Warning: Apache 2.4 Support

You should review this page and the htaccess page thoroughly because Apache 2.4 is much more complicated than earlier versions. In particular, if you're trying to combine Shibboleth with other authentication schemes (like Basic), you may need to enable the ShibCompatValidUser option, documented below.

...

AuthType type

Partially activates the module when type is set to "shibboleth" (or "basic", see ShibBasicHijack below). Must be accompanied by a Require command. See http://httpd.apache.org/docs/2.2/mod/core.html#authtype (or equivalent for your Apache version).

Require rule operands...

Enables an authorization rule in the module. For complete details, see the sections below on authentication and authorization. Also see http://httpd.apache.org/docs/2.2/mod/core.html#require (or equivalent for your Apache version).

Note: Apache 2.4

Note that the supported rules have changed somewhat for Apache 2.4 because of its API differences. Direct re-use of your configuration probably won't work if you move to Apache 2.4.

ShibRequestSetting setting value

Allows any valid content setting to be set or altered for the applicable request(s). This command takes two parameters, the name of the content setting, and the value to set it to. For boolean/flag options, you can use the exact values "1", "true", and "On" or the exact values "0", "false", and "Off". For complete details, see the section below on content settings.

ShibRequestUnset setting

Allows a content setting to be reverted to its default value at a particular point in the merging process that Apache carries out. There aren't a lot of cases where this has value, but in a few edge cases like requireSessionWith it can be useful.
ShibDisable On|Off

When enabled, this allows the module to short-circuit and ignore requests much faster than without the option set. This is useful for bypassing processing for high-traffic, public content.

ShibBasicHijack On|Off

Allows for compatibility with extensive legacy mod_auth configurations by activating the module when AuthType is set to basic.

AuthGroupFile filename

Identifies a mod_auth-style file containing group membership information for simple access control needs. See http://httpd.apache.org/docs/2.2/mod/mod_authz_groupfile.html#authgroupfile. On Apache 2.4, this command is no longer handled directly by the SP module.

ShibRequireAll On|Off

Normally, Require rules are processed such that satisfying any one rule will grant access. Subject to certain constraints (see the htaccess topic), turning this option on will change the behavior such that all rules must be satisfied.

Note: Not supported on Apache 2.4+

This command is subsumed by Apache 2.4's own support for controlling authorization rule composition.

AuthzShibAuthoritative On|Off

As explained in the htaccess topic, this option controls the behavior of the module when it encounters Require rules it does not understand and ShibRequireAll is enabled. Defaults to "On". 

Note: Not supported on Apache 2.4+

This command is subsumed by Apache 2.4's own support for controlling authorization rule composition and dispatching of rules to specific modules.

ShibUseEnvironment On|Off

Defaults to "On", this turns on the use of environment variables to publish attributes to applications. This is strongly preferred over the header option.

ShibUseHeaders On|Off

Defaults to "Off", this turns on the use of request headers to publish attributes to applications. Use of this option should be avoided. Be sure to review the topic on spoof checking if you enable it.

ShibAccessControl path to an authentication plug-in configuration file

Enables the use of XML Access Control rules for access control. This option can also be used in an .htaccess file. This allows non-root users to set complex access control rules without a restart of the web server. The plug-in is loaded on every request, which allows on-the-fly changes of access control rules (though is less efficient if large rulesets are used).

Note: Apache 2.4

With Apache 2.4+ the ShibAccessControl command is no longer supported. Instead, use Require shib-plugin path as described in the htaccess topic.

ShibExpireRedirects On|Off

Defaults to "On". Addresses issues with some browsers, notably Firefox 5+, that cause redirects generated by the SP to be cached, resulting in various errors following the login process. This usually manifests as a message replay error at the IdP, caused by the original redirect to the IdP being replayed. This option is enabled by default, but the older behavior can be restored, causing the cache-related headers on redirects to be governed by standard Apache settings.

ShibCompatWith24 On|Off

This option can be enabled to up-level the syntax requirements for the Require rules supported by the SP into the form used with Apache 2.4. You can enable this option to help migrate rules into a form that will work on Apache 2.4 before actually upgrading to it. This minimizes the compatibility issues for an upgrade.

ShibRequestMapperAuthz On|Off

Defaults to "On". Controls whether or not access control plugins attached using the <RequestMapper> in shibboleth2.xml are supported or not. Because this is less efficient to support in Apache 2.4, this option is provided to decrease request processing time in the event that such plugins are not in use. Disabling this does not prevent other features of the <RequestMapper> from being supported.
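As an added illustration (not part of the original page), the following configuration shows the same authorization policy written twice: once for Apache 2.2, where the SP module composes the Require rules itself via ShibRequireAll and ShibCompatWith24 lets you adopt the 2.4 rule syntax ahead of the upgrade, and once for Apache 2.4, where Apache's own RequireAll container does the composition and ShibRequireAll/AuthzShibAuthoritative are no longer honoured. The rule names shib-session and shib-attr come from the companion htaccess topic rather than this page; the path /secure and the attribute values are constructed for the example.

```apache
# --- Apache 2.2: the SP module composes the rules ---
<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # Accept the Apache 2.4 rule syntax (shib-attr, shib-session) on 2.2,
    # so the Require lines below need no rewrite after the upgrade.
    ShibCompatWith24 On
    # Default is "any one rule grants access"; require all of them instead.
    ShibRequireAll On
    # Attribute names are constructed examples (attribute-map.xml ids).
    Require shib-attr affiliation member@example.org
    Require shib-attr entitlement urn:example:secure
</Location>

# --- Apache 2.4: Apache composes the rules; ShibRequireAll is ignored ---
<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    <RequireAll>
        Require shib-session
        Require shib-attr affiliation member@example.org
        Require shib-attr entitlement urn:example:secure
    </RequireAll>
</Location>
```

Only one of the two Location blocks would be present in a real configuration. The 2.4 block relies on Apache's RequireAll/RequireAny containers for composition, which is why the SP-specific composition directives are documented above as subsumed on 2.4.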

...

Note: Need AuthType and Require

You MUST supply the AuthType and Require commands at or above the "level" of the content you want to protect in the document tree, or the module won't run. You CANNOT rely solely on the <RequestMapper> because of Apache's internal design.

One of the "quirks" (I would say "bugs") in Apache is that it requires a complicated set of inter-related general commands to be in place in order for an "auth" module to actually "see" a request. Just because you load the module doesn't mean Apache will ever call on it to do any work. This can make things confusing; if you see Apache just serving up content and the SP seems to be ignoring the requests, the lack of these commands is usually the problem.
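The activation requirement described in the note above, as an added example that is not from the original page: each protected path carries its own AuthType and Require, a public path short-circuits the module with ShibDisable, and attributes are published only through environment variables. The paths /static, /app and /app/public are constructed; the rules shib-session and shibboleth are taken from the companion htaccess topic rather than this page, and the ShibRequestUnset usage assumes the SP's default for requireSession is "off".

```apache
# Public, high-traffic content: let the SP skip these requests entirely.
<Location /static>
    ShibDisable On
</Location>

# Protected application. The AuthType and Require lines are what cause
# Apache to hand the request to the SP module at all; a <RequestMapper>
# entry for /app in shibboleth2.xml would not activate it by itself.
<Location /app>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # Publish attributes as environment variables only; keep header
    # publication off so the spoof-checking caveat above does not apply.
    ShibUseEnvironment On
    ShibUseHeaders Off
    Require shib-session
</Location>

# Sub-path that should be reachable anonymously while still exposing a
# session to the application when the user already has one. The module
# stays active (AuthType + a rule that always succeeds), but the
# inherited requireSession=1 is reverted to its default at this point
# in Apache's merge order.
<Location /app/public>
    AuthType shibboleth
    ShibRequestUnset requireSession
    Require shibboleth
</Location>
```

If /app/public were configured with only a <RequestMapper> entry and no AuthType/Require pair, Apache would serve it without ever consulting the SP, which is the symptom the note describes; keeping the pair on every protected path and using ShibRequestSetting/ShibRequestUnset for the per-path differences avoids that.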

...