Uninett/mod_auth_mellon

Requirement for other authorisation modules

Closed this issue · 2 comments

Hello,

At the University of Southampton we'd like to use mod_auth_mellon (rather than mod_auth_shib) for general purpose SAML authentication to Apache on RHEL6. We need a way to delegate authorization to the web server (rather than mod_auth_mellon) via Apache core authz modules such as LDAP or GroupFile. The scenario is: (1) mod_auth_mellon does authentication with the IdP, (2) Apache uses the username returned to authorise the user, such as with authnz_ldap (i.e. checking the user is in a group) or GroupFile. Is this possible today? If not, can this issue be a feature request for its addition?

Hi,

I have never tried any of those modules, but I think it should work. mod_auth_mellon will set the user id in the request, so other modules should be able to look at that and use that user id for authorization decisions.

I suggest that you try it, and if it fails, reopen this issue with a simple example of something that should work (preferably not dependent on any LDAP server, if possible).
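The split the two posts above describe, mod_auth_mellon authenticating against the IdP and Apache's own mod_authz_groupfile deciding who is allowed in, as an added configuration example that is not part of this thread or of the mod_auth_mellon project's documentation. The file paths, the endpoint path, the `web-admins` group name and the attribute chosen for `MellonUser` are assumptions for illustration; substitute your own.

```apache
# Added example, not from the issue thread. Paths, group name and the
# MellonUser attribute are placeholders.
<Location /secure>
    # Authentication: mod_auth_mellon performs the SAML exchange with the IdP
    AuthType Mellon
    MellonEnable auth
    MellonEndpointPath /secure/mellon
    MellonSPPrivateKeyFile /etc/httpd/mellon/sp-key.pem
    MellonSPCertFile       /etc/httpd/mellon/sp-cert.pem
    MellonSPMetadataFile   /etc/httpd/mellon/sp-metadata.xml
    MellonIdPMetadataFile  /etc/httpd/mellon/idp-metadata.xml

    # Which assertion attribute becomes the request user (REMOTE_USER).
    # Default is the SAML NameID; here an eduPerson attribute is assumed.
    MellonUser eduPersonPrincipalName

    # Authorization: a core Apache authz module checks that user against
    # a group file. Only members of the listed group get through.
    AuthGroupFile /etc/httpd/mellon/groups
    Require group web-admins
</Location>
```

The group file uses the standard `group: user user ...` format, with the user names written exactly as the `MellonUser` attribute delivers them (for an eduPerson principal name that is `user@realm`). The point of `Require group` rather than `Require valid-user` is that the IdP only vouches for identity: with `valid-user`, every account the IdP can authenticate is admitted, whereas the group requirement keeps the access decision local to the web server and limited to the people who need it. The same pattern applies with `AuthLDAPURL` plus `Require ldap-group` from mod_authnz_ldap in place of the group file.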

This just works, I know from experience.