Page History

###########################################################################
# Global configuration for mod_auth_mellon. This configuration is shared by
# every virtual server and location in this instance of apache.
###########################################################################

# MellonCacheSize sets the maximum number of sessions which can be active
# at once. When mod_auth_mellon reaches this limit, it will begin removing
# the least recently used sessions. The server must be restarted before any
# changes to this option takes effect.
# Default: MellonCacheSize 100
MellonCacheSize 100

# MellonCacheEntrySize sets the maximum size for a single session entry in
# bytes. When mod_auth_mellon reaches this limit, it cannot store any more
# data in the session and will return an error. The minimum entry size is
# 65536 bytes, values lower than that will be ignored and the minimum will
# be used.
# Default: MellonCacheEntrySize 196608

# MellonLockFile is the full path to a file used for synchronizing access
# to the session data. The path should only be used by one instance of
# apache at a time. The server must be restarted before any changes to this
# option takes effect.
# Default: MellonLockFile "/var/run/mod_auth_mellon.lock"
MellonLockFile "/var/run/mod_auth_mellon.lock"

# MellonPostDirectory is the full path of a directory where POST requests
# are saved during authentication. This directory must writable by the
# Apache user. It should not be writable (or readable) by other users.
# Default: None
# Example: MellonPostDirectory "/var/cache/mod_auth_mellon_postdata"

# MellonPostTTL is the delay in seconds before a saved POST request can
# be flushed.
# Default: MellonPostTTL 900 (15 mn)
MellonPostTTL 900

# MellonPostSize is the maximum size for saved POST requests
# Default: MellonPostSize 1048576 (1 MB)
MellonPostSize 1048576

# MellonPostCount is the maximum amount of saved POST requests
# Default: MellonPostCount 100
MellonPostCount 100

###########################################################################
# MellonDiagnosticsFileEnd Ifof Mellonglobal wasconfiguration built with diagnostic capability
# then diagnostic is written here, it may be either a filename or a pipe.
# If it's a filename then the resulting path is  relative to the ServerRoot.
# If the value is preceeded by the pipe character "|" it should be followed
# by a path to a program to receive the log information on its standard input.
# This is a server context directive, hence it may be specified in the
# main server config area or within a <VirtualHost> directive.
# Default: logs/mellon_diagnostics
MellonDiagnosticsFile logs/mellon_diagnostics

# MellonDiagnosticsEnable If Mellon was built with diagnostic capability
# then this is a list of words controlling diagnostic output.
# Currently only On and Off are supported.
# This is a server context directive, hence it may be specified in the
# main server config area or within a <VirtualHost> directive.
# Default: Off
MellonDiagnosticsEnable Off

###########################################################################
# End of global configuration for mod_auth_mellon.
###########################################################################

for mod_auth_mellon.
###########################################################################

<Location />

   MellonEnable info

   MellonEndpointPath /mellon/

   MellonSPMetadataFile /etc/apache2/mellon/[your_sp]_mellon_metadata.xml

   MellonSPPrivateKeyFile /etc/apache2/mellon/https_[your_sp]_mellon_metadata.key

   MellonSPCertFile /etc/apache2/mellon/https_[your_sp]_mellon_metadata.cert

   MellonIdPMetadataFile /etc/apache2/mellon/eduTEAMS-metadata.xml

   MellonOrganizationURL "en" "mellon test for https://www.eduteams.org"

   MellonUser "urn:oasis:names:tc:SAML:attribute:subject-id"

   MellonUser "urn:oid:1.3.6.1.4.1.5923.1.1.1.13"

</Location>

<Location /private>
   AuthType Mellon
   MellonEnable auth
   Require valid-user
</Location>

Note you can also use MellonRequire to allow for access based on attributes sent for the user

You can use the directive MellonRequire within your apache <Location> directives.

