...
There are a handful of global options that apply to the module's overall configuration and are usually left out in favor of the values generated at compile time. They also correspond to a number of environment variables that can be used in place of commands. They are generally needed only when the software is run out of a different directory from the build path.
| Corresponds to SHIBSP_PREFIX variable. |
| Corresponds to SHIBSP_CONFIG variable. |
| Corresponds to SHIBSP_SCHEMAS variable. |
Server / VirtualHost Options
An option is available for use on Apache 1.3 and early versions of 2.0 that don't support scheme virtualization (running a non-SSL virtual host behind an SSL load balancer or concentrator).
| Controls the URL scheme Apache will report to modules; it should reflect the logical value seen by clients from outside your network. |
Version 2.5.2 and Above
| Default is Off, matching the behavior prior to this command's existence. Addresses a conflict when using Shibboleth in conjunction with other auth/auth modules by restoring "standard" Apache behavior when processing the "valid-user" and "user" Require rules. See the NativeSPhtaccess topic for more detail. |
AuthConfig Options
The rest of the options supported by the module are what Apache calls "AuthConfig" options. This means they are meant to appear inside Apache content-control sections like <Directory>, <Files>, or <Location>, or in .htaccess files (if the "AuthConfig" override is enabled).
...
Warning |
---|
With SP V2.4.0, in order to use the With Apache 2.4+ the |
Version 2.4.3 and Above
ShibExpireRedirects
On|Off
- Defaults to "On". Addresses issues with some browsers, notably Firefox 5+, that cause redirects generated by the SP to be cached, resulting in various errors following the login process. This usually manifests as a message replay error at the IdP, caused by the original redirect to the IdP being replayed. This option is enabled by default, but the older behavior can be restored, causing the cache-related headers on redirects to be governed by standard Apache settings.
...
ShibRequestMapperAuthz
On|Off
- Defaults to "On". Controls whether or not access control plugins attached using the <RequestMapper> in shibboleth2.xml are supported. Because this is less efficient to support in Apache 2.4, this option is provided to decrease request processing time in the event that such plugins are not in use. Disabling this does not prevent other features of the <RequestMapper> from being supported.
...
```
<Location /public>
  AuthType Shibboleth
  ShibRequestSetting requireSession false
  Require shibboleth
</Location>
```
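A review aid for the options described above, added here as an example and not part of the Shibboleth documentation or software: it scans Apache configuration text and reports sections that turn off `ShibRequestMapperAuthz` or `ShibExpireRedirects`, or that pair `requireSession false` with `Require shibboleth` as in the `/public` block. The sample configuration and the finding messages are constructed for illustration, and the scan reports each setting where it is written without modelling how Apache merges sections.

```python
import re

# Constructed sample configuration for the demonstration (not from the page).
SAMPLE_CONF = """\
ShibRequestMapperAuthz Off
<Location /public>
  AuthType shibboleth
  ShibRequestSetting requireSession false
  Require shibboleth
</Location>
<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession true
  ShibExpireRedirects Off
  Require valid-user
</Location>
"""

OPEN = re.compile(r"<(\w+)\s+([^>]*)>$")   # e.g. <Location /public>
CLOSE = re.compile(r"</\w+>$")             # e.g. </Location>

def audit(conf_text):
    """Return (scope, finding) pairs for the Shibboleth options described above."""
    scopes, stack = {"server": {}}, ["server"]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if len(stack) > 1:
                stack.pop()
            continue
        opened = OPEN.match(line)
        if opened:
            stack.append(f"{opened.group(1)} {opened.group(2).strip()}")
            scopes.setdefault(stack[-1], {})
            continue
        words = line.split()
        # Directive names are case-insensitive; store arguments lowercased.
        scopes[stack[-1]].setdefault(words[0].lower(), []).append(" ".join(words[1:]).lower())
    findings = []
    for scope, opts in scopes.items():
        if "off" in opts.get("shibrequestmapperauthz", []):
            findings.append((scope, "RequestMapper access control plugins are disabled"))
        if "off" in opts.get("shibexpireredirects", []):
            findings.append((scope, "SP redirects may be cached and replayed by browsers"))
        lazy = any(re.fullmatch(r"requiresession (false|0)", a)
                   for a in opts.get("shibrequestsetting", []))
        if "shibboleth" in opts.get("authtype", []) and lazy \
                and opts.get("require") == ["shibboleth"]:
            findings.append((scope, "no session required: reachable without login"))
    return findings
```

A finding on `ShibRequestMapperAuthz Off` matters most when shibboleth2.xml attaches access control plugins through the `<RequestMapper>`, since those rules then have no effect.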
Another common trick is to enable the module across an entire server or at least virtual host, but leave specific rules for authentication and access to commands in other places. This introduces a bit of inefficiency, but does simplify the rest of your configuration:
...