Combine apache auth providers of different types with basic auth only if proactively provided by client

Question

I'd like to be able to have a path on an apache server (2.4.18+ on ub16) that primarily authenticates using SAML (using the mod_auth_mellon plugin) for interactive use, but also supports having the caller pre-emptively send Basic auth credentials. (Think REST api endpoint that normally triggers an interactive form login, but will allow bypass if you pre-send basic auth credentials.)

Essentially I'm looking for this behavior:

• If creds are sent with request:
  • Try them, and if they work, allow the request
• If above creds fail, or none were provided
  • Trigger the preferred authentication plugin.

Is such a thing possible? I'd prefer to NOT push this back into the application itself.

What I do NOT want to happen is for the apache server to send back the response triggering the basic auth dialog.

Answer 1

Answering my own question.... dug around on this some more and came up with the following which seems to work:

<Location />
<If "-n req('Authorization')">
    AuthName "Active Directory"
    AuthBasicProvider ldap
    AuthType basic
    AuthLDAPMaxSubGroupDepth 0
    AuthLDAPBindAuthoritative off
    AuthLDAPRemoteUserAttribute sAMAccountName
    AuthLDAPInitialBindPattern (.+) $1@yyyyy
    AuthLDAPInitialBindAsUser on
    AuthLDAPSearchAsUser on
    AuthLDAPCompareAsUser on
    AuthLDAPUrl "ldaps://xxx,dc=com?sAMAccountName,memberOf?sub"
    LDAPReferrals Off

    require valid-user
</If>
<Else>
    Require valid-user
    AuthType "Mellon"
    MellonEnable "auth"
    MellonVariable "cookie"
    MellonEndpointPath "/sso"
    MellonDefaultLoginPath "/"
    MellonSubjectConfirmationDataAddressCheck Off
    MellonSessionLength 86400
    MellonSPPrivateKeyFile /...../sp-private-key.pem
    MellonIdPMetadataFile /...../idp-metadata.xml
    MellonDoNotVerifyLogoutSignature https://........
</Else>
</Location>

Anyone see anything wrong with this approach?