MellonCond <attribute name> <value> [<options>]

eg

MellonCond "urn:oid:1.3.6.1.4.1.5923.1.1.1.13" "<your eduTEAMS identifier>@eduteams.org"

    [MELLON_NAME_ID]
    [MELLON_NAME_ID_0]
    [MELLON_urn:oid:2_16_840_1_113730_3_1_241]
    [MELLON_urn:oid:2_16_840_1_113730_3_1_241_0]
    [MELLON_urn:oid:2_5_4_4] 
    [MELLON_urn:oid:2_5_4_4_0]
    [MELLON_urn:oid:0_9_2342_19200300_100_1_3] => stephen.lovell@geant.org
    [MELLON_urn:oid:0_9_2342_19200300_100_1_3_0] => stephen.lovell@geant.org
    [MELLON_urn:oid:1_3_6_1_4_1_25178_4_1_11] => member@gn4-3.wp5.geant.org
    [MELLON_urn:oid:1_3_6_1_4_1_25178_4_1_11_0] => member@gn4-3.wp5.geant.org
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_6] => stephen@acc.eduteams.org
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_6_0] => stephen@acc.eduteams.org
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_13] => 0226a866112c6a8c42e226c31d6bf04293de6582@eduteams.org
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_13_0] => 0226a866112c6a8c42e226c31d6bf04293de6582@eduteams.org
    [MELLON_urn:oid:1_3_6_1_4_1_25178_4_1_6] => 0226a866112c6a8c42e226c31d6bf04293de6582@eduteams.org
    [MELLON_urn:oid:1_3_6_1_4_1_25178_4_1_6_0] => 0226a866112c6a8c42e226c31d6bf04293de6582@eduteams.org
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7] => urn:geant:eduteams.org:service:eduteams-acc:group:eduTEAMS#acc.eduteams.org
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7_0] => urn:geant:eduteams.org:service:eduteams-acc:group:eduTEAMS#acc.eduteams.org
    

Note that mod_mellon will create a series of single value variables named MELLON_var_{0..n}. If MELLON_var is single valued you will see a duplicate called MELLON_var_0

If MELLON_var is multivalued, you will find all values in their own variables eg:

    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7] => urn:geant:eduteams.org:service:eduteams-acc:group:eduTEAMS#acc.eduteams.org
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7_0] => urn:geant:eduteams.org:service:eduteams-acc:group:eduTEAMS#acc.eduteams.org
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7_1] => urn:geant:eduteams.org:service:eduteams-acc:group:eduTEAMS:gitlab#acc.eduteams.org
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7_2] => urn:geant:eduteams.org:service:eduteams-acc:group:eduTEAMS:gitlab:admin#acc.eduteams.org
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7_3] => urn:geant:eduteams.org:service:eduteams-acc:group:eduTEAMS:Developers#acc.eduteams.org
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7_4] => urn:geant:eduteams.org:service:eduteams-acc:group:eduTEAMS:gitlab:audit#acc.eduteams.org

Would be the result of the following assertion:

    <ns1:Attribute FriendlyName="eduPersonEntitlement"
                   Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
# This defines a directory where mod_auth_mellon should do access control.
<Location /secret>

        # These are standard Apache apache configuration directives.
        # You must have enabled Apache's authn_core and authz_user modules.
        # See http://httpd.apache.org/docs/2.4/mod/mod_authn_core.html and
        # http://httpd.apache.org/docs/2.4/mod/mod_authz_user.html
        # about them.
        Require valid-user
        AuthType "Mellon"


