Securing Locations with Apache and mod_shib

Last modified by Jukka Karvonen on 2025/01/29 10:22

Configuring Apache

Read more at: https://wiki.shibboleth.net/confluence/display/SP3/Apache

When using Apache, Shibboleth user and session information is made available to the application in environment variables. There is also the ShibUseHeaders option, which exports the same data as HTTP request headers, but request headers can also be supplied by the client, so a misconfiguration or a proxy hop that does not strip them opens the application to spoofed identities. It should not be used.

The Shibboleth variables are exported regardless of TLS settings. If the service additionally needs the SSL_* variables from mod_ssl (protocol, cipher, client certificate details), the Apache configuration must have "SSLOptions +StdEnvVars"; mod_ssl does not export them by default for performance reasons.

ProxyPass

If Apache is used only as a front server that proxies connections to a Node.js or similar backend process, the environment variables are not visible to the backend and attributes can only be passed on as request headers. Instead of enabling ShibUseHeaders, forward each needed attribute as its own header. Make sure the backend accepts connections only from Apache (for example by listening on localhost only): anything that can reach the backend directly can send any header it likes.

# Remove any copy of the header the browser may have sent, so a client cannot
# inject an identity when no attribute is available.
RequestHeader unset <attribute>
# Write a new header from the environment variable of the same name, but only
# if mod_shib actually set that variable for this request (env=<attribute>).
RequestHeader set <attribute> %{<attribute>}e env=<attribute>
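A complete front-server configuration built from the pattern above, as an added example that is not part of the original page or of the Shibboleth project's documentation. The attribute ids eppn, mail and affiliation are assumed to be mapped in the SP's attribute-map.xml, the X-Shib-* header names and the backend address 127.0.0.1:3000 are assumptions, and the /app path is a placeholder.

```apache
# Added example (not from the original page). Apache terminates the browser
# connection, runs mod_shib, and proxies /app to a Node.js process that must
# listen on 127.0.0.1 only, so the only way to reach it is through this block.
<Location /app>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require valid-user

  # Assumed attribute ids (eppn, mail, affiliation) and header names (X-Shib-*).
  # For each attribute: drop whatever the client sent under that header name,
  # then set it from the environment variable mod_shib exported, and only when
  # that variable exists (env=NAME), so an absent attribute yields no header.
  RequestHeader unset X-Shib-Eppn
  RequestHeader set   X-Shib-Eppn "%{eppn}e" env=eppn

  RequestHeader unset X-Shib-Mail
  RequestHeader set   X-Shib-Mail "%{mail}e" env=mail

  RequestHeader unset X-Shib-Affiliation
  RequestHeader set   X-Shib-Affiliation "%{affiliation}e" env=affiliation

  # Forward to the backend; ProxyPassReverse rewrites Location headers in
  # redirects coming back from it. Port 3000 is an assumption.
  ProxyPass        http://127.0.0.1:3000/
  ProxyPassReverse http://127.0.0.1:3000/
</Location>
```

The backend should treat the X-Shib-* headers as authoritative only because it is unreachable except via Apache; if it is ever exposed on another interface, the unset/set pair no longer protects it. Multi-valued attributes arrive in one header with values separated by ";" as mod_shib exports them, so the backend should split on that separator rather than assume a single value.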

Example rules to limit access

The same directives can be used in httpd.conf <Location> blocks and in .htaccess files to limit user access. More detailed examples can be found at https://wiki.shibboleth.net/confluence/display/SP3/htaccess

Allow only logged-in users

<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require valid-user
</Location>

Do not require a logged-in user, but release attributes if the user is logged in

<Location /public>
  AuthType shibboleth
  ShibRequestSetting requireSession false
  Require shibboleth
</Location>

Remove login requirement from API

API endpoints called from the front end (fetch or XMLHttpRequest) should not require a logged-in user: if no session exists, mod_shib answers with a redirect to the Shibboleth IdP login page, which an AJAX call cannot complete. Either use the previous example (lazy session with "Require shibboleth") so that attributes are released to the API whenever a session exists, or remove the login requirement from the API entirely and authenticate API calls with separate access tokens. Note that Order, Allow and Satisfy are Apache 2.2 directives; on Apache 2.4 they only work when mod_access_compat is loaded.

<Location /api>
  Order Allow,Deny
  Allow from all
  Satisfy any
</Location>

Admin page requiring a specific client address in addition to a logged-in user

<Location /admin>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require valid-user
  Order Allow,Deny
  Allow from admin.helsinki.fi
  Satisfy all
</Location>

Only allow employees

Assumes that the eduPersonAffiliation attribute is released to the service and mapped with the id "affiliation" in attribute-map.xml.

<Location /admin>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require shib-attr affiliation employee
</Location>
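The API, admin and employee rules above written in Apache 2.4 authorization syntax, as an added example that is not part of the original page. It avoids the 2.2-era Order/Allow/Satisfy directives (which need mod_access_compat on 2.4) and combines the address check with the attribute check in one <RequireAll> block. The network 192.0.2.0/24 is an assumption standing in for the admin hosts, and "affiliation" is assumed to be the attribute id from attribute-map.xml as in the example above.

```apache
# Added example (not from the original page): Apache 2.4 equivalents of the
# access rules on this page.

# API: no session requirement, so fetch/XHR calls are never redirected to
# the IdP. With only "Require all granted" and no user-based requirement,
# httpd 2.4 grants access before authentication runs, so mod_shib is not
# consulted at all; requireSession 0 makes the intent explicit even if a
# parent block enables it.
<Location /api>
  ShibRequestSetting requireSession 0
  Require all granted
</Location>

# Admin: a valid Shibboleth session, an employee affiliation AND a client
# address in the assumed admin network are all required. <RequireAll> is the
# 2.4 replacement for "Satisfy all"; "Require ip" replaces "Allow from".
<Location /admin>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  <RequireAll>
    Require shib-attr affiliation employee
    Require ip 192.0.2.0/24
  </RequireAll>
</Location>
```

If the admin hosts must be matched by name, "Require host admin.helsinki.fi" can replace the "Require ip" line, but like "Allow from hostname" it makes Apache perform a reverse DNS lookup (and a forward lookup to confirm it) on every request, so an address-based rule is both faster and less dependent on DNS.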