pkgsrc/www/ap2-auth-mellon/MESSAGE

===========================================================================
$NetBSD: MESSAGE,v 1.5 2021/11/15 18:17:05 wiz Exp $

In order to use this module in your Apache installation, you need to
add the following to your httpd.conf file:

  LoadModule auth_mellon_module lib/httpd/mod_auth_mellon.so

If upgrading from version prior 0.14.0, please note the following
backward-incompatible change:

* This version switches the default signature algorithm used when
  signing messages from rsa-sha1 to rsa-sha256. If your IdP does not
  allow messages to be signed with that algorithm, you need to add a
  setting switching back to the old algorithm:

  MellonSignatureMethod rsa-sha1

  Note that this only affects messages sent from mod_auth_mellon to your
  IdP. It does not affect authentication responses or other messages
  sent from your IdP to mod_auth_mellon.

If upgrading from version prior 0.6.0, please note the following
backward-incompatible changes:

* The POST replay functionality has been disabled by default, and the
  automatic creation of the MellonPostDirectory target directory has been
  removed. If you want to use the POST replay functionality, create a
  directory accessible only by the apache user (e.g.: /var/spool/mellon)
  and add this after the LoadModule for mod_auth_mellon.so:

  MellonPostDirectory /var/spool/mellon

* Start discovery service when accessing the login endpoint. We used
  to bypass the discovery service in this case, and just pick the first
  IdP. This has been changed to send a request to the discovery service
  instead, if one is configured.

* The MellonLockFile default path has been changed to:
    /var/run/mod_auth_mellon.lock
  This only affects platforms where a lock file is required and
  where Apache doesn't have write access to that directory during
  startup. (Apache can normally create files in that directory
  during startup.)

===========================================================================