        # MellonEnable is used to enable auth_mellon on a location.
        # It has three possible values: "off", "info" and "auth".
        # They have the following meanings:
        #   "off":  mod_auth_mellon will not do anything in this location.
        #           This is the default state.
        #   "info": If the user is authorized to access the resource, then
        #           we will populate the environment with information about
        #           the user. If the user isn't authorized, then we won't
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
       #           populate the>
 environment, but we won't deny the user
 <ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
       #           access either.
        #
   xsi:type="xs:string"
     #           You can also use this to set up the Mellon SSO paramaters
 >urn:geant:eduteams.org:service:eduteams-acc:group:eduTEAMS#acc.eduteams.org</ns1:AttributeValue>
        #<ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
           transparently at the top level of your site, and then use
        #xsi:type="xs:string"
           "auth" to protect individual paths elsewhere in the site.
        #>urn:geant:eduteams.org:service:eduteams-acc:group:eduTEAMS:gitlab#acc.eduteams.org</ns1:AttributeValue>
   "auth": We will populate the environment with information about
<ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
           #           the user if he is authorized. If he is authenticated
 xsi:type="xs:string"
           #           (logged in), but not authorized (according to the
 >urn:geant:eduteams.org:service:eduteams-acc:group:eduTEAMS:gitlab:admin#acc.eduteams.org</ns1:AttributeValue>
       <ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
  #           MellonRequire and MellonCond directives, then we will 
        #    xsi:type="xs:string"
       return a 403 Forbidden error. If he isn't authenticated
        #    >urn:geant:eduteams.org:service:eduteams-acc:group:eduTEAMS:Developers#acc.eduteams.org</ns1:AttributeValue>
       then we will redirect him to the login page of the IdP.
<ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        #
        #           There is a special handling of AJAX requests, that are
xsi:type="xs:string"
                 #           identified by the "X-Requested-With: XMLHttpRequest" HTTP
        #           header. Since no user interaction can happen there,
        #           we always fail unauthenticated (not logged in) requests
        #           with a 403 Forbidden error without redirecting to the IdP.
        #
        # Default: MellonEnable "off"
        MellonEnable "auth"

        # MellonDecoder is an obsolete option which is a no-op but is
        # still accepted for backwards compatibility.

        # MellonVariable is used to select the name of the cookie which
        # mod_auth_mellon should use to remember the session id. If you
        # want to have different sites running on the same host, then
        # you will have to choose a different name for the cookie for each
        # site.
        # Default: "cookie"
        MellonVariable "cookie"

        # Whether the cookie set by auth_mellon should have HttpOnly and
        # secure flags set. Once "On" - both flags will be set. Values 
        # "httponly" or "secure" will respectively set only one flag.
        # Default: Off
        MellonSecureCookie On

        # MellonCookieDomain allows to specify of the cookie which auth_mellon
        # will set.
        # Default: the domain for the received request (the Host: header if
        # present, of the ServerName of the VirtualHost declaration, or if
        # absent a reverse resolution on the local IP)
        # MellonCookieDomain example.com

        # MellonCookiePath is the path of the cookie which auth_mellon will set.
        # Default: /
        MellonCookiePath /

        # MellonCookieSameSite allows control over the SameSite value used
        # for the authentication cookie.
        # The setting accepts values of "Strict", "Lax", or "None".
        # When using none, you should set "MellonSecureCookie On" to prevent
        # compatibility issues with newer browsers.
        # If not set, the SameSite attribute is not set on the cookie. In newer
        # browsers, this may cause SameSite to default to "Lax".
        # Note: Regardless of the value set here a fixed SameSite value of
        # None is used for the cookie test. The cookie test, which is performed
        # with a static value, should detect whether the user's client accepts
        # cookies or not before the auth_mellon session is established and thus
        # avoid a redirect loop. Using a fixed SameSite value of None ensures
        # that the cookie with the static value does not get lost in the
        # HTTP-POST binding request issued by the autosubmit form returned by
        # the IDP.
        # Default: not set
        # MellonCookieSameSite lax

