Shibboleth access control using shibboleth2.xml: Difference between revisions
mNo edit summary |
(WIP) |
||
| Line 1: | Line 1: | ||
Authentication requirements and access control rules can be defined in the shibboleth2.xml configuration file. This is the only way that will work with IIS; with Apache it's also possible to [[Shibboleth access control using Apache configuration files | configure rules in the Apache configuration files]]. Its actually possible to mix the two approaches (with the Apache files taking precedence) but that way madness lies - it's much simpler to use one or the other. | Authentication requirements and access control rules can be defined in the shibboleth2.xml configuration file. This is the only way that will work with IIS; with Apache it's also possible to [[Shibboleth access control using Apache configuration files | configure rules in the Apache configuration files]]. Its actually possible to mix the two approaches (with the Apache files taking precedence) but that way madness lies - it's much simpler to use one or the other. | ||
==IIS Considerations== | |||
Under IIS the SP software needs some additional configuration information to allow it to obtain canonical scheme, host, and port information about an incoming request. This is achieved by a <ISAPI> element inside the <InProcess> element of the configuration file. See | |||
https://spaces.internet2.edu/display/SHIB2/NativeSPISAPI | |||
for more details. | |||
==Apache considerations== | ==Apache considerations== | ||
Under Apache, the SP software requires that the <tt>ServerName</tt> is correctly set to reflect the name of the site and that the <tt>UseCanonicalName</tt> directive is set to 'On'. Without this it may be possible to access the site using an alias and so bypass any access control implemented in shibboleth2.xml. | |||
==Configuration examples== | ==Configuration examples== | ||
All of the following configuration examples should appear inside a <RequestMap> element in the <RequestMapper> element of the shibboleth2.xml configuration file. See [[editing XML]] for hints about editing XML files. | |||
===Any users=== | ===Any users=== | ||
Revision as of 12:19, 17 March 2009
Authentication requirements and access control rules can be defined in the shibboleth2.xml configuration file. This is the only way that will work with IIS; with Apache it's also possible to configure rules in the Apache configuration files. Its actually possible to mix the two approaches (with the Apache files taking precedence) but that way madness lies - it's much simpler to use one or the other.
IIS Considerations
Under IIS the SP software needs some additional configuration information to allow it to obtain canonical scheme, host, and port information about an incoming request. This is achieved by a <ISAPI> element inside the <InProcess> element of the configuration file. See
https://spaces.internet2.edu/display/SHIB2/NativeSPISAPI
for more details.
Apache considerations
Under Apache, the SP software requires that the ServerName is correctly set to reflect the name of the site and that the UseCanonicalName directive is set to 'On'. Without this it may be possible to access the site using an alias and so bypass any access control implemented in shibboleth2.xml.
Configuration examples
All of the following configuration examples should appear inside a <RequestMap> element in the <RequestMapper> element of the shibboleth2.xml configuration file. See editing XML for hints about editing XML files.
Any users
Require authentication but don't limit who can authenticate. Note, for SPs in the UK federation, that the authenticated user could be anyone with an identity on any SP in the federation.
Cambridge user
Require authentication from someone in the University but don't otherwise limit who can authenticate. This is achieved with a pattern match on 'user' which in turn contains the user's eduPersonPrincipleName.
Particular users
Note that usernames, being ePPNs, have '@cam.ac.uk' on the end.
Apache group membership
lookup group membership
lookup institution membership
Require authentication only
This forces the user to authenticate, but doesn't impose any access control. This is useful when you want to delegate access control to a protected web application. 'Require shibboleth' is a placeholder, required to trigger authentication under Apache.
