Protecting Your Web Pages: Linux

Once you have completed all steps to install and configure Shibboleth, you can use it to protect a directory on your web server.

Note: The file /etc/httpd/conf.d/shib.conf contains the following block, which you will likely want to change (the example path /secure is a placeholder; the closing tag must be </Location>):

<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
</Location>

Apache or .htaccess Files

Shibboleth is similar to pubcookie and other Apache authentication methods: you may use either direct Apache configuration or .htaccess files to restrict pages to authenticated users only.

The environment variable remote_user will be set to "user@domain". Remember that Shibboleth can accept authentication from many different identity providers; you MUST examine both the user and the domain components of remote_user when restricting access, because the same user name can exist at more than one institution.

Configure via httpd.conf

To protect a directory in httpd.conf, use syntax similar to the examples below with the appropriate Require directive. The Require directive tells Apache which user(s) may access the resource.

Note: Directory takes a full filesystem path as its argument; Location takes a URL path.

Note: The examples below apply to Shibboleth SP v2.5.2. Be aware that older versions may require other commands. For more detailed information, refer to the Shibboleth wiki.


To allow ALL Carnegie Mellon affiliates to access the resource, include the following:

<Directory /full/path/to/protect>
AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
# Regular expression match on the full principal; the dots are escaped so only the literal andrew.cmu.edu scope matches
require shib-user ~ ^.+@andrew\.cmu\.edu$
</Directory>

OR

<Location /url/path/to/protect>
AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
# Regular expression match on the full principal; the dots are escaped so only the literal andrew.cmu.edu scope matches
require shib-user ~ ^.+@andrew\.cmu\.edu$
</Location>

To allow a specific list of people to access the resources, include the following. List each person in the prescribed format:

<Directory /full/path/to/protect>
AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
require user ju33@andrew.cmu.edu
require user je2i@andrew.cmu.edu
</Directory>

OR

<Location /url/path/to/protect>
AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
require user ju33@andrew.cmu.edu
require user je2i@andrew.cmu.edu
</Location>

To allow federated access (access from all InCommon members), include the following:

<Directory /full/path/to/protect>
AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
Require Shibboleth
</Directory>

OR

<Location /url/path/to/protect>
AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
Require Shibboleth
</Location>


Configure via .htaccess

To protect a directory via .htaccess, create an .htaccess file in that directory which includes the default commands and the Require directive. The Require directive tells Apache which user(s) may access the resource.

To allow all users from Carnegie Mellon to access the resource, include the following:

AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
# Regular expression match on the full principal; the dots are escaped so only the literal andrew.cmu.edu scope matches
require shib-user ~ ^.+@andrew\.cmu\.edu$

To allow a specific list of users to access the resources, include the following, listing each user in the prescribed format:

AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
require user ju33@andrew.cmu.edu
require user je2i@andrew.cmu.edu

To allow federated access (access from ALL InCommon members), include the following:

AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
Require Shibboleth

For questions about the federation, please contact identity-services@andrew.cmu.edu or see
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPhtaccess

Note: If you are protecting a CGI directory, your scripts can read the authenticated user ID from the remote_user environment variable (REMOTE_USER); as described above, check both the user and the domain part before granting access.
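The following is an added example, not code from this page or from CMU: a small CGI-style handler that applies the three policies described above (all campus affiliates, an explicit user list, and any federated user) to the REMOTE_USER value that Apache passes to a script. It also shows why the dots in the domain pattern should be escaped. The function names, the ACCESS_POLICY variable used to select a policy, and the sample principals are assumptions made for the example; the two user IDs come from the page's own list.

```python
#!/usr/bin/env python3
"""Added example (not CMU's code): authorize a CGI request from REMOTE_USER.

Assumptions not taken from the page:
  - REMOTE_USER holds an eduPersonPrincipalName of the form user@scope.
  - A hypothetical ACCESS_POLICY environment variable (e.g. set with Apache's
    SetEnv) selects which of the page's three policies applies.
"""
import os
import re
import sys

CAMPUS_SCOPE = "andrew.cmu.edu"  # scope used in the page's examples
# Same intent as the page's `require shib-user ~ ^.+@andrew.cmu.edu$`, with the
# dots escaped so that "x@andrewXcmuXedu" cannot satisfy the pattern.
CAMPUS_PATTERN = r"^[^@]+@andrew\.cmu\.edu$"
# Explicit list from the page's "specific list of people" example.
ALLOWED_USERS = {"ju33@andrew.cmu.edu", "je2i@andrew.cmu.edu"}


def split_principal(remote_user):
    """Return (user, scope) from 'user@scope', or None if the value is unusable.

    Both components must be present and non-empty, and the scope may not
    contain another '@'; this is the "examine both parts" rule from the page.
    """
    if not remote_user:
        return None
    user, sep, scope = remote_user.partition("@")
    if not sep or not user or not scope or "@" in scope:
        return None
    # DNS scopes are case-insensitive; the user part is left untouched.
    return user, scope.lower()


def pattern_accepts(pattern, principal):
    """True if the whole principal matches `pattern` (fullmatch, so no trailing junk)."""
    return re.fullmatch(pattern, principal) is not None


def authorize(remote_user, policy):
    """Decide access under one of the three policies described on the page."""
    parts = split_principal(remote_user)
    if parts is None:
        return False  # no session, or a malformed principal: deny
    user, scope = parts
    principal = f"{user}@{scope}"
    if policy == "campus":      # all Carnegie Mellon affiliates
        return scope == CAMPUS_SCOPE and pattern_accepts(CAMPUS_PATTERN, principal)
    if policy == "list":        # only the listed principals
        return principal in ALLOWED_USERS
    if policy == "federated":   # any InCommon user: a valid session is enough
        return True
    raise ValueError(f"unknown policy {policy!r}")


def handle_request(environ):
    """Return (HTTP status, body) for the request described by `environ`."""
    remote_user = environ.get("REMOTE_USER")
    policy = environ.get("ACCESS_POLICY", "campus")  # hypothetical selector
    if authorize(remote_user, policy):
        return 200, f"Hello {remote_user}\n"
    return 403, "Forbidden\n"


if __name__ == "__main__":
    # Minimal CGI output: a Status header on denial, then the body.
    status, body = handle_request(os.environ)
    if status != 200:
        sys.stdout.write(f"Status: {status} Forbidden\r\n")
    sys.stdout.write("Content-Type: text/plain\r\n\r\n" + body)
```

Deny is the default for every branch that cannot positively identify both the user and the scope, which mirrors the page's warning: in a federation, "ju33" at another institution is a different person from ju33@andrew.cmu.edu.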

Last Updated: 10/17/13