
Shibboleth in Web Hosting

For most users, the easiest way to implement Shibboleth in OTDI Web Hosting is with an .htaccess file containing properly formatted Shibboleth directives; these instructions cover that approach. If your site is not PHP-based (e.g. Python or Node.js), review the Shibboleth instructions on Running Javascript with an OTDI Hosted Website instead.

For the rest of us, start by creating a text file in the directory you want to protect, called ‘.htaccess’ (with a leading dot). If this file already exists, you can modify it to suit your needs, but be cautious: it may contain conflicting directives and break your site. Make a backup!

There's no way for us to tell you exactly what your site needs, as every site is different. Instead, this document intends to explain some of the most common Shibboleth functions used in OTDI Web Hosting, and offer real-world examples of .htaccess file directives. 

Environment vs. Headers

By default, Shibboleth puts all of the session information into the Apache environment for your script to use. This is the safe method, as the remote client cannot make changes to the environment. Sometimes, however, it is necessary to enable the alternate method, which places the session information into the request headers. This alternate is almost never required on OTDI Web Hosting, except where a script expects the values in the headers and you cannot modify its behavior.

The two methods are independent and can both be enabled at the same time. To enable header use, first review the documentation on Shibboleth’s spoof checking and then add the following to your .htaccess file:

ShibUseHeaders On

Environment variables are on by default, and there is almost never a good reason to disable them, but it can be done via the following in your .htaccess file:

ShibUseEnvironment Off
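As an added illustration (not code from this page or from OTDI), the following PHP shows how a script on a protected path reads the session data under each method, and re-checks in code what the .htaccess rules already enforce. The attribute name affiliation and the MFA context class are taken from the Require rules in the examples on this page; Shib-Session-ID and Shib-AuthnContext-Class are the Shibboleth SP's standard exported variables. The sample $_SERVER array at the bottom is constructed.

```php
<?php
// Added example (not OTDI's code): reading the Shibboleth session from PHP.
// Assumes an .htaccess in the same directory with AuthType shibboleth and a
// Require rule, as in the examples on this page, and an SP attribute map that
// exports "affiliation" (the attribute the page's Require rules use).

declare(strict_types=1);

/** Multi-valued Shibboleth attributes arrive as one ';'-separated string. */
function shib_split(?string $value): array
{
    return ($value === null || $value === '') ? [] : explode(';', $value);
}

/**
 * Default method: the SP exports session data into the Apache environment,
 * which mod_php exposes through $_SERVER under the attribute's own name.
 * Returns null when no session exists (the lazy-session case).
 */
function shib_from_environment(array $server): ?array
{
    if (empty($server['Shib-Session-ID'])) {
        return null;
    }
    return [
        'user'        => $server['REMOTE_USER'] ?? null, // set by Apache authn
        'affiliation' => shib_split($server['affiliation'] ?? null),
        'authn_class' => $server['Shib-AuthnContext-Class'] ?? null,
    ];
}

/**
 * Alternate method (ShibUseHeaders On): the same data arrives as request
 * headers, which PHP exposes as $_SERVER['HTTP_<NAME>'] with '-' turned into '_'.
 * These values are only trustworthy while the SP's spoof checking is in effect;
 * a header a client sent on its own must never be treated as authentication.
 */
function shib_from_headers(array $server): ?array
{
    if (empty($server['HTTP_SHIB_SESSION_ID'])) {
        return null;
    }
    return [
        'user'        => $server['REMOTE_USER'] ?? null,
        'affiliation' => shib_split($server['HTTP_AFFILIATION'] ?? null),
        'authn_class' => $server['HTTP_SHIB_AUTHNCONTEXT_CLASS'] ?? null,
    ];
}

/**
 * Defense in depth: confirm in code that the MFA context class from the
 * BuckeyePass example was actually asserted for this session.
 */
function shib_has_mfa(?array $session): bool
{
    return $session !== null
        && $session['authn_class'] === 'urn:mace:osu.edu:shibboleth:ac:classes:mfa';
}

/** Mirrors "Require shib-attr affiliation <value>" at the application layer. */
function shib_has_affiliation(?array $session, string $wanted): bool
{
    return $session !== null && in_array($wanted, $session['affiliation'], true);
}

// Constructed sample of what $_SERVER holds under the default environment method.
$sample = [
    'Shib-Session-ID'         => '_constructed_session_id',
    'REMOTE_USER'             => 'name.123@osu.edu',
    'affiliation'             => 'member@osu.edu;faculty@osu.edu',
    'Shib-AuthnContext-Class' => 'urn:mace:osu.edu:shibboleth:ac:classes:mfa',
];
$session = shib_from_environment($sample);
var_dump(shib_has_affiliation($session, 'faculty@osu.edu'));
var_dump(shib_has_mfa($session));
var_dump(shib_from_environment([]));
```

The .htaccess rules remain the authoritative gate; the in-script checks exist so that a mis-edited or missing .htaccess fails closed rather than silently exposing the page.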

Examples

Mandatory authentication – any name.# account will be sufficient:

AuthType shibboleth
ShibRequestSetting redirectToSSL 443
ShibRequestSetting requireSession 1
Require shib-session

Mandatory authentication – restricted to specific users:

AuthType shibboleth
ShibRequestSetting redirectToSSL 443
ShibRequestSetting requireSession 1
Require shib-user name.123@osu.edu
Require shib-user anothername.456@osu.edu

Lazy session – makes existing Shib session data available if it exists but does not mandate it:

AuthType shibboleth
Require shibboleth

Mandatory auth – faculty members only:

AuthType shibboleth
ShibRequestSetting redirectToSSL 443
ShibRequestSetting requireSession 1
Require shib-attr affiliation faculty@osu.edu

Mandatory auth – anyone except students and alumni:

AuthType shibboleth
ShibRequestSetting redirectToSSL 443
ShibRequestSetting requireSession 1
Require shib-attr affiliation !~ ^(student|alumni)@osu\.edu$

Mandatory auth – for URI paths that match a specific pattern. (This allows password-protected WordPress pages under "/intranet/" to require Shibboleth before their secondary WordPress passwords.)

<If "%{REQUEST_URI} =~ m#^/intranet/#">
   AuthType shibboleth
   ShibRequestSetting redirectToSSL 443
   ShibRequestSetting requireSession 1
   Require shib-session
</If>

Mandatory auth – with BuckeyePass Multi-Factor Authentication (MFA). Please Note: Successful delivery of an MFA Challenge requires additional, external setup and device registration at BuckeyePass.

AuthType shibboleth
ShibRequestSetting requireSession 1
ShibRequestSetting authnContextClassRef urn:mace:osu.edu:shibboleth:ac:classes:mfa
Require shib-session
Require authnContextClassRef urn:mace:osu.edu:shibboleth:ac:classes:mfa

Mandatory auth – staff members currently enrolled in a degree program and with an even numbered name.# account:

AuthType shibboleth
ShibRequestSetting redirectToSSL 443
ShibRequestSetting requireSession 1
ShibRequireAll On
Require shib-attr affiliation employee@osu.edu
Require shib-attr affiliation student@osu.edu
Require shib-user ~ ^[a-z\-]+\.[0-9]*[02468]@osu\.edu$

(This last one isn’t actually useful – it’s just to show how flexible these rules can be.)

For a more complete list of Shibboleth options, please visit:

And finally, please note that OSU Web Hosting only supports access for OSU Name.# accounts. Access for other InCommon members is planned for the future.