        # Some browsers will reject cookies if SameSite is specified.
        # The MELLON_DISABLE_SAMESITE environment variable suppresses
        # setting of SameSite cookies. You can use the following directives
        # to set it.
        # BrowserMatch "\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit\/" MELLON_DISABLE_SAMESITE=1
        # BrowserMatch "\(Macintosh; Intel Mac OS X 10_14_\d\) AppleWebKit\/[\.\d]+ \(KHTML, like Gecko\)$" MELLON_DISABLE_SAMESITE=1
        # BrowserMatch "Outlook-iOS" MELLON_DISABLE_SAMESITE=1
        # BrowserMatch "UCBrowser\/(8|9|10|11)\.(\d+)\.(\d+)[\.\d]* " MELLON_DISABLE_SAMESITE=1
        # BrowserMatch "UCBrowser\/12\.13\.[0-1][\.\d]* " MELLON_DISABLE_SAMESITE=1
        # BrowserMatch "UCBrowser\/12\.1[0-2]\.(\d+)[\.\d]* " MELLON_DISABLE_SAMESITE=1
        # BrowserMatch "UCBrowser\/12\.\d\.(\d+)[\.\d]* " MELLON_DISABLE_SAMESITE=1
        # BrowserMatch "Chrom[^ \/]+\/6[0-6][\.\d]* " MELLON_DISABLE_SAMESITE=1
        # BrowserMatch "Chrom[^ \/]+\/5[1-9][\.\d]* " MELLON_DISABLE_SAMESITE=1


        # MellonUser selects which attribute we should use for the username.
        # The username is passed on to other apache modules and to the web
        # page the user visits. NAME_ID is an attribute which we set to
        # the id we get from the IdP.
        # Note: If MellonUser refers to a multi-valued attribute, any single
        # value from that attribute may be used. Do not rely on it selecting a
        # specific value.
        # Default: MellonUser "NAME_ID"
        #MellonUser "NAME_ID"
        MellonUser "subject-id"

        # MellonIdP selects in which attribute we should dump the remote 
        # IdP entityId. This is passed to other apache modules and to 
        # the web pages the user visits.
        # Default: none
        # MellonIdP "IDP"

        # MellonSetEnv configuration directives allows you to map
        # attribute names received from the IdP to names you choose
        # yourself. The syntax is 'MellonSetEnv <local name> <IdP name>'.
        # You can list multiple MellonSetEnv directives.
        # Default. None set.
        MellonSetEnv "e-mail" "mail"

        # MellonSetEnvNoPrefix is identical to MellonSetEnv, except this
        # does not prepend 'MELLON_' to the constructed environment variable.
        # The syntax is 'MellonSetEnvNoPrefix <local name> <IdP name>'.
        # You can list multiple MellonSetEnvNoPrefix directives.
        # Default. None set.
        MellonSetEnvNoPrefix "DISPLAY_NAME" "displayName"

        # MellonEnvPrefix changes the string the variables passed from the
        # IdP are prefixed with.
        # Default: MELLON_
        MellonEnvPrefix "NOLLEM_"

        # MellonMergeEnvVars merges multiple values of environment variables
        # set using MellonSetEnv into single variable:
        # ie: MYENV_VAR => val1;val2;val3 instead of default behaviour of:
        #     MYENV_VAR_0 => val1, MYENV_VAR_1 => val2 ... etc.
        # Second optional parameter specifies the separator, to override the
        # default semicolon.
        # Default: MellonMergeEnvVars Off
        MellonMergeEnvVars On
        MellonMergeEnvVars On ":"

        # MellonEnvVarsIndexStart specifies if environment variables for
        # multi-valued attributes should start indexing from 0 or 1
        # The syntax is 'MellonEnvVarsIndexStart <0|1>'.
        # Default: MellonEnvVarsIndexStart 0
        MellonEnvVarsIndexStart 1

        # MellonEnvVarsSetCount specifies if number of values for any given
        # attribute should also be stored in variable suffixed _N.
        # ie: if user is member of two groups, the following will be set:
        #     MELLON__groups=group1
        #     MELLON__groups_0=group1
        #     MELLON__groups_1=group2
        #     MELLON__groups_N=2
        # Default: MellonEnvVarsSetCount Off
        MellonEnvVarsSetCount On

        # If MellonSessionDump is set, then the SAML session will be
        # available in the MELLON_SESSION environment variable
        MellonSessionDump Off
 
        # If MellonSamlResponseDump is set, then the SAML authentication
        # response will be available in the MELLON_SAML_RESPONSE environment 
        # variable
        MellonSamlResponseDump Off
 
