Shibboleth in Web Hosting

To use Shibboleth on your site, create a file called '.htaccess' in the directory to be protected and place inside it the specific configuration that section of your site needs. If this file already exists you may be able to simply append to it; however, it may also contain conflicting directives, so be cautious, make a backup you can revert to, etc.

Information on the OSU-specific aspects of our IdP can be found at https://webauth.service.ohio-state.edu/~shibboleth/.

Mandatory SSL

SSL is required to use Shibboleth in OSU Web Hosting. This is not a technical requirement of Shibboleth itself, which encrypts and signs its session data via its own mechanisms. It is, however, required to prevent browsers from warning about POSTing data to an insecure URL (which is what your site is without SSL).

SSL is enabled by default for recent accounts. If your account does not have it, you will need to request that 8help activate it.

Environment vs. Headers

By default Shibboleth puts all of the session information into the Apache environment for your script to use. This is the safe method, since the remote client cannot make changes to the server environment; however, it is sometimes necessary to enable the alternate method, which places the session information into the request headers. This alternate is almost never required on OCIO Web Hosting except where a script expects the data in the headers and you cannot modify its behavior.

The two methods are independent and can be enabled simultaneously. To enable header use, first review the Shibboleth documentation on spoof checking and then add the following to your .htaccess file:

   ShibUseHeaders On

Environment variables are on by default and there is almost never a good reason to disable them, but it can be done via the following in your .htaccess file:

   ShibUseEnvironment Off

Examples

Mandatory authentication – any name.# account will be sufficient:

   AuthType shibboleth
   ShibRequestSetting redirectToSSL 443
   ShibRequestSetting requireSession 1
   Require shib-session

Mandatory authentication – restricted to specific users:

   AuthType shibboleth
   ShibRequestSetting redirectToSSL 443
   ShibRequestSetting requireSession 1
   Require shib-user name.123@osu.edu
   Require shib-user anothername.456@osu.edu

Lazy session – makes existing Shib session data available if it exists but does not mandate it:

   AuthType shibboleth
   Require shibboleth

Mandatory auth – faculty members only:

   AuthType shibboleth
   ShibRequestSetting redirectToSSL 443
   ShibRequestSetting requireSession 1
   Require shib-attr affiliation faculty@osu.edu

Mandatory auth – anyone except students and alumni:

   AuthType shibboleth
   ShibRequestSetting redirectToSSL 443
   ShibRequestSetting requireSession 1
   Require shib-attr affiliation ! ~ ^(student|alumni)@osu\.edu$

Mandatory auth – staff members currently enrolled in a degree program and with an even numbered name.# account:

   AuthType shibboleth
   ShibRequestSetting redirectToSSL 443
   ShibRequestSetting requireSession 1
   ShibRequireAll On
   Require shib-attr affiliation employee@osu.edu
   Require shib-attr affiliation student@osu.edu
   Require shib-user ~ ^[a-z\-]+\.[0-9]*[02468]@osu\.edu$

(This last one isn't actually useful – it's just to show how flexible these rules can be)
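To see how the Require lines in these snippets combine, here is an added Python model of the evaluation (not OSU's or the Shibboleth SP's own code). It assumes what the SP puts in the Apache environment: REMOTE_USER for the user, multi-valued attributes such as affiliation joined with ';', a line passing if any value matches, '!' negating a line, and ShibRequireAll On ANDing the lines (Off ORs them).

```python
import re

def _line_matches(environ, rule):
    """Evaluate one 'Require shib-user ...' or 'Require shib-attr NAME ...' line."""
    parts = rule.split()
    if parts[1] == "shib-user":
        values, args = [environ.get("REMOTE_USER", "")], parts[2:]
    elif parts[1] == "shib-attr":
        # Assumed layout: multi-valued attributes are ';'-separated in the environment.
        values, args = [v for v in environ.get(parts[2], "").split(";") if v], parts[3:]
    else:
        raise ValueError("unsupported rule: " + rule)
    negate = bool(args) and args[0] == "!"      # '!' flips the result of the line
    if negate:
        args = args[1:]
    regex = bool(args) and args[0] == "~"       # '~' makes the remaining args regexes
    if regex:
        args = args[1:]
    if regex:
        hit = any(re.search(pat, v) for pat in args for v in values)
    else:
        hit = any(v == a for a in args for v in values)
    return hit != negate

def access_allowed(environ, htaccess):
    """Apply the Require lines of an .htaccess snippet to one request's environment."""
    require_all, rules = False, []
    for line in htaccess.splitlines():
        line = line.strip()
        if line.startswith("ShibRequireAll"):
            require_all = line.split()[1].lower() == "on"
        elif line.startswith(("Require shib-user", "Require shib-attr")):
            rules.append(line)
    if not rules:
        return False                            # no rule matched nothing; deny by default
    results = [_line_matches(environ, r) for r in rules]
    return all(results) if require_all else any(results)

# Constructed sample environments, not real accounts.
STUDENT_ENV = {"REMOTE_USER": "name.123@osu.edu",
               "affiliation": "student@osu.edu;member@osu.edu"}
FACULTY_ENV = {"REMOTE_USER": "prof.7@osu.edu",
               "affiliation": "faculty@osu.edu;member@osu.edu"}
STAFF_STUDENT_ENV = {"REMOTE_USER": "brutus.42@osu.edu",
                     "affiliation": "employee@osu.edu;student@osu.edu"}
NOT_STUDENT_OR_ALUMNI = r"Require shib-attr affiliation ! ~ ^(student|alumni)@osu\.edu$"
EVEN_STAFF_STUDENT = r"""ShibRequireAll On
Require shib-attr affiliation employee@osu.edu
Require shib-attr affiliation student@osu.edu
Require shib-user ~ ^[a-z\-]+\.[0-9]*[02468]@osu\.edu$"""
```

Note that because affiliation is multi-valued, the negated rule only admits a user none of whose affiliation values match the pattern.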

A more complete list of instructions can be found at https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPhtaccess. We recommend that you check any existing Shibboleth setups against that page, as it lists which existing directives are deprecated in Apache 2.4. While we're currently running 2.2, configuring your website in a 2.4-friendly way now is fully supported and can prevent possible disruptions after a future upgrade.

Please also note that, at this time, OSU Web Hosting does not support access from non-OSU accounts; however, access for other InCommon members is planned for the future.
