Apache-based IP User Authentication for the IdP

Libraries and kiosks at institutions often need to provide some degree of access to resources to anyone who is using that machine. To enable this with Shibboleth, this means some identity and attributes need to be associated with the user based solely on the user's presence at that computer. The mod_auth_location Apache module, developed by Jim Fox at the University of Washington, provides authentication where users accessing resources from a configured IP range(s) will not be prompted to login while users outside of the IP range(s) will be.

The authentication is performed on a providerId basis, allowing users within that IP address range to access some materials as the kiosk user and optionally access other services as themselves. Please beware that many applications are known to use implicit authorization (authorizing a user just because they're authenticated). Any such applications behind the providerId will be accessible to the guest user. Properly performing authorization checks will address this issue.

1. Ensure you have a working IdP connected to your normal authentication system.
2. Compile and install mod_auth_location :
   • Download the mod_auth_location source
   • Extract the file contents into a directory
   • cd to the directory
   • Run configure --with-apxs=/path/to/apxs
   • Run make
   • Run make install
   • Load the module when Apache starts by adding LoadModule auth_location_module modules/mod_auth_location.so to your httpd.conf file.
3. Within the httpd.conf <Location> block protecting your IdP SSO endpoint, add the following directives:
   • AuthLocationDefineLocation LOCATION IP_LIST
     • LOCATION is a name given to the IP ranged defined.
     • IP_LIST is a wildcarded IP address range in which users will be considered authenticated (e.g. 128.99.135.1-99, 128.99.135.*)
   • AuthLocationDefineApplication APPLICATION SP_MATCH QS
     • APPLICATION is a name given to the application being protected
     • SP_MATCH should match the pattern 'key=value' in the HTTP request's query string, where key is the literal string 'providerId' and value is the providerId of the SP for which IP-based authentication should be used. Example: 'providerId=https://idp.example.org'
     • QS directs mod_auth_location to check the query string for this information, and should always be used for Shibboleth purposes.
   • AuthLocationRequireAnonymous APPLICATION LOCATION GUEST_USER
     • APPLICATION corresponds to the application defined in the AuthLocationDefineApplication directive
     • LOCATION corresponds to the location defined in the AuthLocationDefineLocation directive
     • GUEST_USER corresponds to the user ID that will be used when IP based authentication is used. This must correspond to a user ID present in the IdP's attribute sources.
4. Configure the IdP to release the attributes appropriate for this service/user combination.
5. Restart Apache.

Additional documentation on the mod_auth_location directives may be found on Jim Fox's documentation page.