...

| Rule | Apache Version Restrictions | Details |
|---|---|---|
| shibboleth | | This is a special "dummy" rule that allows a Require command to be inserted to satisfy Apache's requirements when using the AuthType command. It takes no parameters and has no effect other than to ensure that the module sees and processes requests. It does not restrict access based on whether a user is logged in, and is therefore commonly used with the lazy session feature. |
| shib-session | 2.4 and Later OR ShibCompatWith24 | A rule that requires an authenticated session, but nothing else. No information of any kind about the user is required in order to satisfy this rule and it should never be used in the absence of additional application logic to perform authorization. This is equivalent to require valid-user when ShibCompatValidUser is Off. |
| shib-user | 2.4 and Later OR ShibCompatWith24 | A rule based on the REMOTE_USER value established for the request. The remaining parameters are the values to compare against. Regular expression and negation modifiers are supported (see below). |
| group | 2.2 and Earlier | A rule to check membership of the REMOTE_USER value established for the request against a group membership file designated with the AuthGroupFile command. The remaining parameters are the names of groups to check membership against. Starting with Apache 2.4, support for this option is left up to other "out of the box" Apache module support for group-based rules, rather than reimplemented by the SP. |
| authnContextClassRef | | A rule based on the SAML authentication context class or method asserted by the IdP. The remaining parameters are the values to compare against. |
| authnContextDeclRef | | A rule based on the SAML authentication context declaration asserted by the IdP. The remaining parameters are the values to compare against. |
| shib-plugin | 2.4 and Later OR ShibCompatWith24 | Enables the use of XML Access Control rules for access control. The single parameter is the path to an access control configuration file. The plug-in is loaded on every request, which allows on-the-fly changes of access control rules (though this is less efficient if large rulesets are used). This is equivalent to the older ShibAccessControl option and can be enabled for use with older Apache versions using the ShibCompatWith24 option. |
| shib-attr | 2.4 and Later OR ShibCompatWith24 | The Apache 2.4 authorization API does not allow for "extensible" rule types within a single module, so to accommodate rules based on attributes, a new rule type is used. The first parameter to the rule specifies the attribute ID to check, and the rest of the parameters are used as values to check for. This rule type can be enabled for use with older Apache versions using the ShibCompatWith24 option. Note that for literal comparisons, the case sensitivity of the match is dependent on the caseSensitive property applied when the attribute is decoded. |
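
The following Apache 2.4 configuration is an added example, not taken from the Shibboleth documentation. It places the session-only rule beside rules that actually constrain who gets in. The locations, attribute ID, attribute value, context class and file path are placeholders, and the ShibRequestSetting requireSession lines are assumed to control whether a session is forced.

```apache
# Added example. All paths, attribute IDs and values below are placeholders.

# Lazy session: "Require shibboleth" only makes the module process the request.
# Anonymous requests pass, so the application must check for a session itself.
<Location /app>
    AuthType shibboleth
    ShibRequestSetting requireSession false
    Require shibboleth
</Location>

# Authentication only: any user holding a valid session satisfies this rule.
# Nothing about the user is checked, so authorization must happen in the
# application behind this location.
<Location /members>
    AuthType shibboleth
    ShibRequestSetting requireSession true
    Require shib-session
</Location>

# Authorization in the web server: the session must carry a specific attribute
# value AND the IdP must have asserted a specific authentication context class.
# Literal shib-attr matches follow the caseSensitive property of the attribute
# decoder, so confirm how the attribute is decoded before relying on case.
<Location /admin>
    AuthType shibboleth
    ShibRequestSetting requireSession true
    <RequireAll>
        Require shib-attr entitlement urn:example:entitlement:admin
        Require authnContextClassRef urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    </RequireAll>
</Location>

# XML Access Control: the rule file is re-read on every request, so edits take
# effect immediately. Restrict write access to the file accordingly.
<Location /reports>
    AuthType shibboleth
    ShibRequestSetting requireSession true
    Require shib-plugin /etc/shibboleth/reports-acl.xml
</Location>
```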

...