Okta Classic Engine · Okta Integration Network · Answered · 2024-04-17 · 2017-03-01 · 2018-01-23
Setting up mod_auth_mellon with Okta SAML
I'm trying to set up SAML authentication to an internal Apache2 web server.  I've set up a basic SAML app in Okta with Single sign on URL: http://192.168.14.130/ and Audience URI (SP Entity ID): http://192.168.14.130/okta.  My one enabled Apache site is the default 000-default.conf with the following added to the beginning:

<Location />
    Require valid-user
    AuthType "Mellon"
    MellonEnable "auth"
    MellonDecoder "none"
    MellonVariable "cookie"
    MellonSecureCookie On
    MellonUser "NAME_ID"
    MellonSetEnv "e-mail" "mail"
    MellonEndpointPath "/endpoint"
    MellonDefaultLoginPath "/"
    MellonSessionLength 300
    MellonSPPrivateKeyFile /etc/apache2/mellon/http_192.168.14.130_okta.key
    MellonSPCertFile /etc/apache2/mellon/http_192.168.14.130_okta.cert
    MellonIdPMetadataFile /etc/apache2/mellon/metadata
    MellonSamlResponseDump On
    MellonSessionDump On
</Location>

When I attempt to access http://192.168.14.130, I get a redirect loop.  Can anyone give me any direction in getting this set up correctly?

  • Matt,

    I would recommend looking at SAML Tracer (Firefox Addon) to determine what is being sent in your assertion and compare it to what you're expecting. Although Okta Support can't directly help set up your custom site, we can help in troubleshooting if you would like to open a support case (both in the setup of the Okta application and reviewing the Okta logs, which could point to the problem you're experiencing). If you're looking for assistance in setting this custom site up, bring that up in the support case and we can make sure to direct that request to the correct teams.

    Thank You,

    Kyle Andersen

    Okta Global Customer Care
  • z0opa (z0opa)

    Matt Weber, did you ever get this sorted out and working properly?   If so, can you share your final configuration?
  • d71yu (d71yu)

    I did!  It turned out to be the configuration on the Okta end that I didn't quite have right.  My apache config is mostly the same:

    <Location />
        Require valid-user
        AuthType "Mellon"
        MellonEnable "auth"
        MellonVariable "cookie"
        #MellonSecureCookie On
        MellonCookiePath /
        MellonUser "NAME_ID"
        MellonSessionDump Off
        MellonSamlResponseDump Off
        MellonEndpointPath "/endpoint"
        MellonDefaultLoginPath "/"
        MellonSessionLength 43200
        MellonSPPrivateKeyFile /etc/apache2/mellon/mellon.key
        MellonSPCertFile /etc/apache2/mellon/mellon.cert
        MellonIdPMetadataFile /etc/apache2/mellon/metadata
        MellonRedirectDomains [self] myorg.okta.com
    </Location>

    The MellonRedirectDomains line is the only change that I think is really important here.  The Okta configuration ended up looking like this:

    Single sign on URL: https://mysite/endpoint/postResponse

    Audience URI: https://mysite/endpoint/metadata

    I think that's all of the relevant information.
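The answer above comes down to two URLs lining up: Okta's "Single sign on URL" has to be mod_auth_mellon's postResponse endpoint under MellonEndpointPath, and the "Audience URI" has to be the SP entityID, which mellon derives from the metadata endpoint when MellonSPentityId is not set. The following script is an added example for this thread, not code from the posters, Okta or the mod_auth_mellon project. It parses a Mellon `<Location>` block, derives the URLs Okta needs, reports any mismatch that would produce the redirect loop, and adds a short hardening review of the directives themselves. It assumes mellon's documented defaults (MellonEndpointPath `/mellon`, MellonSessionLength 86400, MellonSecureCookie Off); the two config snippets and the Okta values are constructed from the original post and the accepted answer.

```python
"""Check a mod_auth_mellon <Location> block against an Okta SAML app's settings.

Added example for this thread (not from Okta or mod_auth_mellon). Encodes two
facts used in the thread:
  * Okta "Single sign on URL" (the SP AssertionConsumerService) must be
    <MellonEndpointPath>/postResponse
  * Okta "Audience URI" (the SP entityID) is <MellonEndpointPath>/metadata
    unless MellonSPentityId overrides it
"""
import re
from urllib.parse import urljoin

# One Mellon directive per line; an optional leading '#' marks it commented out.
_DIRECTIVE = re.compile(r'^\s*(?P<hash>#)?\s*(?P<name>Mellon\w+)\s+(?P<value>.+?)\s*$')

# Constructed from the original post (caused the redirect loop).
ORIGINAL_POST_CONFIG = """
<Location />
    Require valid-user
    AuthType "Mellon"
    MellonEnable "auth"
    MellonSecureCookie On
    MellonUser "NAME_ID"
    MellonEndpointPath "/endpoint"
    MellonSessionLength 300
    MellonSamlResponseDump On
    MellonSessionDump On
</Location>
"""

# Constructed from the accepted answer (working).
FIXED_CONFIG = """
<Location />
    Require valid-user
    AuthType "Mellon"
    MellonEnable "auth"
    #MellonSecureCookie On
    MellonCookiePath /
    MellonUser "NAME_ID"
    MellonEndpointPath "/endpoint"
    MellonSessionLength 43200
    MellonRedirectDomains [self] myorg.okta.com
</Location>
"""


def parse_mellon_block(text):
    """Return {directive: value} for active (uncommented) Mellon directives, quotes stripped."""
    settings = {}
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if not m or m.group('hash'):
            continue  # not a Mellon directive, or commented out
        value = m.group('value').strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]
        settings[m.group('name')] = value
    return settings


def expected_sp_endpoints(base_url, settings):
    """Derive the SP URLs Okta must be given from the site URL and the Mellon config."""
    endpoint = settings.get('MellonEndpointPath', '/mellon').rstrip('/') + '/'  # mellon default
    root = urljoin(base_url, endpoint)  # e.g. https://mysite/endpoint/
    return {
        'acs_url': root + 'postResponse',
        'metadata_url': root + 'metadata',
        'entity_id': settings.get('MellonSPentityId', root + 'metadata'),
    }


def check_okta_app(base_url, settings, okta_sso_url, okta_audience):
    """Compare the Okta app's SSO URL and Audience URI with what mellon accepts.

    Returns a list of findings; an empty list means the two sides agree.
    """
    exp = expected_sp_endpoints(base_url, settings)
    findings = []
    if okta_sso_url.rstrip('/') != exp['acs_url']:
        findings.append(f"Single sign on URL should be {exp['acs_url']} (Okta has {okta_sso_url}): "
                        "mellon only consumes a SAMLResponse posted to postResponse; a response "
                        "posted to the protected location is just another unauthenticated request "
                        "and is redirected to the IdP again")
    if okta_audience != exp['entity_id']:
        findings.append(f"Audience URI should be {exp['entity_id']} (Okta has {okta_audience}): "
                        "an assertion whose Audience is not the SP entityID is rejected")
    return findings


def hardening_findings(settings):
    """Defender's review of the directives themselves (independent of the loop)."""
    findings = []
    if settings.get('MellonSecureCookie', 'Off').lower() != 'on':
        findings.append('MellonSecureCookie is not On: the session cookie may be sent over plain HTTP')
    for d in ('MellonSamlResponseDump', 'MellonSessionDump'):
        if settings.get(d, 'Off').lower() == 'on':
            findings.append(f'{d} is On: assertions/session data go to the error log; turn off after debugging')
    if 'MellonRedirectDomains' not in settings:
        findings.append('MellonRedirectDomains not set: post-login ReturnTo targets are not explicitly restricted')
    try:
        if int(settings.get('MellonSessionLength', '86400')) > 8 * 3600:
            findings.append('MellonSessionLength exceeds 8 hours; consider a shorter session')
    except ValueError:
        findings.append('MellonSessionLength is not an integer')
    return findings


def review(base_url, config_text, okta_sso_url, okta_audience):
    """Run both checks over one config; returns {'loop': [...], 'hardening': [...]}."""
    settings = parse_mellon_block(config_text)
    return {'loop': check_okta_app(base_url, settings, okta_sso_url, okta_audience),
            'hardening': hardening_findings(settings)}


if __name__ == '__main__':
    for label, args in {
        'original post': ('http://192.168.14.130', ORIGINAL_POST_CONFIG,
                          'http://192.168.14.130/', 'http://192.168.14.130/okta'),
        'accepted answer': ('https://mysite', FIXED_CONFIG,
                            'https://mysite/endpoint/postResponse', 'https://mysite/endpoint/metadata'),
    }.items():
        result = review(*args)
        print(f'== {label} ==')
        for kind, items in result.items():
            for item in items:
                print(f'  [{kind}] {item}')
```

Run against the original post's values the script reports both URL mismatches (the loop); against the accepted answer it reports none, but does flag the commented-out MellonSecureCookie and the 12-hour session.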
  • PeterP.41491 (Customer)

    Matt, hope all is well! I am running into the same loop issue.  Tried all of your settings, but the issue is still the same.  What parameters did you provide to "mellon_create_metadata.sh" script?
  • d71yu (d71yu)

    I'm having a little trouble tracking down exactly what arguments I used for that, but from what I can remember I don't think it matters much.  All that script does is create the cert and key files and the SP metadata.  I believe I got rid of the metadata file, because all it does is specify some of the settings that you can set in the Apache config.  The script takes entity ID and endpoint URL as its arguments, so for the config I posted above, I think the correct command line is:

    mellon_create_metadata.sh https://mysite/okta https://mysite/endpoint

    I strongly suspect your issue is somewhere else though.  If you want to post your apache config and the arguments in your Okta app config, I'd be happy to see if I could spot the issue.
  • PeterP.41491 (Customer)

    Matt - I believe I just got it to work!  I recreated the app in Okta and double checked your settings.  I also commented out the xml created by the mellon_create_metadata.sh (per your recommendation).  In my case, just like you, I'm trying to secure the whole site (Location /), so my httpd.conf (RHEL) is very similar to yours.  Okta app settings are 100% the same.

    <Location />
        Require valid-user
        AuthType "Mellon"
        MellonEnable "auth"
        MellonVariable "cookie"
    #    MellonSecureCookie On
        MellonCookiePath /
        MellonUser "NAME_ID"
        MellonSessionDump Off
        MellonSamlResponseDump Off
        MellonEndpointPath "/endpoint"
        MellonDefaultLoginPath "/"
        MellonSessionLength 43200
        MellonSPPrivateKeyFile /etc/httpd/mellon/http_hostname.example.local_fsd855d.key
        MellonSPCertFile /etc/httpd/mellon/http_hostname.example.local_fsd855d.cert
    #    MellonSPMetadataFile /etc/httpd/mellon/http_hostname.example.local_fsd855d.xml
        MellonIdPMetadataFile /etc/httpd/mellon/idp-metadata.xml
    #    MellonSamlResponseDump On
    #    MellonSessionDump On
        MellonRedirectDomains [self] dev-XXXXXX.oktapreview.com
    </Location>

    One more thing if anyone tries to run this on RHEL7.  The current version of mod_auth_mellon that ships with this distro, as of today, only includes v0.11.  The MellonRedirectDomains directive has only been implemented in v0.12 and above, so you'll need to compile this module from source.  Hopefully sometime in the future RedHat will update this module in their repos so that won't be the case, but until then, use the README that has all the compile instructions and deps.

    Matt - huge thanks for your help and starting this thread!
This question is closed.