Computing Facilities, Carnegie Mellon School of Computer Science, Carnegie Mellon University
 
Using Shibboleth to protect content

This page gives basic examples of how to protect web content using Shibboleth and Apache. Shibboleth supports a much larger set of configuration and access-control options than are described here.

Basic Shibboleth access control

For most common use cases, the Shibboleth directives in your .htaccess file, or in the relevant section of the Apache configuration file, will start with the following three lines:

AuthType Shibboleth
ShibRequestSetting requireSession 1
Require [Some authentication criterion, such as "valid-user"]

Those lines tell Apache to:

  1. Use the Shibboleth module for authentication.
  2. Have the module redirect unauthenticated attempts to access protected content to an authentication (login) page, so that a session is started.
  3. Require that some specific criterion be met before the content is served.
Notes:
  • Important: You must have one or more "Require" directives. Shibboleth only authenticates the visitor; the Require directive is what authorizes the request. If you have no Require directive, your content will not be protected.
  • Some documentation uses the directive "ShibRequireSession on" instead of "ShibRequestSetting requireSession 1". The two directives have the same effect; ShibRequireSession is deprecated in newer Shibboleth releases.
  • You may see examples with the Require directive "Require shibboleth" and no requireSession directive. That configuration accepts every request and merely passes session attributes to the application when a session exists (a "lazy session"), so it provides no access control by itself. Use it only when an application behind Shibboleth does its own access control (e.g. a wiki with its own login screen and session mechanism).

Access control examples

Allow any authenticated user

AuthType Shibboleth
ShibRequestSetting requireSession 1
Require valid-user
Notes:
  • Depending on how your server is configured, Shibboleth may accept logins from any identity provider the server trusts, including people who are not associated with Carnegie Mellon (e.g. people from Pitt or other universities and organizations). If that is a concern, use more specific Require directives.

Allow a specific list of users

AuthType Shibboleth
ShibRequestSetting requireSession 1
Require user bovik@cs.cmu.edu
Require user kivob@andrew.cmu.edu
Notes:
  • Each Require line is an alternative: a visitor who matches either line is allowed in.
  • The older Andrew Pubcookie-based authentication service used upper-case "realm" names (e.g. CS.CMU.EDU and ANDREW.CMU.EDU). The Shibboleth service uses lower-case names, and the comparison in "Require user" is a case-sensitive string match. If you are protecting web content served from www.cs.cmu.edu you do not have to do anything about this: SCS Facilities has modified www.cs.cmu.edu to eliminate the problem. If your content is not served from www.cs.cmu.edu, update your .htaccess and Apache configuration files to use the lower-case names.

Only allow people who authenticate with an SCS account, and force SSL connections

AuthType Shibboleth
ShibRequestSetting requireSession 1
ShibRequestSetting redirectToSSL 443
Require eppn ~ .*@cs\.cmu\.edu
Notes:
  • "ShibRequestSetting redirectToSSL 443" redirects any request that arrives over plain HTTP to HTTPS on the given port (443 is the standard HTTPS port), so the login and the protected content are served over an encrypted connection.
  • A "~" causes the rest of the line to be interpreted as a regular expression that is matched against the attribute value. In a regular expression an unescaped "." matches any character, so write "\." for a literal dot in a domain name; otherwise the pattern is looser than it looks.
  • eppn: eduPersonPrincipalName, a globally unique identifier of the form <locally unique id>@<organizational namespace>, e.g. bovik@cs.cmu.edu.
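The notes above list several ways an .htaccess fragment can look protected but not be: no Require directive, "Require shibboleth" with nothing behind it, the deprecated ShibRequireSession spelling, upper-case Pubcookie-era realm names in "Require user", and unescaped dots in a regular expression. The following script is an added example (it is not SCS Facilities code and not part of the Shibboleth SP) that reads such a fragment as text and reports those pitfalls. The sample fragments in SAMPLES are constructed for illustration, the finding codes are this script's own names, and the script does not reproduce Apache's real parser or consult a running server.

```python
"""Static audit of Shibboleth/Apache access-control fragments.

Added example for this page; it is not SCS Facilities code and not part of
the Shibboleth SP.  It reads directive text (an .htaccess file or the body of
a <Location>/<Directory> section) and reports the pitfalls the page warns
about.  It does not reproduce Apache's real parser or talk to a running SP.
"""
import re

# An unescaped '.' that is not the wildcard in '.*', '.+' or '.?'.
UNESCAPED_DOT = re.compile(r"(?<!\\)\.(?![*+?])")

# Constructed sample fragments (not taken from any real site).
SAMPLES = {
    # The page's basic pattern: authenticate, start a session, authorize.
    "ok": "AuthType Shibboleth\n"
          "ShibRequestSetting requireSession 1\n"
          "Require valid-user\n",
    # Authenticates but never authorizes: the content is NOT protected.
    "no_require": "AuthType Shibboleth\n"
                  "ShibRequestSetting requireSession 1\n",
    # Lazy session: acceptable only if the application restricts access itself.
    "lazy": "AuthType Shibboleth\n"
            "Require shibboleth\n",
    # Deprecated directive plus an upper-case Pubcookie-era realm name.
    "uppercase_realm": "AuthType Shibboleth\n"
                       "ShibRequireSession on\n"
                       "Require user bovik@CS.CMU.EDU\n",
    # Unescaped dots: '.' matches any character, not just a literal dot.
    "loose_regex": "AuthType Shibboleth\n"
                   "ShibRequestSetting requireSession 1\n"
                   "Require eppn ~ .*@cs.cmu.edu\n",
    # Hardened form of the SCS-only example.
    "hardened": "AuthType Shibboleth\n"
                "ShibRequestSetting requireSession 1\n"
                "ShibRequestSetting redirectToSSL 443\n"
                "Require eppn ~ .*@cs\\.cmu\\.edu\n",
}


def parse_directives(text):
    """Yield (directive_name_lowercased, argument_string) for each line.

    Apache directive names are case-insensitive; arguments are not.  Blank
    lines, comments and <Section> container tags are skipped.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def _truthy(value):
    return value.lower() in ("1", "on", "true", "yes")


def audit(text):
    """Return a sorted list of finding codes for one fragment ([] = clean)."""
    directives = list(parse_directives(text))
    if not any(n == "authtype" and a.lower() == "shibboleth" for n, a in directives):
        return ["NOT_SHIBBOLETH"]

    findings = set()
    require_session = False
    requires = []
    for name, args in directives:
        if name == "require":
            requires.append(args.split())
        elif name == "shibrequiresession":          # old spelling, still honoured
            findings.add("DEPRECATED_SHIBREQUIRESESSION")
            require_session |= _truthy(args)
        elif name == "shibrequestsetting":
            toks = args.split()
            if len(toks) >= 2 and toks[0].lower() == "requiresession":
                require_session |= _truthy(toks[1])

    if not requires:
        # Authentication without any authorization rule protects nothing.
        findings.add("NO_REQUIRE")

    for toks in requires:
        if not toks:
            continue
        kind = toks[0].lower()
        if kind == "shibboleth":
            # Accepts every request; only the application can restrict access.
            findings.add("LAZY_SESSION")
        elif kind == "user":
            for ident in toks[1:]:
                if "@" in ident:
                    realm = ident.rsplit("@", 1)[1]
                    if realm != realm.lower():       # Pubcookie-style CS.CMU.EDU
                        findings.add("UPPERCASE_REALM")
        elif len(toks) >= 3 and toks[1] == "~":
            if UNESCAPED_DOT.search(" ".join(toks[2:])):
                findings.add("UNESCAPED_DOT")

    if not require_session and "LAZY_SESSION" not in findings:
        # Without requireSession nobody is redirected to the login page.
        findings.add("NO_REQUIRE_SESSION")
    return sorted(findings)


if __name__ == "__main__":
    for label, fragment in SAMPLES.items():
        print(f"{label:16} {audit(fragment) or 'clean'}")
```

Run it on your own fragment with `audit(open(".htaccess").read())`; a clean result only means none of the pitfalls listed on this page were found, not that the rule set is what you intended.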

Related information

Apache Service Provider documentation (off-site link)
Official Shibboleth documentation for Apache-based content servers, including some setup information and detailed information about controlling access to pages.