To use Shibboleth on your site, create a file named ‘.htaccess’ in the directory to be protected and place inside it the specific configuration that section of your site needs. If this file already exists, you may be able to simply append to it; however, it may also contain conflicting directives, so be cautious and make a backup you can revert to first.
Information on the OSU-specific aspects of our IdP can be found at https://webauth.service.ohio-state.edu/~shibboleth/.
Mandatory SSL
SSL is required to use Shibboleth in OSU Web Hosting. This is not a technical requirement of Shibboleth itself, which encrypts and signs session data via its own mechanisms. It is, however, required to prevent browsers from throwing warnings about POSTing data to an insecure URL (which is what your site is without SSL).
SSL is enabled by default for recent accounts. If your account does not have it, you will need to request that 8help activate it.
Environment vs. Headers
By default Shibboleth puts all of the session information into the Apache environment for your script to use. This is the safe method, as the remote client cannot make changes to the environment; however, sometimes it is necessary to enable the alternate method, which places the session information into the request headers. This alternate is almost never required on OTDI Web Hosting except in cases where the script expects the data to be in the headers and you cannot modify its behavior.
Each method is independent and both can be enabled simultaneously. To enable header use, first review the documentation on Shibboleth’s spoof checking and then add the following to your .htaccess file:
ShibUseHeaders On
Environment variables are on by default and there is almost never a good reason to disable them, but it can be done via the following in your .htaccess file:
ShibUseEnvironment Off
Examples
Mandatory authentication – any name.# account will be sufficient:
AuthType shibboleth
ShibRequestSetting redirectToSSL 443
ShibRequestSetting requireSession 1
Require shib-session
Mandatory authentication – restricted to specific users:
AuthType shibboleth
ShibRequestSetting redirectToSSL 443
ShibRequestSetting requireSession 1
Require shib-user name.123@osu.edu
Require shib-user anothername.456@osu.edu
Lazy session – makes existing Shib session data available if it exists but does not mandate it:
AuthType shibboleth
Require shibboleth
Mandatory auth – faculty members only:
AuthType shibboleth
ShibRequestSetting redirectToSSL 443
ShibRequestSetting requireSession 1
Require shib-attr affiliation faculty@osu.edu
Mandatory auth – anyone except students and alumni:
AuthType shibboleth
ShibRequestSetting redirectToSSL 443
ShibRequestSetting requireSession 1
Require shib-attr affiliation ! ~ ^(student|alumni)@osu\.edu$
Mandatory auth – staff members currently enrolled in a degree program and with an even numbered name.# account:
AuthType shibboleth
ShibRequestSetting redirectToSSL 443
ShibRequestSetting requireSession 1
ShibRequireAll On
Require shib-attr affiliation employee@osu.edu
Require shib-attr affiliation student@osu.edu
Require shib-user ~ ^[a-z\-]+\.[0-9]*[02468]@osu\.edu$
(This last one isn’t actually useful – it’s just to show how flexible these rules can be.)
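The following Python script is an added illustration, not code from OSU Web Hosting or the Shibboleth project. It models two things from this page: how a script reads session attributes from the Apache environment versus from request headers (the "Environment vs. Headers" section), and how the Require rules in the examples above combine, including ShibRequireAll and regex/negated matching. The environ dictionary is constructed; the attribute name "affiliation" and the semicolon separator for multi-valued attributes follow the Shibboleth SP defaults, while the treatment of "!" as "pass when no value matches" is this example's own assumption about the rule semantics, not a statement of how mod_shib implements it.

```python
import re

# Constructed WSGI-style environ, shaped the way mod_shib would populate it:
# REMOTE_USER carries the name.# identity and multi-valued attributes arrive as
# one semicolon-separated string. HTTP_AFFILIATION is a request header a client
# could send itself; it is included to show it is ignored in environment mode.
ENVIRON = {
    "REMOTE_USER": "buckeye.124@osu.edu",
    "affiliation": "member@osu.edu;employee@osu.edu;student@osu.edu",
    "HTTP_AFFILIATION": "faculty@osu.edu",  # client-controlled, not SP-issued
}


def shib_attr_values(environ, name, use_headers=False):
    """Return the list of values for a Shibboleth attribute.

    Environment mode (ShibUseEnvironment On, the default) reads the variable the
    SP set; header mode (ShibUseHeaders On) reads HTTP_<NAME>, which any client
    can supply unless the SP's spoof checking rejects the request.
    """
    key = "HTTP_" + name.upper().replace("-", "_") if use_headers else name
    raw = environ.get(key, "")
    return [v for v in raw.split(";") if v]


def rule_matches(environ, rule, use_headers=False):
    """Evaluate one 'Require ...' line as this example models mod_shib."""
    parts = rule.split()
    kind = parts[1]
    if kind == "shib-session":          # any authenticated session is enough
        return bool(environ.get("REMOTE_USER"))
    if kind == "shibboleth":            # lazy session: never blocks access
        return True
    if kind == "shib-user":
        values = [environ.get("REMOTE_USER", "")]
        args = parts[2:]
    elif kind == "shib-attr":
        values = shib_attr_values(environ, parts[2], use_headers)
        args = parts[3:]
    else:
        raise ValueError(f"unsupported rule: {rule}")
    negate = False
    if args and args[0] == "!":         # assumption: '!' inverts the result
        negate, args = True, args[1:]
    if args and args[0] == "~":         # '~' introduces a regular expression
        pattern = re.compile(" ".join(args[1:]))
        hit = any(pattern.search(v) for v in values)
    else:                                # otherwise any listed literal value
        hit = any(v in args for v in values)
    return hit != negate


def access_allowed(environ, htaccess, use_headers=False):
    """Apply an .htaccess fragment: all rules must pass with ShibRequireAll On,
    otherwise any single passing Require line grants access."""
    require_all, rules = False, []
    for line in htaccess.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ShibRequireAll":
            require_all = parts[1].lower() == "on"
        elif parts[0] == "Require":
            rules.append(line.strip())
    results = [rule_matches(environ, r, use_headers) for r in rules]
    if not results:
        return True
    return all(results) if require_all else any(results)


# The page's own examples, used as test fixtures.
ANY_ACCOUNT = "AuthType shibboleth\nRequire shib-session"
LAZY = "AuthType shibboleth\nRequire shibboleth"
FACULTY_ONLY = "AuthType shibboleth\nRequire shib-attr affiliation faculty@osu.edu"
NOT_STUDENT_OR_ALUMNI = r"""AuthType shibboleth
Require shib-attr affiliation ! ~ ^(student|alumni)@osu\.edu$"""
EVEN_STAFF_STUDENT = r"""AuthType shibboleth
ShibRequireAll On
Require shib-attr affiliation employee@osu.edu
Require shib-attr affiliation student@osu.edu
Require shib-user ~ ^[a-z\-]+\.[0-9]*[02468]@osu\.edu$"""

if __name__ == "__main__":
    for label, frag in [("any account", ANY_ACCOUNT), ("faculty only", FACULTY_ONLY),
                        ("not student/alumni", NOT_STUDENT_OR_ALUMNI),
                        ("even staff student", EVEN_STAFF_STUDENT)]:
        print(f"{label:20s} env={access_allowed(ENVIRON, frag)} "
              f"headers={access_allowed(ENVIRON, frag, use_headers=True)}")
```

The "faculty only" row is the point of the environment-versus-headers section: the constructed user is not faculty, so the rule denies in environment mode, but a script that trusts the request header would grant access on the strength of a value the client sent itself. That is why the page tells you to review spoof checking before turning ShibUseHeaders on.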
A more complete list of instructions can be found at https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPhtaccess. We recommend that you check any existing Shibboleth setups against this instructions page, as it lists which existing directives are deprecated in Apache 2.4. While we’re currently running 2.2, configuring your website in a 2.4-friendly way now is fully supported and can prevent possible disruptions after a future upgrade.
Please also note that, at this time, OSU Web Hosting does not support access from non-OSU accounts; however, access for other InCommon members is planned for the future.