a basic SAML app in Okta with Single sign on URL: http://192.168.14.130/ and Audience URI (SP Entity ID): http://192.168.14.130/okta. My one enabled Apache site is the default 000-default.conf with the following added to the beginning:
<Location />
    Require valid-user
    AuthType "Mellon"
    MellonEnable "auth"
    MellonDecoder "none"
    MellonVariable "cookie"
    MellonSecureCookie On
    MellonUser "NAME_ID"
    MellonSetEnv "e-mail" "mail"
    MellonEndpointPath "/endpoint"
    MellonDefaultLoginPath "/"
    MellonSessionLength 300
    MellonSPPrivateKeyFile /etc/apache2/mellon/http_192.168.14.130_okta.key
    MellonSPCertFile /etc/apache2/mellon/http_192.168.14.130_okta.cert
    MellonIdPMetadataFile /etc/apache2/mellon/metadata
    MellonSamlResponseDump On
    MellonSessionDump On
</Location>

When I attempt to access http://192.168.14.130, I get a redirect loop. Can anyone give me any direction in getting this set up correctly?
Kyle Andersen (Okta, Inc.)
Matt,

I would recommend looking at SAML Tracer (Firefox Addon) to determine what is being sent in your assertion and compare it to what you're expecting. Although Okta Support can't directly help setup your custom site, we can help in troubleshooting if you would like to open a support case (both in the setup of the Okta application and reviewing the Okta logs, which could point to the problem you're experiencing). If you're looking for assistance in setting this custom site up, bring that up in the support case and we can make sure to direct that request to the correct teams.

Thank You,
Kyle Andersen
Okta Global Customer Care
Jason Ziemba
Matt Weber, did you ever get this sorted out and working properly? If so, can you share your final configuration?
Matt Weber
I did! It turned out to be the configuration on the Okta end that I didn't quite have right. My apache config is mostly the same:
<Location />
    Require valid-user
    AuthType "Mellon"
    MellonEnable "auth"
    MellonVariable "cookie"
    #MellonSecureCookie On
    MellonCookiePath /
    MellonUser "NAME_ID"
    MellonSessionDump Off
    MellonSamlResponseDump Off
    MellonEndpointPath "/endpoint"
    MellonDefaultLoginPath "/"
    MellonSessionLength 43200
    MellonSPPrivateKeyFile /etc/apache2/mellon/mellon.key
    MellonSPCertFile /etc/apache2/mellon/mellon.cert
    MellonIdPMetadataFile /etc/apache2/mellon/metadata
    MellonRedirectDomains [self] myorg.okta.com
</Location>

The MellonRedirectDomains line is the only change that I think is really important here. The Okta configuration ended up looking like this:
Single sign on URL: https://mysite/endpoint/postResponse
Audience URI: https://mysite/endpoint/metadata

I think that's all of the relevant information.
Peter Podlesnyy
Matt, hope all is well! I am running into the same loop issue. Tried all of your settings, but the issue is still the same. What parameters did you provide to the "mellon_create_metadata.sh" script?
Matt Weber
I'm having a little trouble tracking down exactly what arguments I used for that, but from what I can remember I don't think it matters much. All that script does is create the cert and key files and the SP metadata. I believe I got rid of the metadata file, because all it does is specify some of the settings that you can set in the Apache config. The script takes entity ID and endpoint URL as its arguments, so for the config I posted above, I think the correct command line is:
mellon_create_metadata.sh https://mysite/okta https://mysite/endpoint
I strongly suspect your issue is somewhere else though. If you want to post your apache config and the arguments in your Okta app config, I'd be happy to see if I could spot the issue.
Peter Podlesnyy
Matt - I believe I just got it to work! I recreated the app in Okta and double checked your settings. I also commented out the XML created by the mellon_create_metadata.sh (per your recommendation). In my case, just like you, I'm trying to secure the whole site (Location /), so my httpd.conf (RHEL) is very similar to yours. Okta app settings are 100% the same.

<Location />
    Require valid-user
    AuthType "Mellon"
    MellonEnable "auth"
    MellonVariable "cookie"
#    MellonSecureCookie On
    MellonCookiePath /
    MellonUser "NAME_ID"
    MellonSessionDump Off
    MellonSamlResponseDump Off
    MellonEndpointPath "/endpoint"
    MellonDefaultLoginPath "/"
    MellonSessionLength 43200
    MellonSPPrivateKeyFile /etc/httpd/mellon/http_hostname.example.local_fsd855d.key
    MellonSPCertFile /etc/httpd/mellon/http_hostname.example.local_fsd855d.cert
#    MellonSPMetadataFile /etc/httpd/mellon/http_hostname.example.local_fsd855d.xml
    MellonIdPMetadataFile /etc/httpd/mellon/idp-metadata.xml
#    MellonSamlResponseDump On
#    MellonSessionDump On
    MellonRedirectDomains [self] dev-XXXXXX.oktapreview.com
</Location>

One more thing if anyone tries to run this on RHEL 7. The current version of mod_auth_mellon that ships with this distro, as of today, only includes v0.11. The MellonRedirectDomains directive has only been implemented in v0.12 and above, so you'll need to compile this module from source. Hopefully sometime in the future Red Hat will update this module in their repos so that won't be the case, but until then, use the README that has all the compile instructions and deps.

Matt - huge thanks for your help and starting this thread!