        # MellonRequire allows you to limit access to those with specific
        # attributes. The syntax is
        # 'MellonRequire <attribute name> <list of valid values>'.
        # Note that the attribute name is the name we received from the
        # IdP.
        #
        # If you don't list any MellonRequire directives (and any 
        # MellonCond directives, see below), then any user authenticated 
        # by the IdP will have access to this service. If you list several 
        # MellonRequire directives, then all of them will have to match.
        # If you use multiple MellonRequire directive on the same 
        # attribute, the last overrides the previous ones.
        #
        # Default: None set.
        MellonRequire "eduPersonAffiliation" "student" "employee"

        # MellonCond provides the same function as MellonRequire, with
        # extra functionality (MellonRequire is retained for backward
        # compatibility). The syntax is
        # 'MellonCond <attribute name> <value> [<options>]'
        #
        # <value> is an attribute value to match. Unlike with MellonRequire, 
        # multiples values are not allowed.
        #
        # If the [REG] flag is specified (see below), <value> is a regular 
        # expression. The syntax for backslash escape is the same as in
        # Apache's <LocationMatch>'s directives. 
        #
        # Format strings are substituted into <value> prior evaluation. 
        # Here are the supported syntaxes:
        #    %n       With n being a digit between 0 and 9. If [REG,REF] 
        #             flags (see below) were used in an earlier matching 
        #             MellonCond, then regular expression back references
        #             are substituted.
        #    %{num}   Same as %n, with num being a number that may be 
        #             greater than 9.
        #    %{ENV:x} Substitute Apache environment variable x.
        #    %%       Escape substitution to get a literal %.
        #
        # <options> is an optional, comma-separated list of option
        # enclosed with brackets. Here is an example: [NOT,NC]
        # The valid options are:
        #    OR  If this MellonCond evaluated to false, then the
        #        next one will be checked. If it evaluates to true,
        #        then the overall check succeeds.
        #    NOT This MellonCond evaluates to true if the attribute 
        #        does not match the value.
        #    SUB Substring match, evaluates to true if value is
        #        included in attribute.
        #    REG Value to check is a regular expression.
        #    NC  Perform case insensitive match. 
        #    MAP Attempt to search an attribute with name remapped by
        #        MellonSetEnv. Fallback to non remapped name if not
        #        found.
        #    REF Used with REG, track regular expression back references,
        #        So that they can be substituted in an upcoming 
        #        MellonCond directive.
        #        
        # It is allowed to have multiple MellonCond on the same 
        # attribute, and to mix MellonCond and MellonRequire. 
        # Note that this can create tricky situations, since the OR
        # option has effect on a following MellonRequire directive.
        # 
        # Default: none set
        # MellonCond "mail" "@example\.net$" [OR,REG]
        # MellonCond "mail" "@example\.com$" [OR,REG]
        # MellonCond "uid" "superuser"

        # MellonEndpointPath selects which directory mod_auth_mellon
        # should assume contains the SAML 2.0 endpoints. Any request to
        # this directory will be handled by mod_auth_mellon.
        #
        # The path is the full path (from the root of the web server) to
        # the directory. The directory must be a sub-directory of this
        # <Location ...>.
        # Default: MellonEndpointPath "/mellon"
        MellonEndpointPath "/secret/endpoint"

        # MellonDefaultLoginPath is the location where one should be
        # redirected after an IdP-initiated login. Default is "/"
        # Default: MellonDefaultLoginPath "/"
        MellonDefaultLoginPath "/"

        # MellonSessionLength sets the maximum lifetime of a session, in
        # seconds. The actual lifetime may be shorter, depending on the
        # conditions received from the IdP. The default length is 86400
        # seconds, which is one day.
        # Default: MellonSessionLength 86400
        MellonSessionLength 86400

        # MellonNoCookieErrorPage is the full path to a page which
        # mod_auth_mellon will redirect the user to if he returns from the
        # IdP without a cookie with a session id.
        # Note that the user may also get this error if he for some reason
        # loses the cookie between being redirected to the IdP's login page
        # and returning from it.
        # If this option is unset, then mod_auth_mellon will return a
        # 400 Bad Request error if the cookie is missing.
        # Default: unset
        MellonNoCookieErrorPage "https://example.com/no_cookie.html"

