Libraries and kiosks at institutions often need to provide some degree of access to resources to anyone who is using that machine. To enable this with Shibboleth, this means some identity and attributes need to be associated with the user based solely on the user's presence at that computer. The mod_auth_location Apache module, developed by Jim Fox at the University of Washington, provides authentication where users accessing resources from a configured IP range(s) will not be prompted to login while users outside of the IP range(s) will be.
The authentication is performed on a providerId basis, allowing users within that IP address range to access some materials as the kiosk user and optionally access other services as themselves. Please beware that many applications are known to use implicit authorization (authorizing a user just because they're authenticated). Any such applications behind the providerId will be accessible to the guest user. Properly performing authorization checks will address this issue.
1. Build and install mod_auth_location:

   configure --with-apxs=/path/to/apxs
   make
   make install

2. Add

   LoadModule auth_location_module modules/mod_auth_location.so

   to your httpd.conf file.

3. In the httpd.conf <Location> block protecting your IdP SSO endpoint, add the following directives:

   AuthLocationDefineLocation LOCATION IP_LIST
   AuthLocationDefineApplication APPLICATION SP_MATCH QS
   SP_MATCH takes the form 'key=value' and is matched against the HTTP request's query string, where key is the literal string 'providerId' and value is the providerId of the SP for which IP-based authentication should be used. Example: 'providerId=https://idp.example.org'. QS tells mod_auth_location to check the query string for this information, and should always be used for Shibboleth purposes.

   AuthLocationRequireAnonymous APPLICATION LOCATION GUEST_USER
   APPLICATION is the application defined with the AuthLocationDefineApplication directive, and LOCATION is the location defined with the AuthLocationDefineLocation directive.

Additional documentation on the mod_auth_location directives may be found on Jim Fox's documentation page.
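As an added illustration (not the module's own code), the following Python model expresses the decision the three directives make together: the guest identity is used only when the request both originates from a defined location and carries the matching providerId in its query string; any other combination falls through to a normal login. The closing authorize() shows the explicit authorization check that the implicit-authorization caveat above calls for. The IP range, SP providerId, and the names kiosks, library and guest are constructed values.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed policy standing in for these httpd.conf directives:
#   AuthLocationDefineLocation   kiosks  192.0.2.0/24
#   AuthLocationDefineApplication library providerId=https://sp.example.org/shibboleth QS
#   AuthLocationRequireAnonymous  library kiosks guest
LOCATIONS = {"kiosks": [ipaddress.ip_network("192.0.2.0/24")]}
APPLICATIONS = {"library": ("providerId", "https://sp.example.org/shibboleth")}
ANONYMOUS_RULES = [("library", "kiosks", "guest")]


def in_location(client_ip, location):
    """True if the client address falls inside any range of the named location."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LOCATIONS[location])


def matches_application(url, application):
    """True if the SSO request's query string carries the application's key=value."""
    key, value = APPLICATIONS[application]
    query = parse_qs(urlsplit(url).query)
    return value in query.get(key, [])


def resolve_user(client_ip, url):
    """Return the guest user name when an anonymous rule applies, else None.

    None means the IdP must prompt the user to log in: either the client is
    outside every defined location or the request is for a providerId that
    has no anonymous rule (the providerId-by-providerId behaviour described above).
    """
    for application, location, guest in ANONYMOUS_RULES:
        if matches_application(url, application) and in_location(client_ip, location):
            return guest
    return None


def authorize(user, resource_acl):
    """Explicit authorization: being authenticated, even as the guest user, is not enough."""
    return user is not None and user in resource_acl
```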