SCS Computing Services and Solutions
Carnegie Mellon School of Computer Science, Carnegie Mellon University

Using Shibboleth to protect content

This page gives basic examples of how to protect web content using Shibboleth and Apache. Shibboleth supports a much larger set of configuration and access-control options than are described here.

Basic Shibboleth access control

For most common use cases, the Shibboleth directives in your .htaccess file or Apache configuration file section will start with the following three lines:

AuthType Shibboleth
ShibRequestSetting requireSession 1
Require [Some authentication criterion, such as "valid-user"]

Those lines tell Apache to:

  1. Use the Shibboleth module for authentication.
  2. Have the module redirect unauthenticated requests for protected content to an authentication (login) page in order to start a session.
  3. Require that some specific criterion be met in order to access that content.
  • Important: You must have one or more "Require" directives. If you do not, your content will not be protected: "AuthType Shibboleth" by itself does not deny access to anyone.
  • Some documentation uses the directive "ShibRequireSession on" instead of "ShibRequestSetting requireSession 1". Those two directives have the same effect. ShibRequireSession is deprecated in newer Shibboleth releases.
  • You may see examples with the Require directive "Require shibboleth" and no requireSession directive. That should only be used when there is an application behind Shibboleth that does its own access control (e.g. a wiki with its own login screen and session mechanism), because "Require shibboleth" is satisfied by every request, with or without a session, and so provides no access control by itself.

Access control examples

Allow any authenticated user

AuthType Shibboleth
ShibRequestSetting requireSession 1
Require valid-user
  • Depending on how your server is configured, Shibboleth may allow authentication by people who are not associated with Carnegie Mellon (e.g. people from Pitt or other universities and organizations whose identity providers your server trusts). If that is a concern, use more specific Require directives, such as those in the examples below.

Allow a specific list of users

AuthType Shibboleth
ShibRequestSetting requireSession 1
Require user
Require user
  • The Andrew Pubcookie-based authentication service used upper-case "realm" names (e.g. CS.CMU.EDU and ANDREW.CMU.EDU). The Shibboleth service uses lower-case names (e.g. cs.cmu.edu), and the realm is the part of the user identifier after the "@", so a rule written for userid@CS.CMU.EDU will not match a user who authenticates as userid@cs.cmu.edu. If you are protecting web content served from, you do not have to do anything about this --- SCS Facilities has made modifications to that eliminate this problem. If your content is not served from, you should modify your .htaccess and Apache config files to reflect the change from upper to lower case.

Only allow people who authenticate with an SCS account and force SSL connections

AuthType Shibboleth
ShibRequestSetting requireSession 1
ShibRequestSetting redirectToSSL 443
Require eppn ~ ^.*@cs\.cmu\.edu$
  • "ShibRequestSetting redirectToSSL 443" redirects non-SSL requests to SSL at the given port, so that the session cookie and the released attributes are not sent in the clear.
  • A "~" causes the rest of the parameters to be interpreted as a regular expression. Anchor the expression with "^" and "$": a bare ".*" matches every authenticated user from every institution, which is no more restrictive than "Require valid-user", and an unanchored "@cs\.cmu\.edu" would also match longer values that merely contain that string.
  • Apache directive names are case-insensitive, so "require" and "Require" are equivalent. On Apache 2.4 the Shibboleth module also accepts the explicit form "Require shib-attr eppn ~ ^.*@cs\.cmu\.edu$".
  • eppn: eduPersonPrincipalName, a globally unique identifier of the form <locally unique id>@<organizational namespace>, e.g. userid@cs.cmu.edu for an SCS account (note the lower-case realm).
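The pitfalls described on this page (a missing Require, "Require shibboleth" on its own, the deprecated ShibRequireSession directive, an upper-case realm in a user identifier, and a regex such as ".*" that admits every authenticated user) can be checked mechanically before a configuration goes live. The following Python linter is an added example, not part of this page or of the Shibboleth project; the .htaccess blocks it inspects are constructed here for illustration, and the finding codes (NO_REQUIRE, MATCH_ALL, and so on) are its own.

```python
"""Lint a Shibboleth/Apache access-control block for the pitfalls described above.

Added example; the sample blocks below are constructed, not taken from any server.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    code: str       # stable identifier, e.g. "NO_REQUIRE"
    severity: str   # "error" (content is exposed) or "warn"
    message: str


def parse_directives(text):
    """Split a block into (name, args) pairs.

    Apache directive names are case-insensitive, so names are lower-cased and
    argument whitespace is normalised; blank lines, '#' comments and
    <Location>-style tags are skipped.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        args = " ".join(parts[1].split()) if len(parts) > 1 else ""
        directives.append((parts[0].lower(), args))
    return directives


def lint_shib_block(text):
    """Return the Findings for one access-control block (empty list if clean)."""
    directives = parse_directives(text)
    if not any(n == "authtype" and a.lower() == "shibboleth" for n, a in directives):
        return [Finding("NOT_SHIB", "error", "no 'AuthType Shibboleth' directive")]

    findings = []
    requires = [a for n, a in directives if n == "require"]
    if not requires:
        findings.append(Finding("NO_REQUIRE", "error",
                                "no Require directive: the content is not protected"))

    # Either spelling of "start a session before evaluating the rules".
    new_style = any(n == "shibrequestsetting"
                    and re.fullmatch(r"requiresession\s+(1|on|true)", a, re.I)
                    for n, a in directives)
    legacy = any(n == "shibrequiresession" and a.lower() in ("on", "1", "true")
                 for n, a in directives)
    if legacy:
        findings.append(Finding("DEPRECATED_SESSION", "warn",
                                "ShibRequireSession is deprecated; use "
                                "'ShibRequestSetting requireSession 1'"))

    providers = [a.split()[0].lower() for a in requires if a.split()]
    if requires and all(p == "shibboleth" for p in providers):
        findings.append(Finding("SHIB_ONLY", "warn",
                                "'Require shibboleth' alone performs no access control; "
                                "only use it in front of an app that enforces its own"))
    elif requires and not (new_style or legacy):
        findings.append(Finding("NO_SESSION", "error",
                                "no requireSession: unauthenticated requests are not "
                                "redirected to the login page"))

    for args in requires:
        toks = args.split()
        if toks and toks[0].lower() == "shib-attr":   # Apache 2.4 explicit form
            toks = toks[1:]
        if len(toks) <= 1 and (not toks or toks[0].lower()
                               not in ("valid-user", "shibboleth", "shib-session")):
            findings.append(Finding("EMPTY_REQUIRE", "error",
                                    f"'Require {args}' names no user or attribute value"))
            continue
        if len(toks) >= 3 and toks[1] == "~":
            regex = " ".join(toks[2:])
            if re.fullmatch(r"\^?\.\*\$?", regex):
                findings.append(Finding("MATCH_ALL", "error",
                                        f"'{args}' matches every authenticated user"))
            elif not (regex.startswith("^") and regex.endswith("$")):
                findings.append(Finding("UNANCHORED", "warn",
                                        f"'{args}': anchor the pattern with ^ and $ so a "
                                        "longer value cannot satisfy it"))
        for tok in toks:
            if "@" in tok:
                realm = tok.rsplit("@", 1)[1].rstrip("$")
                if realm != realm.lower():
                    findings.append(Finding("UPPERCASE_REALM", "warn",
                                            f"'{tok}' uses an upper-case realm; Shibboleth "
                                            "issues lower-case realms such as cs.cmu.edu"))
    return findings


def finding_codes(text):
    """Convenience wrapper: just the finding codes, in order."""
    return [f.code for f in lint_shib_block(text)]


# Constructed sample blocks (hypothetical, for illustration only).
SCS_ONLY = r"""
AuthType Shibboleth
ShibRequestSetting requireSession 1
ShibRequestSetting redirectToSSL 443
Require eppn ~ ^.*@cs\.cmu\.edu$
"""
UNPROTECTED = "AuthType Shibboleth\nShibRequestSetting requireSession 1\n"
LEGACY_UPPER = "AuthType Shibboleth\nShibRequireSession on\nRequire user jdoe@CS.CMU.EDU\n"
WIKI_FRONT = "AuthType Shibboleth\nRequire shibboleth\n"
TRUNCATED = "AuthType Shibboleth\nShibRequestSetting requireSession 1\nrequire eppn   ~ .*\n"

if __name__ == "__main__":
    for label, block in [("SCS_ONLY", SCS_ONLY), ("UNPROTECTED", UNPROTECTED),
                         ("LEGACY_UPPER", LEGACY_UPPER), ("WIKI_FRONT", WIKI_FRONT),
                         ("TRUNCATED", TRUNCATED)]:
        print(label, finding_codes(block) or "clean")
```

Run it over a whole document root with a small loop over every .htaccess file; the TRUNCATED sample shows why the regex check matters, since "eppn ~ .*" is accepted by Apache without complaint and quietly admits anyone the server's identity providers will authenticate.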

Related information

Apache Service Provider documentation (off-site link)
Official Shibboleth documentation for Apache-based content servers, including some setup information and detailed information about controlling access to pages.