SAML not working after update to 2.4

CMK version: 2.4.0p3
OS version: Debian 12

Error message: Proxy Error.

Hello! After updating to 2.4, SAML auth with mellon seems to not work anymore.

Tried to regenerate the key and cert with mellon, but no result; the same config and key/certs work fine in 2.3p33. I have this message in the Apache logs:
*** stack smashing detected ***: terminated
[Wed Jun 11 10:32:25.651964 2025] [core:notice] [pid 57526:tid 57526] AH00052: child pid 65455 exit signal Abort (6)
If I change auth.conf to the default one, without SAML, it works OK and I can log in via password.

Good Morning @vetal2530,

thank you for the report.

Could you please share the following?

  • checkmk edition
  • your SAML config

Sunny Greetings and thank you
Hartmut

Hello, @HartmutLeister
Thanks for the reply.

We have the RAW edition.

# Set this to the name of your Checkmk site, e.g.
# Define SITE mysite
Define SITE monitoring

# ServerName from listen-ports.conf needs to be overwritten here
# and set to the URL of the real server.
# auth_mellon uses this to generate the needed URLs in the metadata.
ServerName https://monitoring

# Load the module.
<IfModule !mod_auth_mellon.c>
    LoadModule auth_mellon_module /usr/lib/apache2/modules/mod_auth_mellon.so
</IfModule>

# Only enable this for debugging purposes
# MellonDiagnosticsFile /opt/omd/sites/${SITE}/tmp/mellon_diagnostics.log
# MellonDiagnosticsEnable On

<Location /${SITE}>

    # Use SAML auth only in case there is no Checkmk authentication
    # cookie provided by the user, and whitelist also some other required URLs.
    <If "! %{HTTP_COOKIE} =~ /^auth_${SITE}/ && \
         ! %{REQUEST_URI} = '/${SITE}/check_mk/register_agent.py' && \
         ! %{REQUEST_URI} = '/${SITE}/check_mk/restapi.py' && \
         ! %{REQUEST_URI} = '/${SITE}/check_mk/run_cron.py' && \
         ! %{REQUEST_URI} = '/${SITE}/check_mk/automation.py' && \
         ! %{REQUEST_URI} -strmatch '/${SITE}/check_mk/api/*' && \
         ! %{REQUEST_URI} = '/${SITE}/check_mk/deploy_agent.py' && \
         ! %{REQUEST_URI} = '/${SITE}/check_mk/ajax_graph_images.py' && \
         ! %{QUERY_STRING} =~ /(_secret=|auth_|register_agent)/ && \
         ! %{REQUEST_URI} =~ m#^/${SITE}/(omd/|check_mk/((images|themes)/.*\.(png|svg)|login\.py|.*\.(css|js)))# ">

        RequestHeader unset X-Remote-User
        MellonIdPMetadataFile /opt/omd/sites/${SITE}/etc/apache/mellon/idp-metadata.xml
        # Azure-AD-specific: not needed because it is in the metadata:
        #MellonIdPPublicKeyFile /opt/omd/sites/${SITE}/etc/apache/mellon/idp-public-key.pem
        MellonSPCertFile /opt/omd/sites/${SITE}/etc/apache/mellon/mellon.cert
        MellonSPPrivateKeyFile /opt/omd/sites/${SITE}/etc/apache/mellon/mellon.key
        MellonEndpointPath "/${SITE}/mellon"
        MellonDefaultLoginPath "/${SITE}/check_mk/"

        Order allow,deny
        Allow from all

        MellonSecureCookie On
        MellonCookieSameSite None

        AuthType Mellon
        MellonEnable auth
        require valid-user

        # Azure-AD-specific:
        # Get the username.
        # If your assertion offers the username for Checkmk in an attribute, you can set it directly as the remote user (REMOTE_USER):
        MellonUser "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
        RequestHeader set X-Remote-User "%{MELLON_http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name}e" env=MELLON_http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

        # When SAML auth fails, show the login page to the user. This should only happen if, e.g., the mellon cookie is lost/rejected or the IdP is misconfigured.
        # A failed login at the IdP will not return you here at all.
        ErrorDocument 401 '<html> \
          <head> \
            <meta http-equiv="refresh" content="1; URL=/${SITE}/check_mk/login.py"> \
          </head> \
          <body> \
            SAML authentication failed, redirecting to login page. \
            <a href="/${SITE}/check_mk/login.py">Click here</a>. \
          </body> \
        </html>'

    </If>

    # Azure-AD-specific:
    # This header is also needed after authentication (outside of the If clause).
    RequestHeader set X-Remote-User "%{MELLON_http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name}e" env=MELLON_http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

</Location>

This config works with 2.3p33.

Hello @vetal2530,

thank you for the configuration.

I created an internal ticket for further investigation.
I will keep you posted.

Sunny Greetings
Hartmut

Hello!

Do we have any updates? I tried 2.4p8 today and have the same issue. I looked at the Apache logs and found this error every time I try to access the web:

*** stack smashing detected ***: terminated
[Wed Jul 30 14:55:49.813992 2025] [core:notice] [pid 1488:tid 1488] AH00052: child pid 4438 exit signal Abort (6)
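As an added example (my code, not from this thread, Checkmk or mod_auth_mellon), a small Python parser for Apache error_log lines in the format quoted above: it pairs each AH00052 "child pid ... exit signal" notice with a preceding glibc "stack smashing detected" marker, so a recurring module crash can be picked up from the log instead of being noticed as Proxy Error pages. The sample log is constructed from the two lines in the post plus two invented neighbours, and the function and class names are mine.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the two error_log lines quoted in this thread, framed by an
# invented startup notice and an invented unrelated segfault that must NOT be
# flagged as stack smashing.
SAMPLE_LOG = """\
[Wed Jul 30 14:55:40.000000 2025] [mpm_event:notice] [pid 1488:tid 1488] AH00489: Apache configured -- resuming normal operations
*** stack smashing detected ***: terminated
[Wed Jul 30 14:55:49.813992 2025] [core:notice] [pid 1488:tid 1488] AH00052: child pid 4438 exit signal Abort (6)
[Wed Jul 30 14:56:02.100000 2025] [core:notice] [pid 1488:tid 1488] AH00052: child pid 4501 exit signal Segmentation fault (11)
"""

# AH00052 is the parent's "child pid N exit signal X (N)" notice.
CHILD_EXIT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]+\] \[pid (?P<ppid>\d+):tid \d+\] "
    r"AH00052: child pid (?P<cpid>\d+) exit signal (?P<sig>[^(]+) \((?P<signum>\d+)\)"
)
# glibc's stack protector writes this to stderr (hence into error_log) right before abort().
SMASH_MARKER = "*** stack smashing detected ***"

@dataclass
class ChildCrash:
    timestamp: str
    parent_pid: int
    child_pid: int
    signal: str
    signum: int
    stack_smashing: bool

def find_child_crashes(log_text: str) -> List[ChildCrash]:
    """Every AH00052 child exit; tagged when the next exit after a marker follows a stack-protector abort."""
    crashes: List[ChildCrash] = []
    smash_pending = False
    for line in log_text.splitlines():
        if SMASH_MARKER in line:
            smash_pending = True
            continue
        m = CHILD_EXIT_RE.match(line)
        if not m:
            continue
        crashes.append(ChildCrash(m["ts"], int(m["ppid"]), int(m["cpid"]),
                                  m["sig"], int(m["signum"]), smash_pending))
        smash_pending = False
    return crashes

def stack_smash_aborts(log_text: str) -> List[int]:
    """Child PIDs killed by a stack-protector abort; non-empty means the crash in this thread is recurring."""
    return [c.child_pid for c in find_child_crashes(log_text) if c.stack_smashing]
```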

Hi there,

Can you tell me which version of mod_auth_mellon is in use?

  • Glowsome

Good Morning @vetal2530 and @Glowsome,

already in 2.3.0, mod_auth_mellon was no longer included in the Checkmk base installation; see Werk #15694: Remove mod_auth_mellon.

See Authentication with SAML on handling this on CRE:

Up to Checkmk version 2.2.0, as an alternative, SAML was also supported by the Apache mod_auth_mellon module, which was supplied as part of the Checkmk software. From version 2.3.0, mod_auth_mellon is no longer included in the Checkmk software. If you want to use SAML as a CRE Checkmk Raw user, you must therefore install mod_auth_mellon yourself. The configuration based on this is described in the chapter on Checkmk Raw. However, it is no longer supported by us.

Sunny Greetings
Hartmut

There also was an article on the forum about it.
So a bit of history is there, @HartmutLeister: https://forum.checkmk.com/t/is-checkmk-saml-2-0-capable/23195/10

  • Glowsome

It is the latest available version:
libapache2-mod-auth-mellon/stable,now 0.18.1-1

I know about this; after 2.2 the mellon mod was installed system-wide and it was working till 2.4, so I suggested that something changed in the new version.

I see on https://github.com/latchset/mod_auth_mellon/releases that 19.1 is available as a release now.

  • Glowsome

@vetal2530 ,

Not to discourage usage of SAML, but in the past I switched from SAML to OpenID Connect.
I have been using it since there were some issues with SAML/mod_auth_mellon, and I found OIDC easier to implement compared to SAML.
And it gives the same functionality on RAW.

I am still using it currently on both 2.3.0p35 CRE and a 2.4.0p4 testbox.

So if you have the possibility, investigate OIDC: mod_auth_openidc.

The howto (and related stuff) is posted in: This forum post.

  • Glowsome

@Glowsome

We also encountered the same error above with mellon after updating to 2.4 RAW. I tested auth with openidc per your suggestion and our SSO is now working in 2.4.0p9 RAW.

Thank you!
