Shibboleth access control using Apache configuration files

From RavenWiki
Revision as of 14:31, 17 March 2009 by jw35 (talk | contribs) (→‎Particular users: Explain where 'user' comes from)
Jump to navigationJump to search

Configuration examples

All of the following sets of directives should appear in an appropriate <Location> or <Directory> block, or in a .htaccess file. The names of attributes released by Raven on which access control decisions can be made can be found on Attributes released by the Raven IdP. Other IdPs will probably only release affiliation and targeted-id unless special arrangements are made in advance.

There doesn't seem to be a good reference for all the Apache directives - see Shibboleth SP Apache Directives for a basic summary extracted from the module source code.

Any users

Require authentication but don't limit who can authenticate. Note, for SPs in the UK federation, that the authenticated user could be anyone with an identity on any IdP in the federation.

 AuthType shibboleth
 ShibRequireSession On
 Require valid-user

Particular users

Exactly which attributes Shibboleth uses for 'user' is controlled by the REMOTE_USER attribute of the <ApplicationDefaults> element in shibboleth2.xml. By default this is the first of the 'eppn', 'persistent-id', or 'targeted-id' attribudes that has a value. Note that when user is based on eppn it will have '@cam.ac.uk' on the end for University users.

 AuthType shibboleth
 ShibRequireSession On
 Require user jw35@cam.ac.uk fjc55@cam.ac.uk

Cambridge user

Require authentication from someone in the University but don't otherwise limit who can authenticate. This is achieved with a pattern match on 'user' which in turn contains the user's eduPersonPrincipleName.

 AuthType shibboleth
 ShibRequireSession On
 Require user ~ @cam.ac.uk$

Apache group membership

 AuthType shibboleth
 ShibRequireSession On
 AuthGroupFile /var/www/data/shib-groupfile
 Require group 10cc

where /var/www/data/shib-groupfile contains

 10cc: jw35@cam.ac.uk kmg10@cam.ac.uk lnc@man.ac.uk

Group membership in lookup

 AuthType shibboleth
 ShibRequireSession On
 Require groupID 100852

Institution membership in lookup

 AuthType shibboleth
 ShibRequireSession On
 Require instID CS

More complex combinations

Requirements are by default 'OR'ed together, so this requires that the user is either a member of lookup group 100852 or part of the Computing Service:

 AuthType shibboleth
 ShibRequireSession On
 Require groupID 100852
 Require instID CS

The ShibRequireAll directive can be used to change this so that requirements are 'AND'ed together - this requires that the user is both a member of lookup group 100852 and part of the Computing Service:

 AuthType shibboleth
 ShibRequireSession On
 ShibRequireAll On
 Require groupID 100852
 Require instID CS

Apache does not support micing AND and OR.

Require authentication only

This forces the user to authenticate, but doesn't impose any access control. This is useful when you want to delegate access control to a protected web application. 'Require shibboleth' is a placeholder, required to trigger authentication under Apache.

 AuthType shibboleth
 ShibRequireSession On
 Require shibboleth

Optional authentication

With this configuration, the Shibboleth SP won't actually require users to authenticate:

 AuthType shibboleth
 Require shibboleth

However if they follow a link to https://<sitename>/Shibboleth.sso/Login then this _will_ trigger authentication, after which any attributes of the user will be available to web applications which can customise their behaviour accordingly. It's useful to provide a URL to link to after the user has authenticated - use a target= parameter and supply it with a URL-escaped URL.