This guide describes how mod_auth_mellon can be configured as a SAML Service Provider for eduTEAMS.

mod_auth_mellon is an authentication module for Apache. It authenticates the user against a SAML 2.0 IdP and grants access to directories depending on the attributes received from the IdP. It used to be maintained by Uninett but is now community-maintained. The code and documentation can be found at

This guide assumes you're using a Debian-based Linux distribution, and you have installed and enabled the mod-auth-mellon module.

1. mod_auth_mellon

We suggest populating the global configuration options with the following. Edit your auth_mellon.conf file to read as follows:

# Global configuration for mod_auth_mellon. This configuration is shared by
# every virtual server and location in this instance of apache.

# MellonCacheSize sets the maximum number of sessions which can be active
# at once. When mod_auth_mellon reaches this limit, it will begin removing
# the least recently used sessions. The server must be restarted before any
# changes to this option take effect.
# Default: MellonCacheSize 100
MellonCacheSize 100

# MellonCacheEntrySize sets the maximum size for a single session entry in
# bytes. When mod_auth_mellon reaches this limit, it cannot store any more
# data in the session and will return an error. The minimum entry size is
# 65536 bytes, values lower than that will be ignored and the minimum will
# be used.
# Default: MellonCacheEntrySize 196608

# MellonLockFile is the full path to a file used for synchronizing access
# to the session data. The path should only be used by one instance of
# apache at a time. The server must be restarted before any changes to this
# option take effect.
# Default: MellonLockFile "/var/run/mod_auth_mellon.lock"
MellonLockFile "/var/run/mod_auth_mellon.lock"

# MellonPostDirectory is the full path of a directory where POST requests
# are saved during authentication. This directory must be writable by the
# Apache user. It should not be writable (or readable) by other users.
# Default: None
# Example: MellonPostDirectory "/var/cache/mod_auth_mellon_postdata"

# MellonPostTTL is the delay in seconds before a saved POST request can
# be flushed.
# Default: MellonPostTTL 900 (15 min)
MellonPostTTL 900

# MellonPostSize is the maximum size for saved POST requests
# Default: MellonPostSize 1048576 (1 MB)
MellonPostSize 1048576

# MellonPostCount is the maximum amount of saved POST requests
# Default: MellonPostCount 100
MellonPostCount 100

# MellonDiagnosticsFile: if Mellon was built with diagnostic capability
# then diagnostics are written here; it may be either a filename or a pipe.
# If it's a filename then the resulting path is relative to the ServerRoot.
# If the value is preceded by the pipe character "|" it should be followed
# by a path to a program to receive the log information on its standard input.
# This is a server context directive, hence it may be specified in the
# main server config area or within a <VirtualHost> directive.
# Default: logs/mellon_diagnostics
MellonDiagnosticsFile logs/mellon_diagnostics

# MellonDiagnosticsEnable: if Mellon was built with diagnostic capability
# then this is a list of words controlling diagnostic output.
# Currently only On and Off are supported.
# This is a server context directive, hence it may be specified in the
# main server config area or within a <VirtualHost> directive.
# Default: Off
MellonDiagnosticsEnable Off

# End of global configuration for mod_auth_mellon.

<Location />
    MellonEnable info
    MellonEndpointPath /mellon/
    MellonSPMetadataFile /etc/apache2/mellon/[your_sp]_mellon_metadata.xml
    MellonSPPrivateKeyFile /etc/apache2/mellon/https_[your_sp]_mellon_metadata.key
    MellonSPCertFile /etc/apache2/mellon/https_[your_sp]_mellon_metadata.cert
    MellonIdPMetadataFile /etc/apache2/mellon/eduTEAMS-metadata.xml
    MellonOrganizationURL "en" "mellon test for"
    # MellonUser names the attribute whose value becomes the Apache user
    # (REMOTE_USER). An OID-named attribute can be used instead of subject-id.
    MellonUser "urn:oasis:names:tc:SAML:attribute:subject-id"
    # MellonUser "urn:oid:"
</Location>

<Location /private>
    AuthType Mellon
    MellonEnable auth
    Require valid-user
</Location>

Note that you can also use MellonRequire to grant access based on the attributes sent for the user.

1a. Authorisation within Apache

You can use the directive MellonRequire within your Apache <Location> directives. MellonCond performs the same attribute-based check with additional matching options; its syntax is:

MellonCond <attribute name> <value> [<options>]

For example, to admit a specific eduTEAMS identity:

MellonCond "urn:oid:" "<your eduTEAMS identifier>"

1b. Authorisation in code

mod_auth_mellon will create a number of environment variables within your Apache instance, one per attribute received from the IdP. An example listing is shown below.

If you do not want multi-valued attributes to create many 0...n numbered variables, enable merging (the default is Off, which produces the numbered variables):

 MellonMergeEnvVars On ";"

 and this will give you e.g.

[MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7] => "value1[;valueX]"

    [MELLON_urn:oid:0_9_2342_19200300_100_1_3] =>
    [MELLON_urn:oid:0_9_2342_19200300_100_1_3_0] =>
    [MELLON_urn:oid:1_3_6_1_4_1_25178_4_1_11] =>
    [MELLON_urn:oid:1_3_6_1_4_1_25178_4_1_11_0] =>
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_6] =>
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_6_0] =>
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_13] =>
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_13_0] =>
    [MELLON_urn:oid:1_3_6_1_4_1_25178_4_1_6] =>
    [MELLON_urn:oid:1_3_6_1_4_1_25178_4_1_6_0] =>
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7] =>
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7_0] =>

Note that mod_auth_mellon will create a series of single-valued variables named MELLON_var_{0..n}. If MELLON_var is single-valued you will see a duplicate called MELLON_var_0.

If MELLON_var is multi-valued, you will find all values in their own variables, e.g.:

    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7] =>
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7_0] =>
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7_1] =>
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7_2] =>
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7_3] =>
    [MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7_4] =>

Would be the result of the following assertion:
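As an added example (not from the original guide or the mod_auth_mellon project), here is how application code behind mod_auth_mellon can read these variables in either layout and make an authorisation decision on eduPersonEntitlement (OID 1.3.6.1.4.1.5923.1.1.1.7, the attribute in the listing above); the sample environments and entitlement values are constructed.

```python
from typing import Mapping


def mellon_var(attribute_name: str) -> str:
    # mod_auth_mellon exports "MELLON_" + attribute name with "." replaced by "_",
    # e.g. urn:oid:1.3.6.1.4.1.5923.1.1.1.7 -> MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7
    return "MELLON_" + attribute_name.replace(".", "_")


def attribute_values(environ: Mapping[str, str], attribute_name: str, sep: str = ";") -> list:
    """All values of one SAML attribute, whichever layout mod_auth_mellon was told to use.

    Numbered layout (MellonMergeEnvVars Off): MELLON_var_0 .. MELLON_var_n, with
    MELLON_var duplicating the first value.  Merged layout (MellonMergeEnvVars On):
    a single MELLON_var holding "value1;value2".
    """
    base = mellon_var(attribute_name)
    values = []
    while f"{base}_{len(values)}" in environ:
        values.append(environ[f"{base}_{len(values)}"])
    if values:
        return values
    merged = environ.get(base)
    return [v for v in merged.split(sep) if v] if merged is not None else []


EDUPERSON_ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"


def is_authorised(environ: Mapping[str, str], required_entitlement: str) -> bool:
    # Exact string match on the asserted entitlement; never a substring test.
    return required_entitlement in attribute_values(environ, EDUPERSON_ENTITLEMENT)


# Constructed sample environments (not captured from a real IdP), one per layout.
NUMBERED_ENV = {
    "MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7": "urn:mace:example.org:entitlement:wiki",
    "MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7_0": "urn:mace:example.org:entitlement:wiki",
    "MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7_1": "urn:mace:example.org:entitlement:admin",
    "MELLON_urn:oid:0_9_2342_19200300_100_1_3": "alice@example.org",
    "MELLON_urn:oid:0_9_2342_19200300_100_1_3_0": "alice@example.org",
}
MERGED_ENV = {
    "MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7":
        "urn:mace:example.org:entitlement:wiki;urn:mace:example.org:entitlement:admin",
    "MELLON_urn:oid:0_9_2342_19200300_100_1_3": "alice@example.org",
}

if __name__ == "__main__":  # under Apache, pass os.environ (CGI) or the WSGI environ
    print(is_authorised(NUMBERED_ENV, "urn:mace:example.org:entitlement:admin"))  # True
```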

2. Next, download the eduTEAMS metadata

Fetch the metadata over HTTPS and check it before use: it carries the IdP signing certificate that mod_auth_mellon will trust for every assertion.

mkdir -p /etc/apache2/mellon
wget "" -O /etc/apache2/mellon/eduTEAMS-metadata.xml

3. Now generate the metadata for your mellon SP

The helper script that generates SP metadata is not guaranteed to be installed by every distribution's package. If, having installed the Apache auth-mellon package for your system, you cannot find the script, you can fetch it from the package's GitHub home.

Please note that whilst the metadata generated by the script is valid, it does not contain all the elements the eduTEAMS service prefers; the template further below shows what to add.

Run the script from the directory holding your Mellon files (cd /etc/apache2/mellon, or the location you chose to use). It takes the SP's entity ID (a URN or, as here, the metadata URL) followed by the base URL of the Mellon endpoints (matching MellonEndpointPath):

./ urn:someservice

./ https://[your_sp]/mellon/metadata https://[your_sp]/mellon

This will give you three files:

[your_sp]_mellon_metadata.xml
https_[your_sp]_mellon_metadata.key
https_[your_sp]_mellon_metadata.cert

Note - these three files are those we refer to in the file auth_mellon.conf (earlier in this document). Keep the .key file readable only by the Apache user; it is the SP's private signing and decryption key.

The SP metadata file, with the elements eduTEAMS looks for marked in comments (replace every [your_...] placeholder with your own values):

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:ds="" entityID="https://[your_sp]/mellon/metadata">
  <md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <!-- Required for [...] SPs -->
        <saml:AttributeValue xmlns:xsi="" xmlns:xs="" xsi:type="xs:string"></saml:AttributeValue>
        <!-- Required for Production SPs -->
        <saml:AttributeValue xmlns:xsi="" xmlns:xs="" xsi:type="xs:string"></saml:AttributeValue>
      </saml:Attribute>
      <!-- Required for SPs supporting Sirtfi -->
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xs:string"></saml:AttributeValue>
      </saml:Attribute>
      <!-- Required to signal release of subject-id -->
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:subject-id:req" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true">
    <md:Extensions>
      <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
        <!-- Required: Change it for your SP -->
        <mdui:DisplayName xml:lang="en">[your_sp_description]</mdui:DisplayName>
        <!-- Required: Change it for your SP -->
        <mdui:Description xml:lang="en">[your_sp_description_full_sentence]</mdui:Description>
        <!-- Required for Production: Change it for your SP -->
        <mdui:PrivacyStatementURL xml:lang="en">[your_privacy_policy_url]</mdui:PrivacyStatementURL>
        <!-- Required: Change it for your SP -->
        <mdui:Logo width="200" height="200">[your_sp_img_url_200x200]</mdui:Logo>
        <mdui:Logo width="16" height="16">[your_sp_img_url_16x16]</mdui:Logo>
        <!-- Optional: Change it for your SP -->
        <mdui:InformationURL xml:lang="en">https://[your_sp]</mdui:InformationURL>
      </mdui:UIInfo>
    </md:Extensions>
    <!-- Required: Change it for your SP -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="">
        { contents of https_[your_sp]_mellon_metadata.cert }
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- Required: Change it for your SP -->
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="">
        { contents of https_[your_sp]_mellon_metadata.cert }
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- Optional: Change it for your SP -->
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://[your_sp]/mellon/logout"/>
    <!-- Required -->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://[your_sp]/mellon/postResponse" index="0"/>
    <!-- In the list below all the attributes are requested. If your SP [...] attributes, the list has to be modified accordingly -->
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">[your_sp_description]</md:ServiceName>
      <md:RequestedAttribute Name="urn:oasis:names:tc:SAML:attribute:subject-id" FriendlyName="subject-id"/>
      <md:RequestedAttribute Name="urn:oid:" FriendlyName="eduPersonUniqueId"/>
      <md:RequestedAttribute Name="urn:oid:" FriendlyName="voPersonID"/>
      <md:RequestedAttribute Name="urn:oid:" FriendlyName="givenName"/>
      <md:RequestedAttribute Name="urn:oid:" FriendlyName="sn"/>
      <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail"/>
      <md:RequestedAttribute Name="urn:oid:" FriendlyName="voPersonExternalAffiliation"/>
      <md:RequestedAttribute Name="urn:oid:" FriendlyName="eduPersonScopedAffiliation"/>
      <md:RequestedAttribute Name="urn:oid:" FriendlyName="eduPersonEntitlement"/>
      <md:RequestedAttribute Name="urn:oid:" FriendlyName="eduPersonAssurance"/>
      <md:RequestedAttribute Name="urn:oid:" FriendlyName="eduPersonOrcid"/>
      <md:RequestedAttribute Name="urn:oid:" FriendlyName="eduPersonPrincipalName"/>
      <md:RequestedAttribute Name="urn:oid:" FriendlyName="sshPublicKey"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
  <!-- Required: Change it for your SP -->
  <md:Organization>
    <md:OrganizationName xml:lang="en">[your_organisation]</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">[your_organisation]</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">[your_organisation_homepage]</md:OrganizationURL>
  </md:Organization>
  <!-- Required: Change it for your SP -->
  <md:ContactPerson contactType="administrative">
  </md:ContactPerson>
  <!-- Required: Change it for your SP -->
  <md:ContactPerson contactType="technical">
  </md:ContactPerson>
  <!-- Required for SPs supporting Sirtfi: Change it for your SP -->
  <md:ContactPerson xmlns:remd="">
  </md:ContactPerson>
</md:EntityDescriptor>

The following optional directives, with their explanatory comments from the upstream auth_mellon.conf, can also be placed in the <Location /> block of auth_mellon.conf:

# MellonAuthnContextClassRef selects the authentication context requested from the IdP.
MellonAuthnContextClassRef "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# MellonAuthnContextClassRef "urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI"

# This option will set the "Comparison" attribute within the AuthnRequest.
# It could be set to "exact", "minimum", "maximum" or "better".
# MellonAuthnContextComparisonType "exact"

# MellonSubjectConfirmationDataAddressCheck is used to control the check of the
# client's IP address against the address returned by the IdP in the
# SubjectConfirmationData node. Can be useful if your SP is behind a reverse
# proxy or any kind of strange network topology making the IP address of the
# client different for the IdP and the SP. Default is On.
# MellonSubjectConfirmationDataAddressCheck On

# Does not check the signature on logout messages exchanged with idp1.
# MellonDoNotVerifyLogoutSignature

# MellonPostReplay enables replay of POST requests after authentication. When this
# option is enabled, POST requests that trigger authentication will be saved until
# the authentication is completed, and then replayed. If this option isn't enabled,
# the requests will be turned into normal GET requests after authentication.
# Note that if this option is enabled, you must also set the MellonPostDirectory
# option in the server configuration. The default is that it is "Off".
# MellonPostReplay Off

# MellonNoSuccessErrorPage: page to redirect to if the IdP sends an error in
# response to the authentication request. The default is to not redirect, but
# rather send a 401 Unauthorized error.
# Example:
# MellonNoSuccessErrorPage https

# MellonECPSendIDPList controls whether to include a list of IdPs when
# sending an ECP PAOS <AuthnRequest> message to an ECP client.
# MellonECPSendIDPList Off

# This option controls whether the Cache-Control header is sent back in responses.
# Default: On
# MellonSendCacheControlHeader Off

# MellonRedirectDomains is the list of domains that we allow redirects to.
# The special name "[self]" means the domain of the current request.
# The domain names can also use wildcards. Keep this list restrictive: it bounds
# where the ReturnTo parameter of the Mellon endpoints may send a user.
# Example:
# * Allow redirects to [...] and all subdomains:
# MellonRedirectDomains *
# * Allow redirects to the host running mod_auth_mellon, as well as the [...]
# MellonRedirectDomains [self]
# * Allow redirects to all domains:
# MellonRedirectDomains *
# Default:
# MellonRedirectDomains [self]
MellonRedirectDomains [self]

# This option controls the signature method used to sign SAML messages generated
# by Mellon; it may be one of the following (depending on whether the feature was
# supported when Mellon was built):
# rsa-sha1
# rsa-sha256
# Prefer rsa-sha256; SHA-1 signatures are deprecated.
# MellonSignatureMethod
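To check a generated metadata file against the template above before registering it with eduTEAMS, here is an added Python example (not part of the original guide or the mod_auth_mellon project). Which elements count as required is this example's reading of the template, and the sample metadata is constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the EntityDescriptor template.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
}

# Elements the template marks as required, as paths relative to md:EntityDescriptor.
REQUIRED = {
    "EntityAttributes": "md:Extensions/mdattr:EntityAttributes",
    "mdui:DisplayName": "md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName",
    "mdui:Description": "md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:Description",
    "mdui:PrivacyStatementURL": "md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:PrivacyStatementURL",
    "signing KeyDescriptor": "md:SPSSODescriptor/md:KeyDescriptor[@use='signing']",
    "AssertionConsumerService": "md:SPSSODescriptor/md:AssertionConsumerService",
    "AttributeConsumingService": "md:SPSSODescriptor/md:AttributeConsumingService",
    "OrganizationName": "md:Organization/md:OrganizationName",
    "technical ContactPerson": "md:ContactPerson[@contactType='technical']",
    "administrative ContactPerson": "md:ContactPerson[@contactType='administrative']",
}


def missing_elements(metadata_xml: str) -> list:
    """Labels of REQUIRED elements absent from an SP EntityDescriptor, in REQUIRED order."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    missing = [label for label, path in REQUIRED.items() if root.find(path, NS) is None]
    # The template also tells the IdP to expect signed AuthnRequests.
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None or sp.get("AuthnRequestsSigned", "false").lower() != "true":
        missing.append('AuthnRequestsSigned="true"')
    return missing


# Constructed sample in the bare style a generator script emits, before the
# eduTEAMS-specific elements are added. Not taken from a real SP.
BARE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.org/mellon/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/mellon/postResponse" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for item in missing_elements(BARE_METADATA):
        print("missing:", item)
```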

4. Restarting the apache2 service

systemctl restart apache2

5. Conclusion

You should now have a working integration of Apache and mod_auth_mellon on your machine.