When an ECP client signals it is ECP capable and authentication is required for the protected resource it is trying to access, mellon responds with PAOS content that wraps the SAML AuthnRequest. The HTTP Content-Type header must be "application/vnd.paos+xml". However, in some versions of Apache the returned Content-Type header is "text/html", which breaks the ECP flow because the ECP client does not expect it.

The problem arises because mellon was using the wrong Apache call to set the Content-Type header. In some versions of Apache this worked but in others it did not.

Upstream bug: https://github.com/UNINETT/mod_auth_mellon/issues/108
Upstream git commit: 040a1ae5cb2aab38b2bc716cc3d0d6fa7b998a7a
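A regression check for the behaviour described in the report above, as an added example that is not part of the original bug report or of mod_auth_mellon: it verifies that a response sent to an ECP client carries the PAOS media type and wraps a SAML AuthnRequest. The function name, the sample envelope and the sp.example.org URL are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PAOS_MEDIA_TYPE = "application/vnd.paos+xml"
NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample of the PAOS envelope an SP returns to an ECP client.
SAMPLE_BODY = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:paos="urn:liberty:paos:2003-08"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <S:Header>
    <paos:Request S:mustUnderstand="1"
        S:actor="http://schemas.xmlsoap.org/soap/actor/next"
        responseConsumerURL="https://sp.example.org/mellon/paosResponse"
        service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest ID="_constructed" Version="2.0"
        IssueInstant="2017-01-01T00:00:00Z"/>
  </S:Body>
</S:Envelope>"""

def check_ecp_response(headers, body):
    """Return a list of problems; an empty list means an ECP client can use the response."""
    problems = []
    # Header names are case-insensitive; parameters such as charset are ignored.
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    mtype = ctype.split(";", 1)[0].strip().lower()
    if mtype != PAOS_MEDIA_TYPE:
        problems.append(f"Content-Type is {mtype or 'missing'!r}, expected {PAOS_MEDIA_TYPE!r}")
    # ElementTree is enough for this constructed sample; use a hardened parser
    # such as defusedxml when the response comes from an untrusted peer.
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return problems + [f"body is not well-formed XML: {exc}"]
    if root.tag != f"{{{NS['S']}}}Envelope":
        problems.append("root element is not a SOAP Envelope")
    if root.find("S:Header/paos:Request", NS) is None:
        problems.append("SOAP header lacks paos:Request")
    if root.find("S:Body/samlp:AuthnRequest", NS) is None:
        problems.append("SOAP body lacks samlp:AuthnRequest")
    return problems
```

With the "text/html" header described in the report, the envelope itself still passes and only the Content-Type problem is reported, which matches the failure mode: the body is correct but the ECP client rejects it on the media type.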
mod_auth_mellon-0.12.0-4.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d1e7da20dd
mod_auth_mellon-0.12.0-4.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d1e7da20dd
mod_auth_mellon-0.12.0-4.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.