Protecting Your Web Pages: Linux
Once you have completed all steps to install and configure Shibboleth, you can use it to protect a directory on your web server.
Note: The file /etc/httpd/conf.d/shib.conf contains the following syntax that you will likely want to change:
<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
</Location>
Apache or .htaccess Files
Shibboleth is similar to pubcookie and other Apache authentication methods: you may use either direct Apache configuration or .htaccess files to restrict pages to authenticated access only.
The environment variable REMOTE_USER will be set to "user@domain". Remember that Shibboleth can provide authentication access from many different identity providers; you MUST examine both the user and domain components of REMOTE_USER to restrict access.
Configure via httpd.conf
To protect a directory in httpd.conf, use syntax similar to this:
<Directory /full/path/to/protect>
AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
Require Shibboleth
</Directory>
-OR-
<Location /url/path/to/protect>
AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
Require Shibboleth
</Location>
Note: Directory takes a full filesystem path as its argument; Location takes a URL path.
Configure via .htaccess
To protect a directory via .htaccess, create an .htaccess file in that directory and include the following within it:
AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
Require Shibboleth
The Require directive tells Apache which user(s) may access the resource. If you configure "Require Shibboleth", anyone who authenticates can access the resource. To allow specific users, use this syntax instead:
AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
require user ju33@andrew.cmu.edu
In the example above, any of the users included on the "require" line will be allowed access to the resource.
Note: If you are protecting a CGI directory, you can access the userIDs through the REMOTE_USER environment variable.
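The following CGI-side check is an added example, not code from the original page. It shows why both the user and domain components of REMOTE_USER must be examined: a check on the user part alone accepts the same user ID asserted by any identity provider. The function names, the single-scope policy and the other-idp.example scope are assumptions made for illustration; ju33@andrew.cmu.edu is the user from the example above.

```python
import os

# Assumed policy for this example: one accepted identity provider scope and
# the user IDs allowed in ("ju33" is the user from the page's example).
ALLOWED_SCOPE = "andrew.cmu.edu"
ALLOWED_USERS = {"ju33"}


def split_remote_user(remote_user):
    """Return (user, scope) from 'user@domain', or None if malformed."""
    if not remote_user or remote_user.count("@") != 1:
        return None
    user, scope = remote_user.split("@")
    if not user or not scope:
        return None
    return user, scope


def weak_check(remote_user):
    """Flawed: looks only at the user part, so any provider's 'ju33' passes."""
    return (remote_user or "").split("@")[0] in ALLOWED_USERS


def is_authorized(remote_user):
    """Accept only an allowed user asserted under the allowed scope."""
    parts = split_remote_user(remote_user)
    if parts is None:
        return False
    user, scope = parts
    # Both components are compared exactly; a missing or extra '@' is rejected.
    return scope == ALLOWED_SCOPE and user in ALLOWED_USERS


def cgi_response(environ=os.environ):
    """Build the CGI response from the REMOTE_USER value Apache passes in."""
    remote_user = environ.get("REMOTE_USER", "")
    if is_authorized(remote_user):
        return "Status: 200 OK\r\nContent-Type: text/plain\r\n\r\nWelcome\n"
    return "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nDenied\n"


if __name__ == "__main__":
    print(cgi_response(), end="")
```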
Last Updated: 10/24/11