HTACCESS Control
Clemson Shibboleth authentication may be used to control access to material on the web using an htaccess file. In the directory (folder) requiring authentication, create the htaccess file with the following contents:
HTACCESS file Example:
Any Clemson User:
AuthType shibboleth
ShibRequireSession On
require shib-session
This example allows access to anyone with a valid Clemson username and password.
Specific Users:
If you wanted to limit it to specific usernames, then you would replace the line:
require shib-session
with something like:
require shib-user cyclist
require shib-user tharon
require shib-user fred
This would allow only the users cyclist, tharon and fred access.
Employees Only:
If you wish to allow only Clemson employees, change the last line as shown in this example:
require shib-attr primary-affiliation employee
Students Only:
If you wish to allow only Clemson students, change the last line as shown in this example:
require shib-attr primary-affiliation student
Employees, Students and Affiliates:
If you wish to allow Clemson employees, students, and affiliates, follow this example:
require shib-attr primary-affiliation student
require shib-attr primary-affiliation employee
require shib-attr primary-affiliation affiliate
Groups:
Membership in departments, workgroups or course sections may also be used to restrict access to content as shown in the following 3 examples:
require shib-attr edirgroup .DCIT2803_CAMPUS_CONSULTANTS.groups.people.cuid
require shib-attr legacyGroup .dcitweb.web+groups.cts.dcit.clemsonu
require shib-attr clemsonGroup coes0902_gen_engr_stud
You can have multiple group lines as well. The only things to look out for with groups are that the initial period (.) is required and, if the eDirectory group name has spaces in it, you must replace the spaces with plus signs. So, to limit access to the eDirectory group .dcitweb.web groups.cts.dcit.clemsonu the line would look like:
require shib-attr group .dcitweb.web+groups.cts.dcit.clemsonu
Environmental Variables
Shibboleth returns variables in the Apache Environment array on most Linux-hosted Web Servers. This table shows the lists of variables available for an htaccess file.
Table Legend:
Available by Default: Default
Requires Request or MOU by University Data Stewards: Req
Variable Name | Requires Request | Requires MOU |
Variable names are case sensitive when used in an htaccess file | ||
acad-class | REQ | |
clemsonGroup | Default | |
clemsonPrimaryUserName | Default | |
clemsonPublishedUserName | Default | |
clemsonUsernames | Default | |
clemsonXID | REQ | |
cn | Default | |
deveduPersonPrimaryAffiliation | Default | |
edirgroup | Default | |
eppn | Default | |
fullName | REQ | |
givenName | REQ | |
legacyGroup | Default | |
REQ | ||
nickname | REQ | |
primary-affiliation | Default | |
primaryUserName | Default | |
publishedUserName | Default | |
sn | REQ | |
unscoped-affiliation | Default | |
user | Default | |
workforceID | REQ | |
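The pitfalls described on this page (case-sensitive variable names, the required leading period, and spaces in eDirectory group names) can be checked before an htaccess file is deployed. The following is an added example, not part of the original page or of Shibboleth: the function name lint_htaccess is hypothetical, the sample input is constructed, and applying the leading-period rule to edirgroup and legacyGroup is an assumption drawn from the examples above.

```python
import re

# Attribute names copied from the variable table on this page (case sensitive).
KNOWN_ATTRS = {
    "acad-class", "clemsonGroup", "clemsonPrimaryUserName",
    "clemsonPublishedUserName", "clemsonUsernames", "clemsonXID", "cn",
    "deveduPersonPrimaryAffiliation", "edirgroup", "eppn", "fullName",
    "givenName", "legacyGroup", "nickname", "primary-affiliation",
    "primaryUserName", "publishedUserName", "sn", "unscoped-affiliation",
    "user", "workforceID",
}
BY_LOWER = {name.lower(): name for name in KNOWN_ATTRS}
# Assumption: these two attributes carry eDirectory-style names (leading ".").
DOTTED_GROUP_ATTRS = {"edirgroup", "legacyGroup"}
REQUIRED = (("AuthType shibboleth", r"authtype\s+shibboleth$"),
            ("ShibRequireSession On", r"shibrequiresession\s+on$"))


def lint_htaccess(text):
    """Return (line_number, message) findings; line 0 means file-level."""
    findings = []
    lines = [line.strip() for line in text.splitlines()]
    active = [l.lower() for l in lines if l and not l.startswith("#")]
    # Any "require shib-*" rule needs the two session directives from the first example.
    if any(re.match(r"require\s+shib-", l) for l in active):
        for directive, pattern in REQUIRED:
            if not any(re.match(pattern, l) for l in active):
                findings.append((0, f"missing '{directive}'"))
    for num, line in enumerate(lines, start=1):
        parts = line.split()
        if len(parts) < 3 or [p.lower() for p in parts[:2]] != ["require", "shib-attr"]:
            continue
        attr, values = parts[2], parts[3:]
        if attr not in KNOWN_ATTRS:  # wrong case or unknown name
            hint = BY_LOWER.get(attr.lower())
            findings.append((num, f"'{attr}' should be spelled '{hint}'" if hint
                             else f"'{attr}' is not in the variable table"))
        bad = [v for v in values if not v.startswith(".")]
        if attr in DOTTED_GROUP_ATTRS and bad:
            findings.append((num, f"'{bad[0]}' lacks the leading period, or is the "
                                  "tail of a group name whose space was not replaced by '+'"))
    return findings


# Constructed sample input, not a real configuration.
SAMPLE = """AuthType shibboleth
ShibRequireSession On
require shib-attr EdirGroup .DCIT2803_CAMPUS_CONSULTANTS.groups.people.cuid
require shib-attr legacyGroup .dcitweb.web groups.cts.dcit.clemsonu
require shib-attr primary-affiliation employee
"""
```

Calling lint_htaccess(SAMPLE) reports the miscased attribute on line 3 and the unescaped space on line 4; an empty list means none of these checks fired.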
Documentation:
Shibboleth: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration