HTACCESS Control

 Quick Start

Available To:  Students, Faculty, Staff

Cost:  No charge.

 See Getting Started below.

Clemson Shibboleth authentication may be used to control access to material on the web using an htaccess file. In the directory (Folder) requiring authentication, create the htacccess file with the following contents:

HTACCESS file Example:

Any Clemson User:

AuthType shibboleth
ShibRequireSession On
require shib-session

This example will allow anyone with a valid clemson username and password access.

Specific Users:

If you wanted to limit it to specific usernames, then you would replace the line:

require shib-session

with something like:

require shib-user cyclist 
require shib-user tharon 
require shib-user fred

This would allow only the users cyclist, tharon and fred access.

Employees Only:

If you wanted to limit it to specific usernames, then you would replace the line:

require shib-attr primary-affiliation employee

Students Only:

If you wish to allow only Clemson students, change the last line as shown in this example:

require shib-attr primary-affiliation student

Employees, Students and Affiliates:

If you wish to allow Clemson employees, students, and affiliates follow this example:

require shib-attr primary-affiliation student
require shib-attr primary-affiliation employee
require shib-attr primary-affiliation affiliate

Groups:

Membership in departments, workgroups or course sections may also be used to restrict access to content as shown in the following 3 examples:

require shib-attr edirgroup .DCIT2803_CAMPUS_CONSULTANTS.groups.people.cuid

require shib-attr legacyGroup .dcitweb.web+groups.cts.dcit.clemsonu

require shib-attr clemsonGroup coes0902_gen_engr_stud

You can have multiple group lines as well. The only things to look out for with groups are that the inital period (.) is required and if the eDirectory groupname has spaces in it, then you must replace the spaces with plus signs. So, to limit access to the eDirectory group .dcitweb.web groups.cts.dcit.clemsonu the line would look like:

require shib-attr group dcitweb.web+groups.cts.dcit.clemsonu

Environmental Variables

Shibboleth returns variables in the Apache Environment array on most Linux-hosted Web Servers. This table shows the lists of variables available for an htaccess file.

Table Legend:
Available by Default: Default
Requires Request or MOU by University Data Stewards: Req

Variable Name Requires Request Requires MOU
Variable names are case sensitive when used in an htaccess file
acad-class REQ
clemsonGroup Default
clemsonPrimaryUserName Default
clemsonPublishedUserName Default
clemsonUsernames Default
clemsonXID REQ
cn Default
deveduPersonPrimaryAffiliation Default
edirgroup Default
eppn Default
fullName REQ
givenName REQ
legacyGroup Default
mail REQ
nickname REQ
primary-affiliation Default
primaryUserName Default
publishedUserName Default
sn
REQ
unscoped-affiliation Default
user Default
workforceID REQ

Documentation:

Shibboleth: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration

 Quick Start

Available To:  Students, Faculty, Staff

Cost:  No charge.

 See Getting Started.