Troubleshooting mod_auth_mellon / ADFS config

We are running Open OnDemand 3.1.7 on an AlmaLinux 9.4 OpenHPC cluster. Currently, we use basic auth via PAM, which ultimately uses Kerberos/LDAP to authenticate users. We would like to use our University’s ADFS system, as it is more secure and simplifies login for our users.
I have followed the tutorial in the documentation, but I am still not able to get it working.

When I connect to my OOD interface, I am sent to ADFS to authenticate as expected. Once that is complete, I am referred back to https://ood/mellon/postResponse, which displays a 401 Unauthorized error.
In the Apache error logs, the error message is cryptic, with no sub-status code or description. I have enabled the MellonDiagnostics and the debug file has the same error. It shows no indication that it received any Name ID/etc. from ADFS.
The documentation is a bit lacking in terms of how the ADFS claims should be configured, as it just refers generally to the mod_auth_mellon documentation. I am wondering if someone who has this working can post a more detailed list of claims being used for the ADFS side?

Error processing authn response. Lasso error: [-432] Status code is not success, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Responder", StatusCode2="(null)", StatusMessage="(null)", referer:

Hi and welcome!

Unfortunately, those documents are community contributed and OSC doesn’t know much about auth_mellon and ADFS.

Perhaps your University IT department can help - I mean the folks who run the ADFS server may know more.

Again, I’m sorry I don’t have more for you - we just don’t use ADFS so don’t know much about it.

That said - I did find the RHEL bug with the same Lasso error code [-432] and it appears to indicate some issue with the algorithm chosen in MellonSignatureMethod.

https://bugzilla.redhat.com/show_bug.cgi?id=1295472

Thanks for the response. I had already found the MellonSignatureMethod issues, but that did not resolve the issue. The documentation just does not contain enough information to set up the ADFS claims properly. Eventually, I was able to find documentation for another application that uses mod_auth_mellon, and our ADFS team set up claims according to their documentation. That allowed me to get the user’s UPN back from ADFS and then use user_map_match to strip off the trailing @domain.edu.
For anyone else having similar issues, the claim rules I used are documented here: https://kb.i-doit.com/en/user-authentication-and-management/sso-comparison/saml/adfs-saml.html
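Added example, not code from the original poster, from OSC or from the Open OnDemand project: a small Python tool that decodes the base64 SAMLResponse ADFS POSTs to /mellon/postResponse (you can copy it out of the browser's developer tools, or out of the MellonDiagnostics dump) and reports what the IdP actually sent back, so you can tell an ADFS-side refusal apart from a mellon-side parsing or mapping problem before reading Lasso error numbers. Assumptions, all of them mine: the ood_portal.yml setting `user_map_match: '^([^@]+)@domain\.edu$'` (the thread only says the trailing @domain.edu is stripped), the issuer URL and the two sample responses, which are constructed, unsigned and unencrypted for readability, and that mod_auth_mellon is left at its default `MellonUser NAME_ID` so REMOTE_USER is the NameID.

```python
"""Decode an ADFS SAMLResponse and say what it contains (status, NameID,
attributes) and what OOD's user_map_match would make of the NameID."""
import base64
import re
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed ood_portal.yml value, as a Python regex:
#   user_map_match: '^([^@]+)@domain\.edu$'
# OOD uses capture group 1 as the local (PAM/LDAP) username.
USER_MAP_MATCH = re.compile(r"^([^@]+)@domain\.edu$")


def parse_response(saml_response_b64):
    """Return status code chain, StatusMessage, NameID and attributes."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find("samlp:Status", NS)
    codes = []
    node = status.find("samlp:StatusCode", NS)
    while node is not None:  # top-level code, then any nested sub-code
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    attrs = {}
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "status_codes": codes,
        "status_message": status.findtext("samlp:StatusMessage", None, NS),
        "name_id": root.findtext("saml:Assertion/saml:Subject/saml:NameID", None, NS),
        # If ADFS encrypts assertions you get this instead; this tool does not decrypt.
        "encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "attributes": attrs,
    }


def map_user(remote_user):
    """Apply user_map_match the way OOD does: capture group 1, or no match."""
    m = USER_MAP_MATCH.match(remote_user or "")
    return m.group(1) if m else None


def analyze(saml_response_b64):
    info = parse_response(saml_response_b64)
    top = info["status_codes"][0] if info["status_codes"] else ""
    if top == STATUS_SUCCESS:
        if info["name_id"]:
            verdict = "ok"
        elif info["encrypted"]:
            verdict = "success-encrypted-assertion"
        else:
            verdict = "success-but-no-nameid"   # claim rules emit no Name ID
    elif top.endswith(":Responder"):
        verdict = "idp-refused"   # ADFS declined; the reason is only in the ADFS event log
    elif top.endswith(":Requester"):
        verdict = "request-rejected"   # ADFS blames the AuthnRequest / SP metadata
    else:
        verdict = "unknown"
    info["verdict"] = verdict
    info["local_user"] = map_user(info["name_id"])  # assumes MellonUser NAME_ID (default)
    return info


def _b64(xml):
    return base64.b64encode(xml.strip().encode()).decode()


# Constructed sample 1: the shape behind the log line in the question, a top-level
# Responder status with no sub-code, no StatusMessage and no Assertion at all.
RESPONDER_SAMPLE = _b64("""
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
                Destination="https://ood/mellon/postResponse">
  <saml:Issuer>http://adfs.domain.edu/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
  </samlp:Status>
</samlp:Response>
""")

# Constructed sample 2: a working response, UPN as NameID and also as a UPN claim.
SUCCESS_SAMPLE = _b64("""
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
                Destination="https://ood/mellon/postResponse">
  <saml:Issuer>http://adfs.domain.edu/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.domain.edu/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@domain.edu</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
        <saml:AttributeValue>jdoe@domain.edu</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
""")

if __name__ == "__main__":
    for name, sample in (("responder", RESPONDER_SAMPLE), ("success", SUCCESS_SAMPLE)):
        print(name, analyze(sample))
```

The point of the verdicts: a top-level Responder status with an empty sub-code and no StatusMessage, which is exactly what Lasso reports as [-432], is ADFS saying it would not or could not issue an assertion; mellon has nothing to parse, so no Name ID will ever show up in its diagnostics. The reason lives on the ADFS server (its AD FS admin event log), which is where the relying-party trust and claim rules are, and is why changing MellonSignatureMethod on the SP side cannot fix this case. A Success status with a NameID that map_user rejects means the regex in user_map_match does not match what ADFS sends as the Name ID, and that is the only case worth fixing on the OOD side.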