Protect Your Web Pages
Once you have completed all steps to install and configure Shibboleth, you have a number of different options to set up additional protections and authorization rules within your web application. Depending on your operating system, follow the appropriate steps below.
Note: For assistance with leveraging groups (Grouper or LDAP groups) with your Service Provider, please contact identity-services@andrew.cmu.edu.
Windows
Refer to the Wiki Shibboleth (Windows) document.
Linux
Configure via shib.conf
To protect a directory in shib.conf, use syntax similar to this with the appropriate Require directive. The Require directive tells Apache which user(s) may access the resource.
Note: <Directory> takes a full filesystem path as its argument; <Location> takes a URL path.
Note: For more information on other authorization configuration options, please visit: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPhtaccess.
To allow users within a particular Grouper group to access a resource, include the following. Note: Please contact identity-services@andrew.cmu.edu to request the release of any group attributes. Edit /etc/shibboleth/attribute-map.xml and uncomment or add the line:

<Location /secure>

To allow ALL Carnegie Mellon affiliates to access the resource, include the following:

<Directory /full/path/to/protect> OR <Location /url/path/to/protect>

To allow a specific list of people to access the resource, include the following. List each person in the prescribed format:

<Directory /full/path/to/protect> OR <Location /url/path/to/protect>

To allow federated access (access from all InCommon members), include the following:

<Directory /full/path/to/protect> OR <Location /url/path/to/protect>
Configure via .htaccess
To protect a directory via htaccess, create an .htaccess file which includes the default commands and the Require directive. The Require directive tells Apache which user(s) may access the resource.
To allow all users from Carnegie Mellon to access the resource, include the following:
AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
# Only needed if the application itself reads the raw SAML assertion
ShibExportAssertion On
# Match the asserted user against an anchored regex; the dots are escaped so
# they match only a literal "." rather than any character
require shib-user ~ ^.+@andrew\.cmu\.edu$
To allow a specific list of users to access the resource, include the following, listing each user in the prescribed format:
AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
# One "require user" line per permitted user; the value is matched exactly
require user ju33@andrew.cmu.edu
require user je2i@andrew.cmu.edu
To allow federated access (access from ALL InCommon members), include the following:
AuthType Shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
# Any authenticated Shibboleth session is sufficient; no check on who the user is
Require Shibboleth
For questions about the federation, please contact identity-services@andrew.cmu.edu or see
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPhtaccess
Note: If you are protecting a CGI directory, you can access the user IDs through the REMOTE_USER environment variable.
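An added example, not code from this page or from CMU's own tooling: it evaluates the three .htaccess rules above (the shib-user regex, the explicit user list, and Require Shibboleth) against constructed CGI environments, reading the REMOTE_USER variable the note mentions, and compares the regex with and without escaped dots. Using Shib-Session-ID as the session marker is an assumption.

```python
import re

# Added example, not part of this page: evaluates the three .htaccess rules
# above against sample CGI environments. REMOTE_USER is the variable the
# page names; Shib-Session-ID as the session marker is an assumption.

# 'require shib-user ~ regex', dots escaped and both ends anchored.
CMU_SCOPE_RE = re.compile(r"^.+@andrew\.cmu\.edu$")
# Same rule with unescaped dots: '.' matches any character, so it is looser.
LOOSE_SCOPE_RE = re.compile(r"^.+@andrew.cmu.edu$")
# Constructed allow-list for the 'require user ...' variant.
ALLOWED_USERS = frozenset({"ju33@andrew.cmu.edu", "je2i@andrew.cmu.edu"})

def cmu_user_rule(environ, pattern=CMU_SCOPE_RE):
    """'require shib-user ~ regex': match the asserted REMOTE_USER."""
    user = environ.get("REMOTE_USER", "")
    return pattern.search(user) is not None

def listed_user_rule(environ, allowed=ALLOWED_USERS):
    """One 'require user X' line per entry: exact match only."""
    return environ.get("REMOTE_USER", "") in allowed

def federated_rule(environ):
    """'Require Shibboleth': any valid session, no identity check."""
    return "Shib-Session-ID" in environ

def authorize(environ, rule):
    """ShibRequireSession is checked first, then the Require rule."""
    if "Shib-Session-ID" not in environ:
        return "401 no session"
    return "200 allowed" if rule(environ) else "403 forbidden"

# Constructed sample environments, as a CGI script would see them.
SAMPLES = {
    "cmu": {"Shib-Session-ID": "_c0ffee", "REMOTE_USER": "ju33@andrew.cmu.edu"},
    "guest": {"Shib-Session-ID": "_d00d", "REMOTE_USER": "guest@example.edu"},
    "nosession": {"REMOTE_USER": "ju33@andrew.cmu.edu"},
    "lookalike": {"Shib-Session-ID": "_f00d", "REMOTE_USER": "x@andrewXcmuXedu"},
}

def run_all(samples=SAMPLES):
    """Return {(sample, rule): decision} for every sample and rule."""
    rules = {"cmu": cmu_user_rule, "listed": listed_user_rule, "federated": federated_rule}
    return {(s, r): authorize(env, fn) for s, env in samples.items() for r, fn in rules.items()}
```

The "lookalike" sample passes the unescaped pattern but is rejected by the escaped one, which is why the regex should escape its dots.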