...

  • shib-session (Shibboleth V2.5.2 and Later) (Apache 2.4 and Later OR ShibCompatWith24)
    • A rule that requires an authenticated session, but nothing else. No information of any kind about the user is required in order to satisfy this rule, and it should never be used in the absence of additional application logic to perform authorization. This is equivalent to valid-user in older releases, or when ShibCompatValidUser is Off.
  • valid-user (Deprecated)
    • Prior to V2.5.2, and when ShibCompatValidUser is Off (the default), this is equivalent to the shib-session rule above. When the new compatibility option ShibCompatValidUser is enabled, this rule is implemented compatibly with the rule implemented by Apache itself and requires a non-null REMOTE_USER value to be set for the request. This restores the ability to deploy Shibboleth along with other modules and rules. A future version of the SP may remove the "special" definition, and such rules should be changed to rely on shib-session.
  • shib-user (Shibboleth V2.5.2 and Later) (Apache 2.4 and Later OR ShibCompatWith24)
    • A rule based on the REMOTE_USER value established for the request. The remaining parameters are the values to compare against. Regular expression and negation modifiers are supported (see below).
  • user (Use of ~/! Modifiers Deprecated)
    • Prior to V2.5.2, and when ShibCompatValidUser is Off (the default), this is equivalent to the shib-user rule above. When the new compatibility option ShibCompatValidUser is enabled, this rule is implemented compatibly with the rule implemented by Apache itself and does only standard string matching against REMOTE_USER. This restores the ability to deploy Shibboleth along with other modules and rules. A future version of the SP may remove the "special" definition that supports modifiers, and such rules should be changed to rely on shib-user.

...

                         AuthzShibAuthoritative On    AuthzShibAuthoritative Off
  ShibRequireAll On      Access Denied                Decision Left to Other Modules
  ShibRequireAll Off     Ignored                      Ignored

Recommended Practices for Compatibility

The following are suggested steps to take to avoid work in the future:

  • Upgrade to V2.5.2 or later of the SP.
  • Prior to Apache 2.4, turn on ShibCompatWith24 to enable the newer versions of various rules. Make sure you have no existing rules by those names referring to custom attributes.
  • Avoid Shibboleth-style use of the valid-user and user rules, and replace them with shib-session and shib-user respectively (if needed). Of course, if all you need is the existing Apache semantics, feel free to use them. On Apache 2.4, turn on ShibCompatValidUser.
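The three steps above, written out as an Apache 2.4 httpd.conf fragment. This is an added example, not configuration taken from the Shibboleth documentation or the SP distribution; the Location paths, the example.org identities and the regular expression are placeholders chosen here, and mod_shib is assumed to be loaded already.

```apache
# Added example (not from the Shibboleth documentation): Apache 2.4
# configuration following the recommended compatibility practices.
# All paths, user names and domains below are placeholders.

# On Apache 2.4, give "valid-user" and "user" their standard Apache
# meaning (a non-null REMOTE_USER) so Shibboleth coexists with other
# auth modules and rules.
ShibCompatValidUser On

# Only relevant on Apache releases before 2.4: enables the shib-* rule
# names. Left commented out here because this fragment targets 2.4.
# ShibCompatWith24 On

# An authenticated session is all that is required; the application
# behind /app performs its own authorization on the user's attributes.
<Location /app>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session
</Location>

# Restrict access to specific identities based on REMOTE_USER, using
# shib-user instead of the deprecated ~/! forms of the "user" rule.
<Location /admin>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # Exact string comparison against REMOTE_USER (placeholder values)
    Require shib-user alice@example.org bob@example.org
</Location>

# Same rule with the regular expression modifier: any REMOTE_USER of
# the form <lowercase name>@example.org (placeholder pattern).
<Location /staff-tools>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-user ~ ^[a-z]+@example\.org$
</Location>
```

With ShibCompatValidUser On, any remaining `Require valid-user` or `Require user` line elsewhere in the configuration is evaluated by Apache's own semantics, which is exactly why the Shibboleth-specific checks are spelled shib-session and shib-user here.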

The earliest release in which deprecated options could be removed is a V3.0 release of the SP, and there are no current plans for one. However, the various combinations and issues are quite complex due to the software's age, so avoiding all of this is the best option.

Examples

Requiring students from particular domains:

    # Direct comparison
    Require affiliation student@osu.edu student@psu.edu

    # Using an expression
    Require affiliation ~ ^student@(osu|psu)\.edu$

...