I'm trying to set up SAML auth on a subfolder of an apache 2.4 vhost using auth_mellon, following the instructions here: https://richard-purves.com/2019/05/07/apache-saml-sso-the-hard-way/
In the vhost I have the following auth_mellon config:
<Location /foo/>
    MellonEnable "auth"
    MellonSPPrivateKeyFile XXXXXXXXXXXXXXX.key
    MellonSPCertFile XXXXXXXXXXXXXXX.cert
    MellonSPMetadataFile XXXXXXXXXXXXXXX.xml
    MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
    MellonEndpointPath /secret/
</Location>
Certificate, key and metadata files are all present and generated according to the instructions in the blog post linked to above, and are readable by apache.
Now when I visit /foo on the vhost in the browser, auth_mellon does step in and redirects to the mellon login endpoint URL, i.e. /secret/login, and appends a query string to the URL consisting of the ReturnTo and IdP parameters.
My understanding from the auth_mellon docs of what should happen here is that a call to /secret/login should trigger an auth_mellon "handler" that redirects the browser to the Identity Provider specified in the query string. However, this does not seem to be happening.
Any suggestions why auth_mellon would not be triggering the appropriate function for a call to one of its endpoints would be very much appreciated. Alternatively, an explanation if I have not properly understood what should be happening here would be equally appreciated.
I have already seen "Auth Mellon is not redirecting to IDP. Apache is returning 404 for /mellon" - in that case the poster states that the problem was a rewrite rule. I think I've ruled this out by disabling mod_rewrite and confirming that the problem still occurs.
Ubuntu 20.04.5 LTS
Apache 2.4.41
Identity provider is MS365 Enterprise App auth
Thanks in advance for your valuable time.
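For comparison, here is an added example vhost fragment (not from the question or the linked blog post) laid out the way the mod_auth_mellon README's own sample does, with the endpoint path placed below the Location in which Mellon is enabled, so that requests to the endpoints are seen by a request context where the Mellon directives apply. The file paths and the /foo/mellon/ prefix are placeholders; whether this layout resolves the specific symptom above is an assumption to verify against the error log.

```apache
# Added example, not the question's config. Paths are placeholders.
<Location /foo/>
    # Mellon is active for everything under /foo/, including the endpoints below.
    MellonEnable "auth"

    MellonSPPrivateKeyFile /etc/apache2/mellon/sp.key
    MellonSPCertFile       /etc/apache2/mellon/sp.cert
    MellonSPMetadataFile   /etc/apache2/mellon/sp-metadata.xml
    MellonIdPMetadataFile  /etc/apache2/mellon/idp-metadata.xml

    # Endpoint path kept INSIDE the Mellon-enabled Location, as in the
    # README's sample config. The login/logout/postResponse/metadata
    # endpoints are then served from /foo/mellon/... by Mellon's handler.
    # Pick a prefix the application itself never uses, to avoid collisions.
    MellonEndpointPath /foo/mellon/

    # Optional: require a specific attribute from the IdP assertion rather
    # than accepting any authenticated user (defence in depth).
    # MellonCond "groups" "app-users" [MAP]
</Location>

# The SP metadata handed to the IdP must advertise the same endpoint
# prefix, e.g. the AssertionConsumerService at
# https://HOSTNAME_PLACEHOLDER/foo/mellon/postResponse
```

Raising `LogLevel auth_mellon:debug` (Apache 2.4 per-module log levels) on the vhost shows whether Mellon is invoked at all for a request to the endpoint path, which is the quickest way to distinguish "not enabled for that path" from a later failure.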