...

Update Access Control shib.conf

Open /etc/httpd/conf.d/shib.conf in a text editor. If you are not using the default Apache installation, make sure this file is included in your Apache configuration. All authorization rules should be defined in this file; a rule that lives in a file Apache never reads protects nothing.

Require authentication for entire site:
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user

Authorization by affiliation:
<Location /studentOnly>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require shib-attr eduPersonPrimaryAffiliation student
</Location>

<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require shib-attr eduPersonAffiliations staff
</Location>

Note: eduPersonPrimaryAffiliation is a single-valued attribute, while eduPersonAffiliations is multi-valued. A Require shib-attr rule succeeds when any exported value of the attribute matches any value listed on the line.
For example, a staff member who is also taking courses at Cornell has staff as the value of eduPersonPrimaryAffiliation and both staff and student as values of eduPersonAffiliations, so that person is denied at /studentOnly above but allowed at /secure. The attribute name used in a Require shib-attr rule must match the id the SP assigns in attribute-map.xml.
All possible affiliation values can be found at https://confluence.cornell.edu/display/IDM/edupersonprimaryaffiliation+and+edupersonaffiliation+details

Authorization by group/permit (access is granted if the user is in any of the listed groups):
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr groups myGroup1 myGroup2

Authorization by NetID (access is granted to any of the listed NetIDs):
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr uid hjy789 jpq2020

Require two-factor authentication for everyone:
ShibRequestSetting authnContextClassRef asks the IdP to authenticate with the REFEDS MFA profile; it does not by itself refuse sessions that lack it. Only the Require authnContextClassRef rule checks what the IdP actually asserted, so both lines are needed, and the group rule and the MFA rule must be ANDed together.

Apache 2.4
AuthType shibboleth
ShibRequestSetting authnContextClassRef https://refeds.org/profile/mfa
ShibRequestSetting requireSession 1
<RequireAll>
    Require shib-attr groups mySecureGroupsession
    Require authnContextClassRef "https://refeds.org/profile/mfa"
</RequireAll>

Apache 2.2
Apache 2.2 does not support the <RequireAll> block and interprets multiple Require directives with an implicit OR, so stacking the two rules above on 2.2 would admit anyone who satisfies either one (for example, a member of the group who signed in without MFA).
Shibboleth SP instead provides equivalent functionality through the ShibRequireAll directive. Note: ShibRequireAll is NOT compatible with Apache 2.4.
AuthType shibboleth
ShibRequestSetting authnContextClassRef https://refeds.org/profile/mfa
ShibRequestSetting requireSession 1
ShibRequireAll on
ShibCompatWith24 on
Require shib-attr groups mySecureGroupsession
Require authnContextClassRef "https://refeds.org/profile/mfa"
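
The rules above are easy to get subtly wrong (a single-valued versus multi-valued attribute, or an OR where an AND was intended). The following script is an added example, not Shibboleth or Cornell code: it models the documented semantics of mod_shib's Require rules so a rule set can be checked against sample users before shib.conf is edited. It assumes attribute values arrive as mod_shib exports them (one string per attribute, multiple values joined with ";"); the policy labels and the sample user are the script's own, and the group and NetID names are the placeholders from the snippets above.

```python
"""Model of how mod_shib evaluates the Require rules shown in shib.conf above.

Added example, not Shibboleth code. It reproduces the documented semantics:
  * Require shib-attr A v1 v2 ... matches if ANY exported value of A is listed
  * a multi-valued attribute (eduPersonAffiliations) matches on any one value
  * <RequireAll> (Apache 2.4) / ShibRequireAll on (Apache 2.2) ANDs its rules
  * plain stacked Require lines on Apache 2.2 are ORed, which is the trap
"""
from collections import namedtuple

# One authenticated SP session: the exported attributes plus the
# AuthnContextClassRef the IdP asserted. Sample data below is constructed.
Session = namedtuple("Session", ["attributes", "authn_context"])

# Assumption: values are exported the way mod_shib does it, ';'-joined.
def exported_values(session, attr):
    """Split an exported attribute string into its individual values."""
    return [v for v in session.attributes.get(attr, "").split(";") if v]

def shib_attr(attr, *allowed):
    """Require shib-attr <attr> <value>...: true if any exported value is allowed."""
    return lambda s: any(v in allowed for v in exported_values(s, attr))

def authn_context_class_ref(ref):
    """Require authnContextClassRef "<ref>": true only if the IdP asserted it."""
    return lambda s: s.authn_context == ref

def require_all(*rules):
    """<RequireAll> on Apache 2.4, or ShibRequireAll on for Apache 2.2."""
    return lambda s: all(rule(s) for rule in rules)

def require_any(*rules):
    """Several bare Require lines on Apache 2.2: implicit OR."""
    return lambda s: any(rule(s) for rule in rules)

MFA = "https://refeds.org/profile/mfa"

# The page's rules, expressed with the helpers above (labels are this script's).
POLICIES = {
    "/studentOnly": shib_attr("eduPersonPrimaryAffiliation", "student"),
    "/secure": shib_attr("eduPersonAffiliations", "staff"),
    "groups": shib_attr("groups", "myGroup1", "myGroup2"),
    "netid": shib_attr("uid", "hjy789", "jpq2020"),
    # Intended 2FA policy: group membership AND the MFA context.
    "2fa": require_all(shib_attr("groups", "mySecureGroupsession"),
                       authn_context_class_ref(MFA)),
    # What Apache 2.2 does with two stacked Require lines and no ShibRequireAll.
    "2fa-broken-22": require_any(shib_attr("groups", "mySecureGroupsession"),
                                 authn_context_class_ref(MFA)),
}

def evaluate(session):
    """Return {policy label: allowed?} for one session."""
    return {name: rule(session) for name, rule in POLICIES.items()}

# Constructed sample: a staff member who also takes courses, signed in
# with a password only (no MFA context asserted by the IdP).
STAFF_STUDENT = Session(
    attributes={
        "eduPersonPrimaryAffiliation": "staff",
        "eduPersonAffiliations": "staff;student",
        "groups": "myGroup2;mySecureGroupsession",
        "uid": "hjy789",
    },
    authn_context="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
)

if __name__ == "__main__":
    for label, allowed in evaluate(STAFF_STUDENT).items():
        print(f"{label:15} {'allow' if allowed else 'deny'}")
```

Running it shows the staff-student denied at /studentOnly (primary affiliation is staff) but allowed at /secure (eduPersonAffiliations contains staff), denied by the intended 2FA policy, and admitted by the Apache 2.2 implicit-OR version, which is exactly why ShibRequireAll on is required there.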

...