Page tree
Skip to end of metadata
Go to start of metadata

Please start here if you want to connect your service to the SURFconext platform

This is a description how to set up an SP in SURFconext using Apache and the module mod_mellon. It might be a good choice for SPs with very simple requirements. When in doubt, using SimpleSAMLphp or Shibboleth is probably a good choice. This manual is still quite basic.

For more background and options for mod mellon, see:

SURFconext Metadata

Take note that the metadata and the metadata locations used for the test and production environments of SURFconext differ. This example uses TEST urls. Please change to production where appropriate.

Install things

apt install apache2 libapache2-mod-auth-mellon
a2enmod auth_mellon
service apache2 restart

Configure Apache to work for your application. Set up HTTPS with a working certificate and a high score on and/or

Configure SURFconext IdP metadata

Generate a SAML keypair to use for mellon and download SURFconext IdP metadata.

mkdir /etc/apache2/mellon/
cd !^

openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out saml.pem -keyout saml.key

curl -O
curl -O

Configure virtual host

Add the following to your virtual host (assuming it lives on https://your.example.domain).

<Location />
    MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
    MellonIdPPublicKeyFile /etc/apache2/mellon/
    MellonSPCertFile /etc/apache2/mellon/saml.pem
    MellonSPPrivateKeyFile /etc/apache2/mellon/saml.key
    MellonSecureCookie On
    MellonSPentityId "https://your.example.domain"
    MellonOrganizationName "Your Organization Name"
    MellonCookieSameSite None

<Location /secret>
    AuthType "Mellon"
    Require valid-user
    MellonEnable "auth"

Reload Apache.

The configuration above requires login for URL path /secret.

Browse to the path /secret on your vhost. This should now redirect to SURFconext (error message about unknown SP).

The following URL should now give output: https://your.example.domain/mellon/metadata.

Supply this URL to SURFconext (via SP dashboard or to SURFconext support). It will be configured on their end.

Authenticate and authorize users

Authentication might now just work.

You receive information about the user in environment variables, named like this:


(which attribute's value ends up in REMOTE_USER is defined by the MellonUser directive)



See the Mellon documentation for more information.

It's also possible to add more Mellon* directives to the Apache config. Including directives to authorize users (e.g. only allow users with eduPersonAffiliation = employee) with MellonRequire.

That's all folks

Let us know if you have any questions at