Using Shibboleth
If you are hosting your website on servers www2/wbdptwb, web/ireswb, or apps, you have the option of using Shibboleth to protect your pages. (people.ku.edu does NOT support Shibboleth.) This will require a user to authenticate with their KU Online ID and password before viewing the page. The catch is users outside of KU will have no way to access your content.
You can restrict access even further, down to specific users, specific department(s) and many, many other criteria. A complete list of attributes available via Shibboleth is available on the kuPerson spec sheet, and a list of how those attributes are accessed can be viewed here: Shibboleth Attribute Mapping. If you want to restrict access to anything beyond all KU users, complete the Shibboleth Attribute Request Form for the attributes you need, or email webservices@ku.edu with questions.
More info, including "What is Shibboleth?", can be found at About Shibboleth.
Support can be found in the KU Web Developers - Shibboleth thread.
Topics:
- Protecting a Directory and Everything Within
- Protecting Specific Files
- Restrict Access to Specific Users
- Restrict Access by Affiliation
- Overriding Shibboleth Protection in Sub-directories
- Protecting Using Multiple Criteria
Protecting a Directory and All Directories and Files In It
Protecting your pages via Shibboleth is as easy as dropping a file named .htaccess in the directory you wish to protect. Users will then be prompted to authenticate before accessing the content.
To protect all pages within a directory and all files/directories within it, place this code in a file named .htaccess:
    AuthType Shibboleth
    ShibRequireSession On
    require valid-user
    ShibRedirectToSSL 443
Protecting Specific Files
If you only need to protect a single file, place this code in .htaccess and replace myfile.shtml with the filename you wish to protect:
    <Files myfile.shtml>
    AuthType Shibboleth
    ShibRequireSession On
    require valid-user
    ShibRedirectToSSL 443
    </Files>
You may utilize Apache directives to determine which files/directories to protect.
To protect multiple files, duplicate the single-file protection and change the filename. For example, duplicate the above code and change myfile.shtml to myfile2.shtml in the copy.
Restrict Access to Specific Users
If you need to explicitly define a list of users who need to access pages, you may use the following code in an .htaccess file. You may add as many users as you want with a space between each user:
    AuthType Shibboleth
    ShibRequireSession On
    require user joesmith@ku.edu billybob@ku.edu
    ShibRedirectToSSL 443
The above code would restrict access to 'joesmith@ku.edu' or 'billybob@ku.edu'. All other users will be denied access.
Note: Restricting access to specific users using the above code will only work if Shibboleth has not been configured to return custom attributes for that account. You may need to request the attribute that corresponds to the .htaccess attribute `user` in the attribute list.
Restrict Access by Affiliation
To restrict access of a directory to a specific group of users, such as faculty or staff, use the following code in an .htaccess file. You may add as many groups as you want with a space between each group. The user is only required to meet one of the criteria to view the page:
    AuthType Shibboleth
    ShibRequireSession On
    require affiliation staff@ku.edu faculty@ku.edu
    ShibRedirectToSSL 443
The above code would restrict access to faculty or staff. All other users will be denied access.
Overriding Shibboleth Protection in Sub-directories
You can override the AuthConfig directive by using the following code in an .htaccess file in the directory from which you wish to remove protection. This will disable Shibboleth for that directory and all directories below it:
Satisfy Any
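An added example (not part of the original page or any KU tooling): because a Satisfy Any override also applies to every directory below it, a short Python audit can list which directories still inherit Shibboleth protection. It is a simplified model that reads only directory-level require and Satisfy lines and skips <Files> blocks; the function name audit, the statuses and the sample tree are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: directory -> text of its .htaccess ("" means no file).
SAMPLE_TREE = {
    "/site": "",
    "/site/grades": ("AuthType Shibboleth\nShibRequireSession On\n"
                     "require affiliation faculty@ku.edu\nShibRedirectToSSL 443\n"),
    "/site/grades/2023": "",
    "/site/grades/syllabus": "Satisfy Any\n",
    "/site/grades/syllabus/drafts": "",
    "/site/news": ("<Files myfile.shtml>\nAuthType Shibboleth\n"
                   "ShibRequireSession On\nrequire valid-user\n</Files>\n"),
}

FILES_BLOCK = re.compile(r"<Files\b.*?</Files>", re.I | re.S)

def directives(text):
    """Directory-level directives as lowercase token lists (no <Files>, no comments)."""
    lines = (x.strip().lower() for x in FILES_BLOCK.sub("", text).splitlines())
    return [l.split() for l in lines if l and not l.startswith("#")]

def audit(tree):
    """Return {directory: status}, applying each .htaccess from the root down."""
    report = {}
    for path in sorted(tree):
        # Ancestors first, then the directory itself, so nearer files win.
        chain = [str(a) for a in reversed(PurePosixPath(path).parents)] + [path]
        requires, override_at = False, None
        for d in chain:
            for tok in directives(tree.get(d, "")):
                if tok[0] == "require":
                    requires = True
                elif tok[:2] == ["satisfy", "any"]:
                    override_at = d      # protection switched off from here down
                elif tok[:2] == ["satisfy", "all"]:
                    override_at = None   # a deeper file restored enforcement
        if not requires:
            report[path] = "unprotected"
        elif override_at:
            report[path] = f"override: {override_at}"
        else:
            report[path] = "protected"
    return report

if __name__ == "__main__":
    for directory, status in audit(SAMPLE_TREE).items():
        print(f"{directory:32} {status}")
```

Directories reported as "override" that contain no .htaccess of their own are the ones most likely to have been opened unintentionally.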
Protecting Using Multiple Criteria
Sometimes you may need to authenticate against multiple criteria, such as Faculty within a certain Department. Add the line ShibRequireAll On to require all listed criteria. The code below requires the user to be both a member of Department 1542000 and Faculty.
    AuthType Shibboleth
    ShibRequireSession On
    ShibRequireAll On
    require affiliation faculty@ku.edu
    require deptNum 1542000
    ShibRedirectToSSL 443



