...

There are a handful of global options that apply to the module's overall configuration and are usually left out in favor of the values generated at compile time. They also correspond to a number of environment variables that can be used in place of commands. They are generally needed only when the software is run out of a different directory from the build path.

ShibPrefix

Corresponds to the SHIBSP_PREFIX variable.

ShibConfig

Corresponds to the SHIBSP_CONFIG variable.

ShibCatalogs

Corresponds to the SHIBSP_SCHEMAS variable.

Server / VirtualHost Options

An option is available for use on Apache 1.3 and early versions of 2.0 that don't support scheme virtualization (running a non-SSL virtual host behind an SSL load balancer or concentrator).

ShibURLScheme

Controls the URL scheme Apache will report to modules. It should reflect the logical value seen by clients from outside your network.

Version 2.5.2 and Above

ShibCompatValidUser On|Off

Default is Off, matching the behavior prior to this command's existence. Addresses a conflict when using Shibboleth in conjunction with other auth/auth modules by restoring "standard" Apache behavior when processing the "valid-user" and "user" Require rules. See the NativeSPhtaccess topic for more detail.

AuthConfig Options

The rest of the options supported by the module are what Apache calls "AuthConfig" options. This means they are meant to appear inside Apache content-control sections like <Directory>, <Files>, or <Location>, or in .htaccess files (if the "AuthConfig" override is enabled).

...

Warning

With SP V2.4.0, in order to use the ShibAccessControl command, you MUST explicitly set ShibRequireAll On. Otherwise, the access policy you set will have no effect because whatever Require rule you use will take over anyway, usually granting access. This was fixed in 2.4.1 and later releases.

With Apache 2.4+, the ShibAccessControl command is no longer supported. Instead, use "Require shib-plugin path" as described in NativeSPhtaccess.
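A configuration check for the two conditions in this warning, as an added example (not code from the Shibboleth project). The function name, the sample configuration and its placeholder paths are assumptions made for illustration, and each section is judged only on its own directives.

```python
import re

# Content-control sections that can carry AuthConfig directives.
OPEN = re.compile(r"<\s*((?:Directory|Files|Location)(?:Match)?)\s+([^>]*)>", re.I)
CLOSE = re.compile(r"</\s*(?:Directory|Files|Location)(?:Match)?\s*>", re.I)

def audit_shib_access_control(config_text, apache_24=False):
    """Return (scope, finding) pairs for risky ShibAccessControl usage."""
    # Assumption: a section is judged on its own directives only; Apache's
    # merging of settings inherited from other sections is not modelled.
    findings = []
    scopes = [("<top level>", {})]  # stack of (name, {directive: args})

    def check(name, directives):
        if "shibaccesscontrol" not in directives:
            return
        if apache_24:
            findings.append((name, "ShibAccessControl is not supported on Apache 2.4+"))
        elif directives.get("shibrequireall", "off").lower() != "on":
            findings.append((name, "ShibAccessControl without ShibRequireAll On (needed on SP V2.4.0)"))

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            scopes.append((f"<{opened.group(1)} {opened.group(2).strip()}>", {}))
        elif CLOSE.match(line) and len(scopes) > 1:
            check(*scopes.pop())
        else:
            parts = line.split(None, 1)
            scopes[-1][1][parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    while scopes:  # top level (e.g. an .htaccess file) and any unclosed section
        check(*scopes.pop())
    return findings

# Constructed sample configuration; the paths are placeholders.
SAMPLE = """
<Location /secure>
  ShibAccessControl /path/to/acl.xml
  Require valid-user
</Location>
<Location /admin>
  ShibRequireAll On
  ShibAccessControl /path/to/admin-acl.xml
  Require valid-user
</Location>
"""
```

On the sample, only /secure is reported for SP V2.4.0; with apache_24=True both sections are reported because the command itself is unsupported there.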

Version 2.4.3 and Above

  • ShibExpireRedirects On|Off
    • Defaults to "On". Addresses issues with some browsers, notably Firefox 5+, that cause redirects generated by the SP to be cached, resulting in various errors following the login process. This usually manifests as a message replay error at the IdP, caused by the original redirect to the IdP being replayed. This option is enabled by default, but the older behavior can be restored, causing the cache-related headers on redirects to be governed by standard Apache settings.

...

  • ShibRequestMapperAuthz On|Off
    • Defaults to "On". Controls whether access control plugins attached using the <RequestMapper> in shibboleth2.xml are supported. Because this is less efficient to support in Apache 2.4, this option is provided to decrease request processing time in the event that such plugins are not in use. Disabling this does not prevent other features of the <RequestMapper> from being supported.

...

Exclude a directory from authentication

<Location /public>
  AuthType Shibboleth
  ShibRequestSetting requireSession false
  Require shibboleth
</Location>

Another common trick is to enable the module across an entire server or at least virtual host, but leave specific rules for authentication and access to commands in other places. This introduces a bit of inefficiency, but does simplify the rest of your configuration:

...