The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.
IPIdPAuthN
Apache-based IP User Authentication for the IdP
Libraries and kiosks at institutions often need to provide some degree of access to resources to anyone who is using a given machine. To enable this with Shibboleth, some identity and attributes need to be associated with the user based solely on the user's presence at that computer. The mod_auth_location Apache module, developed by Jim Fox at the University of Washington, provides authentication in which users accessing resources from a configured IP range (or ranges) are not prompted to log in, while users outside of those ranges are.

The authentication is performed on a providerId basis, allowing users within that IP address range to access some materials as the kiosk user and optionally to access other services as themselves. Please beware that many applications are known to use implicit authorization (authorizing a user simply because they are authenticated). Any such application behind the providerId will be accessible to the guest user. Properly performing authorization checks will address this issue.
- Ensure you have a working IdP connected to your normal authentication system.
- Compile and install mod_auth_location:
  - Download the mod_auth_location source.
  - Extract the file contents into a directory.
  - cd to the directory.
  - Run configure --with-apxs=/path/to/apxs
  - Run make
  - Run make install
- Load the module when Apache starts by adding LoadModule auth_location_module modules/mod_auth_location.so to your httpd.conf file.
- Within the httpd.conf <Location> block protecting your IdP SSO endpoint, add the following directives:
  - AuthLocationDefineLocation LOCATION IP_LIST
    - LOCATION is a name given to the IP range being defined.
    - IP_LIST is a wildcarded IP address range within which users will be considered authenticated (e.g. 128.99.135.1-99, 128.99.135.*).
  - AuthLocationDefineApplication APPLICATION SP_MATCH QS
    - APPLICATION is a name given to the application being protected.
    - SP_MATCH should match the pattern 'key=value' in the HTTP request's query string, where key is the literal string 'providerId' and value is the providerId of the SP for which IP-based authentication should be used. Example: 'providerId=https://idp.example.org'
    - QS directs mod_auth_location to check the query string for this information, and should always be used for Shibboleth purposes.
  - AuthLocationRequireAnonymous APPLICATION LOCATION GUEST_USER
    - APPLICATION corresponds to the application defined in the AuthLocationDefineApplication directive.
    - LOCATION corresponds to the location defined in the AuthLocationDefineLocation directive.
    - GUEST_USER corresponds to the user ID that will be used when IP-based authentication is used. This must correspond to a user ID present in the IdP's attribute sources.
- Configure the IdP to release the attributes appropriate for this service/user combination.
- Restart Apache.
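The steps above, assembled into one httpd.conf fragment as an added example (this is not configuration from the original page or from the mod_auth_location project). The SSO endpoint path, the location and application names, the IP range, the SP's providerId and the guest user ID are all assumed placeholder values; the existing directives that authenticate normal users are represented by a comment because they depend on the institution's own authentication setup.

```apache
# Added example, not part of the original page; all names and values below are
# placeholders chosen for illustration.

# Load mod_auth_location at startup.
LoadModule auth_location_module modules/mod_auth_location.so

# Assumed path of the IdP SSO endpoint that this <Location> block already protects.
<Location /shibboleth-idp/SSO>
    # The directives that authenticate ordinary users against the institution's
    # normal authentication system stay here unchanged (not shown).

    # LOCATION: name the kiosk network. IP_LIST is a wildcarded range, here
    # 128.99.135.1 through 128.99.135.99 (placeholder range).
    AuthLocationDefineLocation library_kiosks 128.99.135.1-99

    # APPLICATION: name the SP that gets IP-based authentication. SP_MATCH is the
    # literal 'providerId=<SP providerId>' looked up in the query string (QS).
    AuthLocationDefineApplication ejournals providerId=https://sp.example.org/shibboleth QS

    # Requests for that SP arriving from the kiosk network are authenticated as the
    # guest user 'libguest' without a login prompt; all other requests are not
    # matched and fall through to the normal authentication above.
    AuthLocationRequireAnonymous ejournals library_kiosks libguest
</Location>
```

Two things to check before relying on this: the guest user ID (libguest here) must exist in the IdP's attribute sources so that attributes can be resolved and released for it, and, per the caveat in the introduction, the SP identified by the providerId should make its authorization decisions on the attributes released for the guest user rather than on the mere fact of authentication, since any implicitly authorized application behind that providerId becomes reachable from the kiosk range.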
Additional documentation on the mod_auth_location directives may be found on Jim Fox's documentation page.