Carnegie Mellon University

Protect Your Web Pages

Once you have completed all steps to install and configure Shibboleth, you have a number of options for setting up additional protections and authorization rules within your web application. Depending on your operating system, follow the appropriate steps below.

Note: For assistance with leveraging groups (Grouper or LDAP groups) with your Service Provider, please contact identity-services@andrew.cmu.edu.

Windows

Refer to the Wiki Shibboleth (Windows) document.

Linux

To protect a directory in shib.conf, use syntax similar to the examples below with the appropriate Require directive. The Require directive tells Apache which user(s) may access the resource; AuthType shibboleth together with a required session forces a login before any Require rule is evaluated.

Note: Directory takes a full filesystem path as its argument; Location takes a URL path.

Note: For more information on other authorization configuration options, please visit: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPhtaccess.

To allow users within a particular Grouper group to access a resource, the group attribute must first be released to your Service Provider (contact identity-services@andrew.cmu.edu to request the release of any group attributes). Then:

edit /etc/shibboleth/attribute-map.xml and uncomment or add the line:
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="isMemberOf" />

<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
<RequireAll>
    require shib-user ~ ^.+@andrew\.cmu\.edu$
    require shib-attr isMemberOf cn=<GROUP NAME>,ou=groups,dc=cmu,dc=edu
</RequireAll>
</Location>

Note: The dots in the regular expression are escaped so that the rule matches only the literal andrew.cmu.edu scope; an unescaped dot matches any character. ShibRequestSetting requireSession 1 is the current form of the older ShibRequireSession On used in the examples below; both force a login before the Require rules are evaluated. The shib-attr rule is an exact match against one of the (possibly several) isMemberOf values.


To allow ALL Carnegie Mellon affiliates to access the resource, include the following:

<Directory /full/path/to/protect>
AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
require shib-user ~ ^.+@andrew\.cmu\.edu$
</Directory>

OR

<Location /url/path/to/protect>
AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
require shib-user ~ ^.+@andrew\.cmu\.edu$
</Location>

Note: ShibExportAssertion On passes the complete SAML assertion to the application in addition to the mapped attributes. It is not needed for the Require rules shown here; leave it Off unless your application parses the assertion itself.

To allow a specific list of people to access the resources, include the following. List each person in the prescribed format:

<Directory /full/path/to/protect>
AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
require user ju33@andrew.cmu.edu
require user je2i@andrew.cmu.edu
</Directory>

OR

<Location /url/path/to/protect>
AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
require user ju33@andrew.cmu.edu
require user je2i@andrew.cmu.edu
</Location>

To allow federated access (any user who can authenticate at any InCommon member IdP), include the following. This grants access on authentication alone, so any further authorization must be done by the application:

<Directory /full/path/to/protect>
AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
Require Shibboleth
</Directory>

OR

<Location /url/path/to/protect>
AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
Require Shibboleth
</Location>

To protect a directory via .htaccess, create an .htaccess file in that directory containing the same Shibboleth directives as above plus the Require directive. The Require directive tells Apache which user(s) may access the resource. Apache only honors these directives in .htaccess if the enclosing Directory configuration includes AllowOverride AuthConfig (or All).

To allow all users from Carnegie Mellon to access the resource, include the following:

AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
require shib-user ~ ^.+@andrew\.cmu\.edu$

To allow a specific list of users to access the resources, include the following, listing each user in the prescribed format:

AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
require user ju33@andrew.cmu.edu
require user je2i@andrew.cmu.edu

To allow federated access (any user who can authenticate at any InCommon member IdP), include the following:

AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
Require Shibboleth

For questions about the federation, please contact identity-services@andrew.cmu.edu or see
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPhtaccess

Note: If you are protecting a CGI directory, the authenticated user ID is available to your script in the REMOTE_USER environment variable. Attributes mapped in attribute-map.xml (for example isMemberOf) are available to the script as environment variables of the same name; a multi-valued attribute arrives as one string with the values separated by semicolons.
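The following is an added example, not part of the CMU page or of the Shibboleth SP distribution. It is a CGI-side authorization check in Python that mirrors the Grouper-group rule above: it reads REMOTE_USER and the isMemberOf variable that mod_shib exports to the environment, applies the andrew.cmu.edu regular expression with the dots escaped, and splits the multi-valued attribute on the SP's ';' delimiter (a literal ';' inside a value is escaped by the SP as '\;'). It also keeps the unescaped pattern side by side to show what it wrongly accepts. The group DN and the sample environments are constructed placeholders, not real CMU data.

```python
#!/usr/bin/env python3
"""CGI-side authorization check mirroring the Apache Require rules.

Added example (not from the CMU page or the Shibboleth SP). It assumes the
default mod_shib behaviour: REMOTE_USER and the attributes mapped in
attribute-map.xml (here isMemberOf) are exported as environment variables.
"""
import os
import re
import sys

# Same rule as "require shib-user ~ ^.+@andrew\.cmu\.edu$"; the dots are
# escaped so a value such as "x@andrewXcmuYedu" does not match.
CMU_USER_RE = re.compile(r"^.+@andrew\.cmu\.edu$")

# The unescaped form, kept only to demonstrate why escaping matters.
UNESCAPED_RE = re.compile(r".*@andrew.cmu.edu$")


def unescaped_rule_matches(user):
    """True if the unescaped (buggy) pattern would accept this identifier."""
    return UNESCAPED_RE.match(user) is not None


def split_multivalued(value):
    """Split a Shibboleth SP multi-valued attribute into its values.

    The SP joins values with ';' and escapes a literal ';' inside a value as
    '\\;', so a plain value.split(';') would corrupt such values.
    """
    values, current, i = [], [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value) and value[i + 1] == ";":
            current.append(";")          # escaped delimiter: keep the ';'
            i += 2
            continue
        if ch == ";":
            values.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    values.append("".join(current))
    return [v for v in values if v]


def is_cmu_user(env):
    """Equivalent of the shib-user regular-expression rule."""
    return CMU_USER_RE.match(env.get("REMOTE_USER", "")) is not None


def is_member_of(env, group_dn):
    """Equivalent of 'require shib-attr isMemberOf <dn>': exact match on one value."""
    return group_dn in split_multivalued(env.get("isMemberOf", ""))


def authorize(env, group_dn):
    """RequireAll semantics: a session must exist, the user must be
    @andrew.cmu.edu, and must be a member of group_dn. Returns (allowed, reason)."""
    if not env.get("REMOTE_USER"):
        return False, "no Shibboleth session (REMOTE_USER unset)"
    if not is_cmu_user(env):
        return False, "REMOTE_USER is not an andrew.cmu.edu identifier"
    if not is_member_of(env, group_dn):
        return False, "user is not in the required group"
    return True, "ok"


# Placeholder group DN in the page's format (cn=<GROUP NAME>,ou=groups,dc=cmu,dc=edu).
EXAMPLE_GROUP_DN = "cn=example-group,ou=groups,dc=cmu,dc=edu"

# Constructed sample environments, as mod_shib would present them to a CGI.
SAMPLE_ENVS = {
    "member": {
        "REMOTE_USER": "je2i@andrew.cmu.edu",
        "isMemberOf": "cn=other,ou=groups,dc=cmu,dc=edu;" + EXAMPLE_GROUP_DN,
    },
    "wrong_scope": {  # accepted by the unescaped pattern, rejected by the escaped one
        "REMOTE_USER": "ju33@andrewXcmuYedu",
        "isMemberOf": EXAMPLE_GROUP_DN,
    },
    "not_member": {
        "REMOTE_USER": "ju33@andrew.cmu.edu",
        "isMemberOf": "cn=other,ou=groups,dc=cmu,dc=edu",
    },
    "no_session": {},
}


def cgi_main(env=None, out=None):
    """Emit a minimal CGI response: 403 unless authorize() passes."""
    env = os.environ if env is None else env
    out = sys.stdout if out is None else out
    allowed, reason = authorize(env, EXAMPLE_GROUP_DN)
    if not allowed:
        out.write("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n")
        out.write("Forbidden: %s\n" % reason)
        return 403
    out.write("Content-Type: text/plain\r\n\r\n")
    out.write("Hello %s\n" % env["REMOTE_USER"])
    return 200


if __name__ == "__main__":
    cgi_main()
```

Run it under Apache as a CGI behind one of the Location or Directory blocks above; the Apache Require rules stop unauthorized users before the script runs, and the script re-checks the same conditions so a misconfigured or missing Require line does not silently expose it. The group check is deliberately an exact string match on the DN, as with shib-attr; do not substring-match, since cn=admins is a substring of cn=admins-readonly.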