[openstack-dev] [Keystone] - Cloud federation on top of the Apache

Marek Denis marek.denis at cern.ch
Thu Jan 30 08:17:59 UTC 2014

On 29.01.2014 17:06, Adam Young wrote:

> We had a team member looking into SAML, but I don't know if he
> made that distinction.

Do you think he would be willing to give a helping hand and share his 
expertise? Any possibility to contact your colleague? Without ECP/HTTP 
client extensions I think the federation is only 50% useful (because 
eventually somehow you need to log in and obtain the SAML assertion 
manually, with your browser).

> Is there anything that would prevent us from having a solution that
> supported both, based on the requirements of the implementer?

mod_shib passes SAML assertion parameters into discrete environment 
variables. I am now looking at the mod_mellon README file and it looks 
like mellon's behaviour is pretty much the same. So, if there are any 
implementation details, they are minor ones and we basically start on 
the same page.

From https://modmellon.googlecode.com/svn/trunk/mod_mellon2/README:

  Using mod_auth_mellon

After you have set up mod_auth_mellon, you should be able to visit (in our
example) https://example.com/secret/, and be redirected to the IdP's login
page. After logging in you should be returned to
https://example.com/secret/, and get the contents of that page.

When authenticating a user, mod_auth_mellon will set some environment
variables to the attributes it received from the IdP. The name of the
variables will be MELLON_<attribute name>. If you have specified a
different name with the MellonSetEnv or MellonSetEnvNoPrefix configuration
directive, then that name will be used instead. In the case of MellonSetEnv,
the name will still be prefixed by 'MELLON_'.

The value of the attribute will be base64 decoded.

mod_auth_mellon supports multivalued attributes with the following format:
<base64 encoded value>_<base64 encoded value>_<base 64 encoded value>...

If an attribute has multiple values, then they will be stored as
MELLON_<name>_0, MELLON_<name>_1, MELLON_<name>_2, ...

Since mod_auth_mellon doesn't know which attributes may have multiple
values, it will store every attribute at least twice. Once named
MELLON_<name>, and once named MELLON_<name>_0.

In the case of multivalued attributes MELLON_<name> will contain the first

The following code is a simple php-script which prints out all the

<?php
// Print every attribute mod_auth_mellon exported into the request environment.
header('Content-Type: text/plain');

foreach ($_SERVER as $key => $value) {
    // Only variables set by the module itself carry the MELLON_ prefix.
    if (substr($key, 0, 7) == 'MELLON_') {
        echo($key . '=' . $value . "\r\n");
    }
}

Marek Denis
[marek.denis at cern.ch]
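
As an added example (not code from Keystone, mod_shib or mod_auth_mellon), the Python below implements both halves of the hand-off the quoted README describes: building the MELLON_* variables from the underscore-joined base64 format, and reading them back into {attribute: [values]} on the consumer side, the way a Keystone mapping layer sitting behind either Apache module would. It goes one step beyond the page by also handling mod_shib, which joins multiple values of one attribute with ';' in a single variable and escapes literal semicolons as '\;'; that behaviour is documented for Shibboleth SP but is not stated on this page. The attribute names (eppn, affiliation, as if set via MellonSetEnv), the values and the environ dicts are constructed sample data.

```python
"""Added example: mod_auth_mellon-style attribute export and a consumer that
normalises attributes from either mod_auth_mellon or mod_shib.  Not code from
Keystone or either Apache module; names and sample data are constructed."""
import base64
import re

MELLON_PREFIX = "MELLON_"
_MELLON_INDEXED = re.compile(r"^MELLON_(?P<name>.+)_(?P<idx>\d+)$")


def mellon_export(name, raw):
    """Return the env vars mod_auth_mellon would set for one attribute.

    `raw` is the README's multi-value format: base64 values joined by '_'.
    Standard base64 uses only A-Z a-z 0-9 + / =, so '_' cannot occur inside
    a value and the split is unambiguous.
    """
    values = [base64.b64decode(part).decode("utf-8") for part in raw.split("_")]
    env = {MELLON_PREFIX + name: values[0]}  # unsuffixed copy holds the first value
    for i, value in enumerate(values):
        env["%s%s_%d" % (MELLON_PREFIX, name, i)] = value
    return env


def split_shib_value(value):
    """Split a mod_shib-style 'a;b;c' value, honouring '\\;' escapes.

    Assumption: mod_shib's ';' joining is not described on the page.
    """
    values, current, i = [], [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] == ";":
            current.append(";")
            i += 2
        elif value[i] == ";":
            values.append("".join(current))
            current = []
            i += 1
        else:
            current.append(value[i])
            i += 1
    values.append("".join(current))
    return values


def collect_attributes(environ, shib_names=()):
    """Normalise the per-request environment into {attribute: [values]}.

    Only variables the auth module itself sets are read.  Apache exposes
    client request headers as HTTP_<NAME>, so a forged 'MELLON_eppn:' header
    becomes HTTP_MELLON_EPPN and fails the MELLON_ prefix check.
    """
    indexed = {}
    for key, value in environ.items():
        if not key.startswith(MELLON_PREFIX):
            continue
        m = _MELLON_INDEXED.match(key)
        # The README guarantees MELLON_<name> exists beside MELLON_<name>_0;
        # requiring it filters out an unsuffixed attribute whose own name
        # happens to end in _<digits> (an ambiguity inherent in the scheme).
        if m and (MELLON_PREFIX + m.group("name")) in environ:
            indexed.setdefault(m.group("name"), {})[int(m.group("idx"))] = value
    attrs = {name: [by_idx[i] for i in sorted(by_idx)] for name, by_idx in indexed.items()}
    for name in shib_names:  # mod_shib: one variable per attribute, ';'-joined
        if name in environ:
            attrs[name] = split_shib_value(environ[name])
    return attrs


# Constructed sample environments (not captured from a real deployment).
MELLON_ENVIRON = {
    "HTTP_MELLON_EPPN": "mallory@example.org",   # client-supplied header, ignored
    "MELLON_eppn": "alice@example.org",
    "MELLON_eppn_0": "alice@example.org",
}
MELLON_ENVIRON.update(mellon_export("affiliation", "c3RhZmY=_bWVtYmVy"))  # staff, member

SHIB_ENVIRON = {
    "HTTP_EPPN": "mallory@example.org",          # client-supplied header, ignored
    "eppn": "alice@example.org",
    "affiliation": "staff;member;a\\;b",
}

if __name__ == "__main__":
    print(collect_attributes(MELLON_ENVIRON))
    print(collect_attributes(SHIB_ENVIRON, shib_names=("eppn", "affiliation")))
```

The consumer deliberately keys off what the module sets rather than anything derived from the request: a client cannot inject a bare MELLON_* or eppn variable through headers because Apache prefixes header-derived variables with HTTP_, which is the same reason the README's PHP script filters on the MELLON_ prefix. For mod_shib the consumer has to be told which variable names to expect (here via shib_names), since mod_shib exports attributes under whatever names the SP's attribute map assigns, with no common prefix.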