        # MellonSPMetadataFile is the full path to the file containing
        # the metadata for this service provider.
        # If mod_auth_mellon was compiled against Lasso version 2.2.2
        # or higher, this option is optional. Otherwise, it is mandatory.
        # Default: None set.
        MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml

        # If you choose to autogenerate metadata, this option
        # can be used to control the SP entityId
        # MellonSPentityId "https://www.example.net/foo"
        #
        # If you choose to autogenerate metadata, these options 
        # can be used to fill the <Organization> element. They
        # all follow the syntax "option [lang] value":
        # MellonOrganizationName "random-service"
        # MellonOrganizationDisplayName "en" "Random service"
        # MellonOrganizationDisplayName "fr" "Service quelconque"
        # MellonOrganizationURL "http://www.espci.fr"

        # MellonSPPrivateKeyFile is a .pem file which contains the private
        # key of the service provider. The .pem-file cannot be encrypted
        # with a password. If built with lasso-2.2.2 or higher, the
        # private key only needs to be readable by root, otherwise it has
        # to be readable by the Apache pseudo user.
        # Default: None set.
        MellonSPPrivateKeyFile /etc/apache2/mellon/sp-private-key.pem

        # MellonSPCertFile is a .pem file with the certificate for the
        # service provider. This directive is optional.
        # Default: None set.
        MellonSPCertFile /etc/apache2/mellon/sp-cert.pem

        # MellonIdPMetadataFile is the full path to the file which contains
        # metadata for the IdP you are authenticating against. This
        # directive is required. Multiple IdP metadata can be configured
        # by using multiple MellonIdPMetadataFile directives.
        #
        # If your lasso library is recent enough (higher than 2.3.5),
        # then MellonIdPMetadataFile will accept an XML file containing
        # descriptors for multiple IdP. An optional validating chain can
        # be supplied as a second argument to MellonIdPMetadataFile. If
        # omitted, no metadata validation will take place.
        #
        # Default: None set.
        MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml

        # MellonIdPMetadataGlob is a glob(3) pattern enabled  alternative 
        # to MellonIdPMetadataFile. Like MellonIdPMetadataFile it will
        # accept an optional validating chain if lasso is recent enough.
        #
        # Default: None set.
        #MellonIdPMetadataGlob /etc/apache2/mellon/*-metadata.xml

        # MellonIdpPublicKeyFile is the full path of the public key of the
        # IdP. This parameter is optional if the public key is embedded
        # in the IdP's metadata file, or if a certificate authority is
        # used. This parameter cannot be used if multiple IdP are configured.
        # Default: None set.
        MellonIdPPublicKeyFile /etc/apache2/mellon/idp-public-key.pem

        # MellonIdPCAFile is the full path to the certificate of the
        # certificate authority. This can be used instead of an
        # certificate for the IdP.
        # Default: None set.
        MellonIdPCAFile /etc/apache2/mellon/ca.pem

        # MellonIdPIgnore lists IdP entityId that should not loaded
        # from XML federation metadata files. This is useful if an
        # IdP cause bugs. Multiple entityId may be specified through
        # single MellonIdPIgnore, and multiple MellonIdPIgnore are allowed.
        # Default: None set.
        #MellonIdPIgnore "https://bug.example.net/saml/idp"

        # MellonDiscoveryURL is the URL for IdP discovery service. 
        # This is used for selecting among multiple configured IdP.
        # On initial user authentication, it is redirected to the
        # IdP discovery URL, with the following arguments set:
        #
        #   entityID         SP entityId URL, where our metadata 
        #                    are published.
        #   returnIDParam    Argument that IdP discovery must send back.
        #   return           Return URL the IdP discovery should return to.
        #
        # The IdP discovery must redirect the user to the return URL, 
        # with returnIDParam set to the selected IdP entityId.
        # 
        # The builtin:get-metadata discovery URL is not supported anymore
        # starting with 0.3.1. See MellonProbeDiscoveryTimeout for
        # a replacement.
        #
        # Default: None set.
        MellonDiscoveryURL "http://www.example.net/idp-discovery"

