I am moving a dev OOD instance from dex w/ LDAP to Azure SAML before moving production. dex w/ LDAP was working fine. I followed all directions at SAML Authentication with Active Directory Federated Services (ADFS) and mod_auth_mellon — Open OnDemand 4.1.0 documentation as far as I can tell. I am getting a "400 Bad Request" error ("Your browser sent a request that this server could not understand."). The auth to Azure looks fine; the Bad Request seems to happen when it comes back to https://host/mellon/postResponse. I have been through all the other posts and have not gotten anywhere. I turned the LogLevel up on auth_mellon and get the following:
[Mon May 11 20:40:13.069459 2026] [auth_mellon:debug] [pid 1827364:tid 134249241884224] auth_mellon_util.c(2650): [client 10.247.156.33:51756] have_paos_media_type=False valid_paos_header=False is_paos=False error_code=0 ecp options=[]
[Mon May 11 20:40:13.069504 2026] [auth_mellon:debug] [pid 1827364:tid 134249241884224] auth_mellon_util.c(52): [client 10.247.156.33:51756] reconstruct_url: url=="https://HOST/pun/sys/dashboard", unparsed_uri=="/pun/sys/dashboard"
[Mon May 11 20:40:13.076087 2026] [auth_mellon:debug] [pid 1827364:tid 134249241884224] auth_mellon_handler.c(276): [client 10.247.156.33:51756] loaded IdP "https://sts.windows.net/abc123ab-e2e5-46df-8d67-82607df9deaa/" from "/etc/apache2/mellon/idpmetadata.xml".
[Mon May 11 20:40:13.076123 2026] [auth_mellon:debug] [pid 1827364:tid 134249241884224] auth_mellon_handler.c(3760): [client 10.247.156.33:51756] Redirecting to login URL: https://HOST/mellon/login?ReturnTo=https%3A%2F%2Frc%2Dtjf.rc.usf.edu%2Fpun%2Fsys%2Fdashboard&IdP=https%3A%2F%2Fsts.windows.net%2Fabc123ab%2De2e5%2D46df%2D8d67%2D82607df9deaa%2F
[Mon May 11 20:40:13.124811 2026] [auth_mellon:debug] [pid 1827364:tid 134249233491520] auth_mellon_util.c(52): [client 10.247.156.33:51756] reconstruct_url: url=="https://HOST/mellon/login?ReturnTo=https%3A%2F%2Frc%2Dtjf.rc.usf.edu%2Fpun%2Fsys%2Fdashboard&IdP=https%3A%2F%2Fsts.windows.net%2Fabc123ab%2De2e5%2D46df%2D8d67%2D82607df9deaa%2F", unparsed_uri=="/mellon/login?ReturnTo=https%3A%2F%2Frc%2Dtjf.rc.usf.edu%2Fpun%2Fsys%2Fdashboard&IdP=https%3A%2F%2Fsts.windows.net%2Fabc123ab%2De2e5%2D46df%2D8d67%2D82607df9deaa%2F"
[Mon May 11 20:40:13.132264 2026] [auth_mellon:debug] [pid 1827364:tid 134249233491520] auth_mellon_handler.c(276): [client 10.247.156.33:51756] loaded IdP "https://sts.windows.net/abc123ab-e2e5-46df-8d67-82607df9deaa/" from "/etc/apache2/mellon/idpmetadata.xml".
[Mon May 11 20:40:13.481482 2026] [auth_mellon:debug] [pid 1827364:tid 134249225098816] auth_mellon_handler.c(276): [client 10.247.156.33:51756] loaded IdP "https://sts.windows.net/abc123ab-e2e5-46df-8d67-82607df9deaa/" from "/etc/apache2/mellon/idpmetadata.xml"., referer: https://login.microsoftonline.com/
[Mon May 11 20:40:13.485585 2026] [auth_mellon:debug] [pid 1827364:tid 134249225098816] auth_mellon_util.c(52): [client 10.247.156.33:51756] reconstruct_url: url=="https://HOST/mellon/postResponse", unparsed_uri=="/mellon/postResponse", referer: https://login.microsoftonline.com/
[Mon May 11 20:40:13.485936 2026] [auth_mellon:warn] [pid 1827364:tid 134249225098816] [client 10.247.156.33:51756] User has disabled cookies, or has lost the cookie before returning from the SAML2 login server., referer: https://login.microsoftonline.com/
Any help that anyone can provide to help me with this would be greatly appreciated!