Configuring Shibboleth access control: Difference between revisions
No edit summary |
|||
(5 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
{{New Docs}} | |||
The example configuration files require authentication for access to all URLs with paths starting <tt>/secure</tt>. This is only intended for test and demonstration purposes and you will want to customise this behaviour so that access to URLs of your choice is controlled both by a user's ability to authenticate and the attributes made available about them. | The example configuration files require authentication for access to all URLs with paths starting <tt>/secure</tt>. This is only intended for test and demonstration purposes and you will want to customise this behaviour so that access to URLs of your choice is controlled both by a user's ability to authenticate and the attributes made available about them. | ||
Line 4: | Line 6: | ||
* Access control decisions can be made by the SP software using configuration information in the shibboleth2.xml file. This applies to both static content and to web applications. | * Access control decisions can be made by the SP software using configuration information in the shibboleth2.xml file. This applies to both static content and to web applications. | ||
* Under Apache only, access control decisions can be made by the SP software using configuration information in Apache configuration files (httpd.conf and friends, and .htaccess). This also applies to both static content and web applications. | * Under Apache only, access control decisions can be made by the SP software using configuration information in Apache configuration files (httpd.conf and friends, and .htaccess). This also applies to both static content and web applications. | ||
* | * Access control decisions can be left to a web application with the SP restricting itself to authenticating the user and providing attributes to the application. Obviously this only applies to protection of web applications. | ||
In addition, for the third option, the SP con be configured not to actually require authentication but to trigger it when the user accesses a special 'virtual' | In addition, for the third option, the SP con be configured not to actually require authentication but to trigger it when the user accesses a special 'virtual' URL provided by the SP software, a set up sometimes called 'lazy session establishment'. | ||
There are a huge range of options, too many to detail here. Internet2's documentation start here | There are a huge range of options, too many to detail here. Internet2's documentation start here | ||
https:// | https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPProtectContent | ||
and is likely to be useful. We also have a set of examples of | |||
* '''[[Shibboleth access control using shibboleth2.xml | Using shibboleth2.xml]]'''; and | |||
* '''[[Shibboleth access control using Apache configuration files | Using Apache configuration files]]''' |
Latest revision as of 11:41, 3 March 2020
We're working on improving Raven resources for developers and site operators.
Try out the new Raven documentation for size.
The example configuration files require authentication for access to all URLs with paths starting /secure. This is only intended for test and demonstration purposes and you will want to customise this behaviour so that access to URLs of your choice is controlled both by a user's ability to authenticate and the attributes made available about them.
You have three choices for implementing access control:
- Access control decisions can be made by the SP software using configuration information in the shibboleth2.xml file. This applies to both static content and to web applications.
- Under Apache only, access control decisions can be made by the SP software using configuration information in Apache configuration files (httpd.conf and friends, and .htaccess). This also applies to both static content and web applications.
- Access control decisions can be left to a web application with the SP restricting itself to authenticating the user and providing attributes to the application. Obviously this only applies to protection of web applications.
In addition, for the third option, the SP con be configured not to actually require authentication but to trigger it when the user accesses a special 'virtual' URL provided by the SP software, a set up sometimes called 'lazy session establishment'.
There are a huge range of options, too many to detail here. Internet2's documentation start here
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPProtectContent
and is likely to be useful. We also have a set of examples of