Apache2 mod_mellon: How to get "MELLON_NAME_ID" in CustomLog?

Question

I use Apache2.4 with mod_mellon as a SAML auth solution against Azure. This works okay, but I'm like to have the UPN of the user in my custom logs.

So I tried different approaches but without luck yet:

 CustomLog /var/log/apache2/myhost_request.log \
          "%t %h %{MELLON_NAME_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x %H \"%r\" %b"

I also tried with %{MELLON_NAME_ID}x which I found somewhere, but still no output.

Is it not available to the logging engine? If so, is there a work-around for this?

Answer 1

I found a hint that led to a solution here:

One needs to modify the SP XML that is generated by the "mellon_create_metadata.sh" script like this:

    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="$BASEURL/logout"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$BASEURL/postResponse" index="0"/>
  </SPSSODescriptor>

becomes:

    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="$BASEURL/logout"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$BASEURL/postResponse" index="0"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  </SPSSODescriptor>

After adding the line, the user appears with his/her e-mail-address in the log. I think that's okay for my purpose.