        # MellonProbeDiscoveryTimeout sets the timeout of the
        # IdP probe discovery service, which is available on the
        # probeDisco endoint.
        #
        # This will cause the SP to send HTTP GET requests on the 
        # configured IdP PorviderID URL. Theses URL should be used to
        # publish metadata, though this is not mandatory. If the IdP
        # returns an HTTP status 200, then the IdP is selected. 
        # If the PorviderID URL requires SSL, MellonIdPCAFile is used
        # as a trusted CA bundle.
        #
        # Default: unset, which means the feature is disabled
        # MellonProbeDiscoveryTimeout 1

        # MellonProbeDiscoveryIdP can be used to restrict the 
        # list of IdP queried by the IdP probe discovery service.
        # If probe discovery fails and this is provided, an
        # HTTP error 500 is returned, instead of proceeding
        # with first available IdP.
        #
        # Default unset, which means that all configured IdP are 
        # queried.
        # MellonProbeDiscoveryIdP http://idp1.example.com/saml/metadata
        # MellonProbeDiscoveryIdP http://idp2.example.net/saml/metadata

        # This option will make the SAML authentication assertion 
        # available in the MELLON_SAML_RESPONSE environment
        # variable. This assertion holds a verifiable signature
        # that can be checked again. Default is Off.
        MellonSamlResponseDump Off

        # This option will make the Lasso session available in 
        # the MELLON_SESSION environment variable. Default is Off.
        MellonSessionDump Off

        # This option will request specific authentication security-level
        # through the AuthnContextClassRef element of the AuthnRequest It will
        # also request enforcement of this level when receiving an
        # authenticating Assertion.
        # If the assertion does not have the required security level, an HTTP
        # Forbidden status code is returned to the browser.
        # MellonAuthnContextClassRef "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
        # MellonAuthnContextClassRef >urn:geant:eduteams.org:service:eduteams-acc:group:eduTEAMS:gitlab:audit#acc.eduteams.org</ns1:AttributeValue>
    </ns1:Attribute>

mkdir /etc/apache/mellon

wget "https://proxy.acc.eduteams.org/metadata/frontend.xml" -O /etc/apache2/mellon/eduTEAMS-metadata.xml

Usage: mellon_create_metadata.sh ENTITY-ID ENDPOINT-URL

Example:

(cd /etc/apache2/mellon or the location you choose to use) 

./mellon_create_metadata.sh urn:someservice https://sp.example.org/mellon

./mellon_create_metadata.sh https://[your_sp]/mellon/metadata https://[your_sp]/mellon

This will give you three files:

https_[your_sp]_mellon_metadata.cert

https_[your_sp]_mellon_metadata.key

https_[your_sp]_mellon_metadata.xml

Note - these three files are those we refer to in the file auth_mellon.conf (earlier in this document).

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://[your_sp]/mellon/metadata">
  <md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <!-- Required for R&S SPs -->
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        <!-- Required for Production SPs -->
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>


      <!-- Required for SPs supporting Sirtfi -->
      <saml:Attribute Name="urn:oasis:names:tc:SAML:

attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:

attrname-format:uri">
        

<saml:AttributeValue xsi:type="xs:string">https://refeds.org/sirtfi</saml:AttributeValue>
      

</saml:Attribute>


      

<!-- Required to signal the requirement for the release of subject-id -->
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:subject-id:req" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>any</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>


  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true">
    <md:Extensions>
      <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">

        <!-- Required: Change it for your SP -->
        <mdui:DisplayName xml:lang="en">[your_sp_description]</mdui:DisplayName>

        <!-- Required: Change it for your SP -->
        <mdui:Description xml:lang="en">[your_sp_description_full_sentence]</mdui:Description>
        

<!-- Required for Production: Change it for your SP -->

        

