Using Shibboleth to protect content
This page provides basic examples on how to protect web content using Shibboleth and Apache. Shibboleth supports a much larger set of configuration and access control options than are described here.
Basic Shibboleth access control
For most common use cases, the Shibboleth directives in your .htaccess file or Apache configuration file section will start with the following three lines:
AuthType Shibboleth ShibRequestSetting requireSession 1 Require [Some authentication criterion, such as "valid-user"]
Those lines tell Apache to:
- Use the Shibboleth module for authentication
- Have the module redirect unauthenticated attempts to access protected content to an authentication (login) page in order to start a session.
- Require that some specfic criteria be met in order to access that content
- Important: You must have one or more "Require" directives. If you do not, your content will not be protected.
- Some documentation uses the directive "ShibRequireSession on" instead of "ShibRequestSetting requireSession 1". Those two directives have the same effect. ShibRequireSession is deprecated in newer Shibboleth releases.
- You may see examples with the Require directive "Require Shibbolith" and no requireSession directive. That should only be used when there is an application behind Shibboleth that does its own access control (e.g. a wiki that has its own login screen and session mechanism), because that Shibboleth configuration provides no access control by itself.
Access control examples
Allow any authenticated user
AuthType Shibboleth ShibRequestSetting requireSession 1 Require valid-userNotes:
- Depending on how your Server is configured, Shibboleth may allow authentication by people who are not associated with Carnegie Mellon (e.g. people from Pitt or other universities and organizations). If that is a concern, you may want to use more specific Require directives.
Allow a specific list of users
AuthType Shibboleth ShibRequestSetting requireSession 1 Require user email@example.com Require user firstname.lastname@example.orgNotes:
- The Andrew Pubcookie-based authentication service used upper-case "realm" names (e.g. CS.CMU.EDU and ANDREW.CMU.EDU). The Shibboleth service uses lower-case names. If you are protecting web content served from www.cs.cmu.edu, you do not have to do anything about this --- SCS Facilities has made modifications to www.cs.cmu.edu that eliminate this problem. If your content is not served from www.cs.cmu.edu, you should modify your .htaccess and Apache config files to reflect the change from upper to lower case.
Only allow people that authenticate with an SCS account and force SSL connections
AuthType Shibboleth ShibRequestSetting requireSession 1 ShibRequestSetting redirectToSSL 443 require eppn ~ .*@cs.cmu.eduNotes:
- "ShibRequestSetting redirectToSSL 443" will redirect non-SSL requests to SSL at the given port.
- A "~" causes the rest of the parameters to be interpreted as regular expressions
- eppn: eduPersonPrincipalName, a globally unique identifier of the form <locally unique id>@<organizational namespace>.
- Apache Service Provider documentation (off-site link)
- Official Shibboleth documentation for Apache-based content servers, including some setup information and detailed information about controlling access to pages.