Shibboleth access control using shibboleth2.xml: Difference between revisions

Authentication requirements and access control rules can be defined in the shibboleth2.xml configuration file. This is the only way that will work with IIS; with Apache it's also possible to configure rules in the Apache configuration files. Its actually possible to mix the two approaches (with the Apache files taking precedence) but that way madness lies - it's much simpler to use one or the other.

This process uses XML elements inside a <RequestMap> element in the <RequestMapper> element of the configuration file. See Editing XML for hints about editing this XML file.

IIS Considerations

Apache considerations

Configuration examples

Any users

Require authentication but don't limit who can authenticate. Note, for SPs in the UK federation, that the authenticated user could be anyone with an identity on any SP in the federation.

Cambridge user

Require authentication from someone in the University but don't otherwise limit who can authenticate. This is achieved with a pattern match on 'user' which in turn contains the user's eduPersonPrincipleName.

Particular users

Note that usernames, being ePPNs, have '@cam.ac.uk' on the end.

Apache group membership

lookup group membership

lookup institution membership

Require authentication only

This forces the user to authenticate, but doesn't impose any access control. This is useful when you want to delegate access control to a protected web application. 'Require shibboleth' is a placeholder, required to trigger authentication under Apache.

Optional authentication