<mdui:PrivacyStatementURL xml:lang="en">[your_privacy_policy_url]</mdui:PrivacyStatementURL>

        

<!-- Required: Change it for your SP -->
        

<mdui:Logo width="200" height="200">[your_sp_img_url_200x200]</mdui:Logo>
        <mdui:Logo width="16" height="16">[your_sp_img_url_16x16]</mdui:Logo>

        

<!-- Optional: Change it for your SP -->
        

<mdui:InformationURL xml:lang="en">https://[your_sp]</mdui:InformationURL>
      </mdui:UIInfo>
    </md:Extensions>


    

<!-- Required: Change it for your SP -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  

<ds:X509Data>
 

<ds:X509Certificate>
{ contents of https_[your_sp]_mellon_metadata.cert }
    

 </ds:X509Certificate>
        

</ds:X509Data>
      </ds:KeyInfo>
  

 </md:KeyDescriptor>
    <!-- Required: Change it for your SP -->
    <md:KeyDescriptor use="encryption">
   

<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        

<ds:X509Data>
        

<ds:X509Certificate>
{ contents 

of https_[your_sp]_mellon_metadata.cert }
        

 </ds:X509Certificate>
        </ds:X509Data>
      

</ds:KeyInfo>
    </md:KeyDescriptor>


    <!-- Optional: Change it 

for 

your 

SP -->
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://[your_sp]/mellon/logout"/>


    <!-- Required -->
    <!-- 
      In the list below all the attributes are requested. If your SP 
       needs 

fewer 

attributes, 

the 

list 

has 

to 

be 

modified 

accordingly
 

   -->
    

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://[your_sp]/mellon/postResponse" index="0"/>

    

<md:AttributeConsumingService index="0">
      

<md:ServiceName xml:lang="en">[your_sp_description]</md:ServiceName>
      

<md:RequestedAttribute Name="urn:oasis:names:tc:SAML:attribute:subject-id" FriendlyName="subject-id"/>
      <md:RequestedAttribute 

Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" FriendlyName="eduPersonUniqueId"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.4.1.6" FriendlyName="voPersonID"/>
      <md:RequestedAttribute 

Name="urn:oid:2.5.4.42" FriendlyName="givenName"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.4" FriendlyName="sn"/>
      

<md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName"/>
     

<md:

RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail"/>
      

<md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.4.1.11" FriendlyName="voPersonExternalAffiliation"/>
      <md:RequestedAttribute 

Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement"/>
      <md:RequestedAttribute 

Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" FriendlyName="eduPersonAssurance"/>
    

<md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.16" FriendlyName="eduPersonOrcid"/>
      

<md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName"/>
      

<md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.24552.500.1.1.1.13" FriendlyName="sshPublicKey"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>



  <!-- Required: Change it for your SP -->
  <md:Organization>
    

<md:OrganizationName xml:lang="en">[your_organisation]</md:OrganizationName>
    

<md:OrganizationDisplayName xml:lang="en">[your_organisation]</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">[your_organisation_homepage]</md:OrganizationURL>
  

</md:Organization>


  <!-- Required: Change it for your SP -->
  <md:ContactPerson contactType="administrative">
    <md:EmailAddress>mailto:admin@[your_sp]</md:EmailAddress>
  </md:ContactPerson>


  <!-- Required: Change it for your SP -->
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>mailto:support@[your_sp]</md:EmailAddress>
  </md:ContactPerson>


  <!-- Required for SPs supporting Sirtfi: Change it for your SP -->
  <md:ContactPerson xmlns:remd="http://refeds.org/metadata" 
       

   contactType="other" 
    

remd:contactType="http://refeds.org/metadata/contactType/security">
    <md:GivenName>[your_sirtifi_contact_name]</md:GivenName>
    

<md:EmailAddress>mailto:security@[your_sp]</md:EmailAddress>
  </md:ContactPerson>

</

md:EntityDescriptor>

All of the configuration to enable mod_mellon, and specify areas of your site to protect are covered above.

systemctl restart apache2