olavmrk
commented
6 years ago I'm sorry, but I'm not familiar enough with Apache configuration to tell whether it is possible or not. It may be possible, but my impression is that Apache wants one authentication method at a time.
As a workaround it may be possible to push the basic authentication into the application. Basically run mod_auth_mellon in "info"-mode, where it allow through unauthenticated requests, and then have the application look at the request to determine the authentication method. I.e.:
- REMOTE_USER set => user authenticated through mod_auth_mellon
- Authorization-header set => parse that header, validate username & password
- Otherwise: Trigger mod_auth_mellon authentication by redirecting to the login endpoint (/mellon/login)
nneul
This may be more of an apache question, but seems like it would be something useful to have as an example in docs for this module.
I'd like to be able to have a path on the server that is protected by both mod_auth_mellon for SAML AND standard apache basic auth (using either ldap or krb5 auth modules). The key is though - I only want the basic auth to function if the basic auth creds are already passed in the request - I don't want it sending back an authorization response triggering the browser to throw up the basic auth dialog. If the authentication fails or is missing, redirecting to the saml idp is appropriate.
Reason for this in case it clarifies, most of my existing environment is using basic auth right now. I'd like to move a subset of the user driven activities over to SAML auth, but we have a lot of legacy code (that is not all visible to me) that does REST requests (or even simple scraping/spidering/etc.) that is coded to hard send auth details via basic auth. I'd rather not set up a new URL for the apps themselves for end users, and it's infeasible to change all the legacy references.
Is this possible, and if so, could you add an example of it?