Versions Compared

Old Version 16

changes.mady.by.user Hong Ye

Saved on

compared with

New Version 17

changes.mady.by.user Hong Ye

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Expand
titleUpdate Access Control shib.conf

Open /etc/httpd/conf.d/shib.conf in a text editor. If you are Not using default Apache installation, make sure this file is included in your Apache config. All the authorization rules should be defined in this file.

Code Block
titleRequire authentication for entire site
<Location />
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user
</Location>
Code Block
titleExample: Authorization by group/permit
<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require shib-attr groups myGroup1 myGroup2
</Location>
Code Block
titleRequire TwoFactor for everyone
<Location /superSecret>
  AuthType shibboleth
  ShibRequestSetting authnContextClassRef http://cornell.edu/mfa
  ShibRequestSetting requireSession 1
  Require shib-attr groups mySecureGroup
</Location>
Code Block
titleAuthorization by affiliation
<Location /studentOnly>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require shib-attr eduPersonPrimaryAffiliation student
</Location>

<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require shib-attr eduPersonAffiliations staff
</Location>

eduPersonAffiliations is multi-values attribute. For example, user can be staff and alum. All the possible value of affiliations can be found at https://confluence.cornell.edu/display/IDM/edupersonprimaryaffiliation+and+edupersonaffiliation+details

 

 

Register Service Provider with Cornell IDP

...