When used with Apache, the SP includes an Access Control plugin implemented on top of the Apache Require authorization command. The placement rules for this command are dictated by Apache, and include its <Directory> and <Location> blocks, as well as .htaccess files. By default, any place you can apply the

Make sure that any user will have already established a session, or require a session for the same path, or any access attempt will result in a 403.

.htaccess directives are able to override <Directory> blocks, but they cannot override <Location> blocks. If your .htaccess rules appear not to be executing, check for conflicting directives in the rest of Apache's configuration.
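As an added example (not from the original page or the Shibboleth project's own documentation), the placement rules and the session caveat above look like this in an httpd configuration for Apache 2.4. The paths /secure, /lazy and /var/www/html/app are invented; ShibRequestSetting requireSession is the SP's per-location switch for forcing a session, and the boolean values 1 and 0 are assumed to be accepted by it.

```apache
# Added example, not from the Shibboleth documentation. Paths are invented.

# A protected area: the session is established before any Require rule runs.
# Without requireSession (or a session already created on the same path), a
# rule such as shib-attr has nothing to evaluate and the request ends in 403.
<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session
</Location>

# A lazy-session area: the module must still see the request, so the
# "shibboleth" placeholder rule satisfies Apache without restricting access.
<Location /lazy>
    AuthType shibboleth
    ShibRequestSetting requireSession 0
    Require shibboleth
</Location>

# Rules in .htaccess can only override <Directory>, never <Location>, and
# only where AllowOverride permits it. A Require rule that appears to do
# nothing is often sitting in a .htaccess file under a stricter <Location>.
<Directory /var/www/html/app>
    AllowOverride AuthConfig
</Directory>
```

The first two blocks differ only in requireSession: with it on, an unauthenticated user is sent to log in before the rule is evaluated; with it off, the request reaches the application with or without a session, which is the behaviour the lazy session feature depends on.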
The general syntax of a Require rule is:

    Require rule-type value1 value2

Some of the rule types support a regular expression mode:

    Require rule ~ exp1 exp2

The SP supports the following rule "types" (the type is the first parameter of the command):
- shibboleth: A placeholder rule that allows a Require command to be inserted to satisfy Apache's requirements when using the AuthType command. It takes no parameters and has no effect other than to ensure that the module sees and processes requests. It does not restrict access based on whether a user is logged in, and is therefore commonly used with the lazy session feature.
- shib-session (Shibboleth V2.5.2 and Later) (Apache 2.4 and Later OR ShibCompatWith24): Equivalent to valid-user in older releases, or when ShibCompatValidUser is Off.
- valid-user (Deprecated): When ShibCompatValidUser is Off (the default), this is equivalent to the shib-session rule above. When the ShibCompatValidUser option is enabled, this rule is implemented compatibly with the rule implemented by Apache itself and requires a non-null REMOTE_USER value be set for the request. This restores the ability to deploy Shibboleth along with other modules and rules. A future version of the SP may remove the "special" definition, and such rules should be changed to rely on shib-session.
- shib-user (Shibboleth V2.5.2 and Later) (Apache 2.4 and Later OR ShibCompatWith24): The SP's own form of the user rule; it supports the ~ and ! modifiers described below.
- user (Use of ~/! Modifiers Deprecated): When ShibCompatValidUser is Off (the default), this is equivalent to the shib-user rule above. When the ShibCompatValidUser option is enabled, this rule is implemented compatibly with the rule implemented by Apache itself and does only standard string matching against REMOTE_USER. This restores the ability to deploy Shibboleth along with other modules and rules. A future version of the SP may remove the "special" definition that supports modifiers, and such rules should be changed to rely on shib-user.
- group (Apache 2.2 and Earlier): Checks membership in the groups defined by the file named with the AuthGroupFile command. The remaining parameters are the names of groups to check membership against. Starting with Apache 2.4, support for this option is left up to other "out of the box" Apache module support for group-based rules, rather than reimplemented by the SP.
- authnContextClassRef
- authnContextDeclRef
- shib-plugin (Apache 2.4 and Later OR ShibCompatWith24): Delegates the decision to the access control plugin configured with the ShibAccessControl option, and can be enabled for use with older Apache versions using the ShibCompatWith24 option.
- shib-attr (Apache 2.4 and Later OR ShibCompatWith24): Compares the attribute named by the first parameter against the remaining values (see the shib-attr examples at the end of this page), and can be enabled for use with older Apache versions using the ShibCompatWith24 option. Note that for literal comparisons, the case sensitivity of the match is dependent on the caseSensitive property applied when the attribute is decoded.
A pair of rule modifiers are supported to affect the processing of the rule types that accept parameters (all but the first two above). Modifiers are placed after the rule type but before any comparison values.

- ~ : The values are evaluated as regular expressions rather than literal strings. The group rule does not support this modifier.
- ! : Negates the rule, so it is satisfied only when none of the values match.

The two modifiers can be combined, so as to enforce a regular expression that must NOT match. When using both modifiers, be sure to separate them with a space (see examples).
As of Apache V2.4, authorization rules are designed to be handled by specific modules that register for them. With this change, the notion of combining rules from different modules is a first-order concept using a feature called authorization containers. This renders the commands described below obsolete, and they are no longer supported.

Prior to Apache V2.4, the server functions by allowing access if any rule is satisfied. This allows rules recognized by different modules to appear, since modules can ignore rules they don't understand and simply grant access on their own, but limits the kinds of combinations possible.
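An added example (not from the original page) of the Apache 2.4 container approach the paragraph describes: the SP's rules are combined with a rule from another module (mod_authz_host's Require ip) inside a <RequireAll> container, so no SP-specific combining command is needed. The path, the affiliation value and the 192.0.2.0/24 address range are invented.

```apache
# Added example, not from the Shibboleth documentation. Values are invented.
# Apache 2.4 only: containers replace the pre-2.4 "any rule wins" behaviour.
<Location /staff-only>
    AuthType shibboleth
    ShibRequestSetting requireSession 1

    # Every rule in the container must pass: a session, a matching
    # affiliation, and a client address inside the campus range. The third
    # rule belongs to mod_authz_host, not to the SP; on 2.4 that mix needs
    # no ShibRequireAll or AuthzShibAuthoritative at all.
    <RequireAll>
        Require shib-session
        Require shib-attr affiliation ~ ^staff@example\.edu$
        Require ip 192.0.2.0/24
    </RequireAll>
</Location>

# A second area where either of two attribute values is enough.
<Location /students-or-alumni>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    <RequireAny>
        Require shib-attr affiliation student@example.edu
        Require shib-attr affiliation alum@example.edu
    </RequireAny>
</Location>
```

Bare Require lines outside any container are treated by Apache 2.4 as if they were inside <RequireAny>, which is the same "any rule satisfies" outcome the pre-2.4 server gave; wrapping them in <RequireAll> is what changes the semantics, and the SP's ShibRequireAll command described next is only relevant to the older servers.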
The SP module includes a ShibRequireAll command that changes this semantic and requires that all rules present be satisfied before granting access. This is straightforward as long as all the rules are known to the SP module, but becomes complex if other modules are involved.

To control this behavior, the AuthzShibAuthoritative command is supplied. The following matrix describes how the options interact when an unrecognized rule is found:

| | AuthzShibAuthoritative On | AuthzShibAuthoritative Off |
|---|---|---|
| ShibRequireAll On | Access Denied | Decision Left to Other Modules |
| ShibRequireAll Off | Ignored | Ignored |
The following are suggested steps to take to avoid work in the future:

1. Turn on ShibCompatWith24 to enable the newer versions of various rules. Make sure you have no existing rules by those names referring to custom attributes.
2. Replace any valid-user and user rules with shib-session and shib-user respectively (if needed). Of course, if all you need is the existing Apache semantics, feel free to use them. On Apache 2.4, turn on ShibCompatValidUser.
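The migration steps above, worked through as an added example that is not part of the original page: the deprecated valid-user and user rules beside their shib-session and shib-user replacements. The paths /app and /app/admin and the example.edu domain are invented, and ShibCompatWith24 and ShibCompatValidUser are assumed to be placed at server scope.

```apache
# Added example, not from the Shibboleth documentation. Paths are invented.

# Step 1 (server scope, assumed): make shib-session, shib-user and shib-attr
# available on Apache 2.2 as well as 2.4. Check first that no existing
# "Require shib-attr ..." style rule refers to a custom attribute by name.
ShibCompatWith24 On

# Step 2, BEFORE: the SP's "special" definitions of valid-user and user,
# including the deprecated use of the ~ modifier on a user rule.
# <Location /app>
#     AuthType shibboleth
#     ShibRequestSetting requireSession 1
#     Require valid-user
# </Location>
# <Location /app/admin>
#     AuthType shibboleth
#     ShibRequestSetting requireSession 1
#     Require user ~ ^.+@example\.edu$
# </Location>

# Step 2, AFTER: the same intent using the SP's own rule types.
<Location /app>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session
</Location>
<Location /app/admin>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-user ~ ^.+@example\.edu$
</Location>

# On Apache 2.4, once no rule depends on the special definitions, hand
# valid-user and user back to Apache: they then test only REMOTE_USER.
ShibCompatValidUser On
```

With ShibCompatValidUser On, any leftover Require valid-user still passes for a user with a non-null REMOTE_USER, but a leftover Require user ~ pattern silently becomes a literal string comparison, which is why the user rules are converted before the option is turned on.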
The earliest release in which deprecated options would be removed is a V3.0 release of the SP, and there are no current plans for that. However, the various combinations and issues are quite complex due to the software's age, so avoiding them altogether is the best option.
Examples:

    # Direct comparison
    Require shib-attr affiliation student@osu.edu student@psu.edu

    # Using an expression
    Require shib-attr affiliation ~ ^student@(osu|psu)\.edu$

    # Negated expression (modifiers separated by a space): satisfied only
    # when REMOTE_USER does NOT match the pattern
    Require shib-user ! ~ ^.+@(osu|psu)\.edu$