
auth_mellon (SAML) authentication fails after upgrade to 26.5.1 (from 26.4.6) #45680

@rtheys

Description


Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

saml

Describe the bug

Hi,

Our web server uses auth_mellon to restrict access to certain resources. The following configuration is in use:

    <Location />
        MellonEnable info
        MellonEndpointPath /mellon/
        MellonSPMetadataFile /etc/httpd/mellon/urn_sso-test.esat.kuleuven.be.xml
        MellonSPPrivateKeyFile /etc/httpd/mellon/urn_sso-test.esat.kuleuven.be.key
        MellonSPCertFile /etc/httpd/mellon/urn_sso-test.esat.kuleuven.be.cert
        MellonIdPMetadataFile /etc/httpd/mellon/idp_metadata.xml
        MellonSecureCookie On
        MellonCookieSameSite none
        MellonUser uid
    </Location>
    <Location /restricted>
        AuthType Mellon
        MellonEnable auth
        require valid-user
    </Location>

The client is registered on our Keycloak server. Authentication has worked fine this way until we upgraded the system to Keycloak 26.5.1 (from 26.4.6). Since the upgrade, the authentication fails and the following message is logged in the apache error log:

[Tue Jan 20 16:43:18.459760 2026] [auth_mellon:error] [pid 686360:tid 686382] [remote 10.86.18.4:49801] Error processing authn response. Lasso error: [-427] When looking for an assertion we did not found it., SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Success", StatusCode2="(null)", StatusMessage="(null)"

Downgrading the keycloak server to 26.4.6 makes the login work again. Note that the keycloak login itself seems to work, but auth_mellon is apparently no longer able to find some of the information it needs from the SAML response.

Version

26.5.1

Regression

  • The issue is a regression

Expected behavior

The login using auth_mellon should work as it did with keycloak 26.4.6 (and the many versions we had before).

Actual behavior

The login seems to work at the keycloak level, but auth_mellon seems unable to find the information it needs from the SAML response:

[Tue Jan 20 16:43:18.459760 2026] [auth_mellon:error] [pid 686360:tid 686382] [remote 10.86.18.4:49801] Error processing authn response. Lasso error: [-427] When looking for an assertion we did not found it., SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Success", StatusCode2="(null)", StatusMessage="(null)"

How to Reproduce?

  • Install keycloak 26.4.6 and add a SAML client that uses auth_mellon
  • Verify that login on the service protected by auth_mellon works
  • Upgrade keycloak to 26.5.1
  • Try to login on the resource again

Anything else?

No response
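The Lasso error quoted above says the SP found a Response with a Success status but could not find an assertion in it. The first thing a practitioner wants to know is what the Response actually carried: a plaintext saml:Assertion, only a saml:EncryptedAssertion, or nothing at all, and whether the attribute named in MellonUser (uid) is present. The script below is an added diagnostic, not code from the issue, from Keycloak or from mod_auth_mellon: it base64-decodes the SAMLResponse form value from the browser's POST to the Mellon endpoint and reports those facts. The three sample responses are constructed for the example; they are not captures from Keycloak and make no claim about what 26.5.1 emits.

```python
import base64
import sys
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def inspect_saml_response(saml_response_b64):
    """Decode a POST-binding SAMLResponse form value and report what it contains.

    xml.etree does not resolve external entities, but it is still exposed to
    entity-expansion bombs; use this on responses you captured yourself, or
    swap in defusedxml for anything less trusted.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    status = code.get("Value") if code is not None else None
    # The SP looks for a direct child Assertion (or EncryptedAssertion) of the Response.
    plain = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    # Attribute names are only visible when the assertion is in plaintext.
    attrs = sorted(
        a.get("Name")
        for a in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)
        if a.get("Name")
    )
    return {
        "status": status,
        "success": status == SUCCESS,
        "plain_assertions": len(plain),
        "encrypted_assertions": len(encrypted),
        "attribute_names": attrs,
    }


def diagnose(saml_response_b64, user_attribute="uid"):
    """One-line verdict: which of the things auth_mellon needs is missing, if any."""
    r = inspect_saml_response(saml_response_b64)
    if not r["success"]:
        return "idp-failure: %s" % r["status"]
    if r["plain_assertions"] == 0 and r["encrypted_assertions"] == 0:
        return "no-assertion: Success status but no saml:Assertion/EncryptedAssertion"
    if r["plain_assertions"] == 0:
        return ("encrypted-only: %d EncryptedAssertion(s); the SP must hold the matching "
                "decryption key" % r["encrypted_assertions"])
    if user_attribute not in r["attribute_names"]:
        return "missing-attribute: assertion lacks %r for MellonUser" % user_attribute
    return "ok: %d assertion(s) with %r present" % (r["plain_assertions"], user_attribute)


def _sample(body):
    """Constructed sample Response (not a real Keycloak capture), base64 as in the POST."""
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
        'IssueInstant="2026-01-20T15:43:18Z">'
        '<saml:Issuer>https://idp.example/realms/test</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
        '%s</samlp:Response>'
    ) % (SAMLP, SAML, SUCCESS, body)
    return base64.b64encode(xml.encode()).decode()


PLAIN_ASSERTION = (
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2026-01-20T15:43:18Z">'
    '<saml:Issuer>https://idp.example/realms/test</saml:Issuer>'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    '<saml:AttributeStatement>'
    '<saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion>'
)
ENCRYPTED_ASSERTION = (
    '<saml:EncryptedAssertion>'
    '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>'
    '</saml:EncryptedAssertion>'
)

SAMPLE_PLAIN = _sample(PLAIN_ASSERTION)
SAMPLE_ENCRYPTED_ONLY = _sample(ENCRYPTED_ASSERTION)
SAMPLE_NO_ASSERTION = _sample("")

if __name__ == "__main__":
    # Usage: python saml_inspect.py <file holding the (url-decoded) SAMLResponse value>
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            print(diagnose(f.read().strip()))
    else:
        for name, sample in (("plain", SAMPLE_PLAIN),
                             ("encrypted-only", SAMPLE_ENCRYPTED_ONLY),
                             ("no-assertion", SAMPLE_NO_ASSERTION)):
            print("%-15s %s" % (name, diagnose(sample)))
```

To use it on the failing login, copy the SAMLResponse field from the browser's POST to the Mellon endpoint (url-decode it first if your tool shows the raw form body), save it to a file and run the script on that file; comparing the verdict for a 26.4.6 login against a 26.5.1 login shows concretely what changed in the Response before anyone guesses at the cause.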
