• We are using RHEL 6.6, and its supported Shibboleth library is mod_auth_mellon. (CentOS & SLF users will have it as well)

    We have made your plugin work, but we have found that anytime the plugin is enabled/disabled, it breaks the site by inserting the “AuthType Shibboleth / require Shibboleth” code in the .htaccess file. We have had to bypass it by creating dummy “BEGIN/END” entries with an “<IfModule mod_no_more_breaking.c>” on either side of your .htaccess code. …hackerish, but it keeps the farm up and running.

    We also found that despite having the Initiator/Logout URLs configurable, you have hard-coded dependencies on mod_shibboleth in a few places which we had to manually modify.

    So, to provide compatibility to RHEL and those built from it, I ask if you would please:
    – Provide a check-box to enable/disable automatic writing to the .htaccess file
    – Provide compatibility with mod_auth_mellon
    – …and an unrelated nicety: With the Role Mapping feature, enable wildcard searches so we do not have to enter the full OU path within our AD; being able to specify only the CN would be just as good.

    Thanks!

    https://www.ads-software.com/plugins/shibboleth/

Viewing 1 replies (of 1 total)
  • Thread Starter Androclese

    (@androclese)

    For anybody wanting to use RHEL’s mod_auth_mellon with this Plugin, here is how we got it working:

    In the .htaccess file, create the following entry above the standard “WordPress” entry:

    # BEGIN mod_auth_mellon
    RewriteEngine On
    RewriteCond %{QUERY_STRING} ^(.*)target(.*)$
    RewriteRule ^mellon/login /mellon/login?%1ReturnTo%2
    RewriteCond %{REQUEST_URI} !^/mellon/
    # END mod_auth_mellon

    Then below the “WordPress” entry, put this around the existing “Shibboleth” entry this Plugin creates to hide it from Apache httpd.

    # BEGIN DO_NOT_ERASE_ME
    <IfModule mod_does_not_exist.c>
    # END DO_NOT_ERASE_ME
    
    # BEGIN Shibboleth
    AuthType Shibboleth
    Require Shibboleth
    # END Shibboleth
    
    # BEGIN DO_NOT_ERASE_ME
    </IfModule>
    # END DO_NOT_ERASE_ME

    This will hide their default entry, resolving the “white screen of death” you would normally see if using mod_auth_mellon.

    Finally, in the Shibboleth options page, you want to change the “Session Indicator URL” and the Logout URL to the following:

    https://YOUR_URL/mellon/login
    https://YOUR_URL/mellon/logout?ReturnTo=https://YOUR_URL

    …dropping the “s” from http if necessary.

    Hope that helps somebody!
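
Added example, not part of the original post or the plugin: a small check to run after the plugin is enabled or disabled, confirming that its `AuthType Shibboleth` block is still hidden by the `<IfModule>` wrapper described above. The function name `active_auth_types` and its `loaded` parameter are hypothetical, the sample text is constructed from the post, and only `<IfModule>` nesting is modelled.

```python
import re

# Constructed sample: the guarded layout from the post (WordPress block omitted).
SAMPLE = """\
# BEGIN DO_NOT_ERASE_ME
<IfModule mod_does_not_exist.c>
# END DO_NOT_ERASE_ME
# BEGIN Shibboleth
AuthType Shibboleth
Require Shibboleth
# END Shibboleth
# BEGIN DO_NOT_ERASE_ME
</IfModule>
# END DO_NOT_ERASE_ME
"""

OPEN = re.compile(r"<IfModule\s+(!?)\s*([^\s>]+)\s*>", re.I)
CLOSE = re.compile(r"</IfModule\s*>", re.I)
AUTH = re.compile(r"AuthType\s+(\S+)", re.I)


def active_auth_types(text, loaded=()):
    """Return (line_no, AuthType value) pairs that Apache would evaluate.

    `loaded` is the caller's assumption about which modules are present,
    named as they appear in <IfModule> (e.g. "mod_rewrite.c").
    """
    stack, found = [], []          # one bool per currently open <IfModule>
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue               # marker comments and blank lines are inert
        m = OPEN.fullmatch(line)
        if m:
            # Section is live if the module is loaded, inverted by a "!" prefix.
            stack.append((m.group(2) in loaded) != bool(m.group(1)))
        elif CLOSE.fullmatch(line):
            if not stack:
                raise ValueError(f"line {no}: </IfModule> without opener")
            stack.pop()
        elif all(stack):           # only directives in live sections count
            a = AUTH.fullmatch(line)
            if a:
                found.append((no, a.group(1)))
    if stack:
        raise ValueError("unclosed <IfModule> at end of file")
    return found
```

An empty result means no `AuthType` directive is exposed; a `ValueError` means one of the two `DO_NOT_ERASE_ME` marker blocks was lost and the file no longer nests correctly.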

  • The topic ‘Feature Request: Compatibility with mod_auth_mellon’ is closed to new replies.