NetID Login Service - Requiring Shibboleth Authentication

This document lists the methods for requiring authentication for Shibboleth-enabled web applications on the Windows and Linux/Apache platforms.

Windows

To require Shibboleth authentication for specific directories, you need to edit the RequestMapper section of the shibboleth2.xml. List each directory you want to protect as a Path within the application's Host element in the RequestMapper.

Shibboleth combines the hostname with the paths you define and uses the result to decide which URLs to protect. These are not physical paths but URL paths, so use forward slashes to separate subdirectories. The Shibboleth wiki has more details on hostnames and paths.

In the example below, a new subdirectory new_path has been added for sp.example.org, and the entire newsite.wisc.edu host is protected by adding authType="shibboleth" requireSession="true" to its Host element.


<RequestMapper type="Native">
    <RequestMap applicationId="default">
        <Host name="sp.example.org">
            <Path name="secure" authType="shibboleth" requireSession="true" redirectToSSL="443"/>
            <Path name="new_path" authType="shibboleth" requireSession="true" redirectToSSL="443"/>
        </Host>
        <Host name="newsite.wisc.edu" authType="shibboleth" requireSession="true" redirectToSSL="443"/>
    </RequestMap>
</RequestMapper>

The redirectToSSL="443" attribute is important because it forces requests for the protected path onto SSL, preventing user information (including the session cookie) from being sent over the internet unencrypted.

The RequestMapper is a reloadable resource, so the settings will be updated every time you save the shibboleth2.xml.
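Because mistakes in the RequestMapper silently leave URLs unprotected, it is worth checking the composed host/path prefixes mechanically. The following added example (not code from the NetID Login Service or the Shibboleth project) walks a RequestMapper, builds the URL prefixes the same way Shibboleth does, and flags Shibboleth-protected prefixes that lack requireSession or redirectToSSL; the SAMPLE_XML is constructed from the example above plus one deliberately weak Path.

```python
"""Audit a Shibboleth SP RequestMapper (added example, not from the NetID page):
compose protected URL prefixes (host name followed by Path names) and flag
Shibboleth-protected prefixes that lack requireSession or redirectToSSL."""
import xml.etree.ElementTree as ET
# Constructed sample: the page's RequestMapper plus one deliberately weak Path
SAMPLE_XML = """\
<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="sp.example.org">
      <Path name="secure" authType="shibboleth" requireSession="true" redirectToSSL="443"/>
      <Path name="new_path" authType="shibboleth" requireSession="true" redirectToSSL="443">
        <Path name="admin"/>
      </Path>
      <Path name="weak" authType="shibboleth"/>
    </Host>
    <Host name="newsite.wisc.edu" authType="shibboleth" requireSession="true" redirectToSSL="443"/>
  </RequestMap>
</RequestMapper>
"""
SETTINGS = ("authType", "requireSession", "redirectToSSL")

def _walk(elem, prefix, inherited, out):
    """Recurse through Host/Path elements; child settings override inherited ones."""
    tag = elem.tag.split("}")[-1]            # drop the XML namespace used in real files
    settings = dict(inherited, **{k: elem.get(k) for k in SETTINGS if elem.get(k)})
    if tag == "Host":
        prefix = elem.get("name")
    elif tag == "Path":
        prefix = prefix + "/" + elem.get("name").strip("/")
    if tag in ("Host", "Path"):
        out.append((prefix, settings))
    for child in elem:
        _walk(child, prefix, settings, out)

def audit_request_mapper(xml_text):
    """Return {url_prefix: [warnings]} for every Host/Path with authType shibboleth."""
    entries = []
    _walk(ET.fromstring(xml_text), "", {}, entries)
    report = {}
    for prefix, s in entries:
        if s.get("authType", "").lower() != "shibboleth":
            continue                         # not Shibboleth-protected, nothing to audit
        warnings = []
        if s.get("requireSession", "").lower() not in ("true", "1"):
            warnings.append("requireSession not set: a login is not actually required")
        if not s.get("redirectToSSL"):
            warnings.append("no redirectToSSL: session cookie can travel over plain HTTP")
        report[prefix] = warnings
    return report
```

Feed it the RequestMapper element of your own shibboleth2.xml and any prefix with a non-empty warning list needs attention.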

Linux/Apache

Once the installation of the Shibboleth 2 SP is complete, you can require Shibboleth authentication for any directory in your site or application by adding Apache directives in the .conf file or in an .htaccess file.

A note about security: it is very important to limit cookie use to encrypted requests. SSL should be required for any URL that uses Shibboleth authentication. To ensure that SSL is always used, redirect protected paths to SSL using native Apache functionality (e.g. Redirect or RewriteRule directives).

httpd.conf

It's best to identify the directory by its physical path. You need to require a Shibboleth session and set Require valid-user, which makes the directory available to anyone who successfully logs in with a UW NetID.

Example:

<Directory "/var/www/yoursite.wisc.edu/html/shib">
    # Hand authentication for this directory to the Shibboleth SP module
    AuthType shibboleth
    # Require an active Shibboleth session, i.e. force a login
    ShibRequestSetting requireSession 1
    # Allow any authenticated user (any UW NetID)
    Require valid-user
</Directory>

There are a number of variations on these settings. For example, you can use the AuthGroupFile and Require group directives to limit access to the directory to specific NetIDs only. As usual with settings in the httpd.conf file, an Apache restart is required for the changes to take effect.

.htaccess

You can also configure Shibboleth protection for a directory using an .htaccess file. This method is especially helpful for web developers who do not have access to the httpd.conf file, or in cases where an Apache restart is not practical.

The syntax is almost the same as in the httpd.conf example, except that the directory information is not necessary:

# Same directives as in httpd.conf, without the Directory wrapper
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user

The directives will apply to the directory where the .htaccess file is located and to its subdirectories.

For more information...

The full range of Apache configuration options is documented on the Shibboleth wiki.