...
shib-session (Shibboleth V2.5.2 and Later) (Apache 2.4 and Later OR ShibCompatWith24)
- A rule that requires an authenticated session, but nothing else. No information of any kind about the user is required in order to satisfy this rule, and it should never be used in the absence of additional application logic to perform authorization. This is equivalent to valid-user in older releases, or when ShibCompatValidUser is Off.

valid-user (Deprecated)
- Prior to V2.5.2, and when ShibCompatValidUser is Off (the default), this is equivalent to the shib-session rule above. When the new compatibility option ShibCompatValidUser is enabled, this rule is implemented compatibly with the rule implemented by Apache itself and requires that a non-null REMOTE_USER value be set for the request. This restores the ability to deploy Shibboleth along with other modules and rules. A future version of the SP may remove the "special" definition, and such rules should be changed to rely on shib-session.

shib-user (Shibboleth V2.5.2 and Later) (Apache 2.4 and Later OR ShibCompatWith24)
- A rule based on the REMOTE_USER value established for the request. The remaining parameters are the values to compare against. Regular expression and negation modifiers are supported (see below).

user (Use of ~/! Modifiers Deprecated)
- Prior to V2.5.2, and when ShibCompatValidUser is Off (the default), this is equivalent to the shib-user rule above. When the new compatibility option ShibCompatValidUser is enabled, this rule is implemented compatibly with the rule implemented by Apache itself and does only standard string matching against REMOTE_USER. This restores the ability to deploy Shibboleth along with other modules and rules. A future version of the SP may remove the "special" definition that supports modifiers, and such rules should be changed to rely on shib-user.
...
|
|
|
---|---|---|
| Access Denied | Decision Left to Other Modules |
| Ignored | Ignored |
Recommended Practices for Compatibility
The following are suggested steps to take to avoid work in the future:
- Upgrade to V2.5.2 or later of the SP.
- Prior to Apache 2.4, turn on ShibCompatWith24 to enable the newer versions of various rules. Make sure you have no existing rules by those names referring to custom attributes.
- Avoid Shibboleth-style use of the valid-user and user rules, and replace them with shib-session and shib-user respectively (if needed). Of course, if all you need is the existing Apache semantics, feel free to use them. On Apache 2.4, turn on ShibCompatValidUser.

The soonest that deprecated options would be removed is a V3.0 release of the SP, and there are no current plans for that. However, the various combinations and issues are quite complex due to the software's age, so avoiding all this is the best option.
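The migration above, written out as an httpd configuration. This is an added example, not configuration from the Shibboleth documentation; the /secure and /app paths and the osu.edu domain are assumptions, and only the directives already named on this page plus the SP's standard AuthType and ShibRequestSetting directives are used.

```apache
# Added example (not from the Shibboleth documentation). Paths and the
# domain in the regular expression are assumed values.

# Server-wide compatibility switches, as recommended above.
ShibCompatWith24 On      # pre-2.4 httpd only: enables shib-session / shib-user
ShibCompatValidUser On   # valid-user / user revert to standard Apache meaning

# Legacy form (deprecated): Shibboleth-specific regex semantics on "user".
# Once ShibCompatValidUser is On, the ~ modifier here is no longer honoured,
# so this rule must be rewritten as below.
#<Location /secure>
#  AuthType shibboleth
#  ShibRequestSetting requireSession 1
#  Require user ~ ^.+@osu\.edu$
#</Location>

# Current form: same intent using the V2.5.2+ rule name, which keeps the
# ~ (regex) and ! (negation) modifiers regardless of the compatibility flags.
<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require shib-user ~ ^.+@osu\.edu$
</Location>

# Session-only rule: any authenticated session is accepted. Nothing about the
# user is checked, so the application behind /app must do its own
# authorization (for example on REMOTE_USER or a released attribute).
<Location /app>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require shib-session
</Location>
```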
Examples
```apache
# Direct comparison
Require affiliation student@osu.edu student@psu.edu

# Using an expression
Require affiliation ~ ^student@(osu|psu)\.edu$
```
...