Protecting web pages with SSO
Aim: This article describes how to restrict access to a web page.
Target audience: Anyone who creates a web page on a Nikhef system that should not be publicly accessible.
Introduction
Web pages that contain confidential or privacy-sensitive content must be protected, and must be accessible only to those who need the information. The most convenient way of restricting access, e.g. to Nikhef internal users only, is to use Nikhef's single-sign-on (SSO) system on your own pages. When you enable SSO on your web pages, Nikhef users can log in with their usual username and password, without you as the page owner having to manage any credentials.
Instructions
Enabling SSO on your web directory
SSO can be enabled through the ".htaccess" mechanism: add a file called .htaccess to the directory you need to protect. It applies to that directory and all directories below it. So if you put it in $HOME/public_html/private/.htaccess, it protects https://www.nikhef.nl/~youruid/private/ (youruid being your login name) and everything below that.
Add the following to this .htaccess file to grant access to Nikhef users:
AuthType shibboleth
ShibCompatWith24 On
ShibRedirectToSSL 443
ShibRequestSetting requireSession 1
Require shib-attr Shib-affiliation member
To grant access only to specific users, in this case only davidg and a03:
AuthType shibboleth
ShibCompatWith24 On
ShibRedirectToSSL 443
ShibRequestSetting requireSession 1
Require shib-user davidg@nikhef.nl a03@nikhef.nl
The Require directive can be chosen according to need, as long as at least one Require shib-xxxxxx line is present. Test your setup by making a deliberate change that should deny you access, and check that it does. Some examples (use one line at a time unless you know what you're doing: Apache combines several bare Require lines so that a match on any one of them grants access). The text after # on each line is explanation only; Apache does not accept a comment on the same line as a directive, so leave it out of the file.
Require shib-attr Shib-orgUnitDN "cn=ATLAS,ou=OrganicUnits,dc=farmnet,dc=nikhef,dc=nl" # any user in the ATLAS group is allowed in
Require shib-attr Shib-affiliation employee # employees are allowed in
Require shib-attr Shib-entitlement urn:mace:dir:entitlement:common-lib-terms # anyone that could access a journal to which Nikhef subscribes is in
Require shib-attr Shib-commonName "David Groep" # anyone named "David Groep" is allowed in
Require authnContextClassRef https://refeds.org/profile/mfa
to require strong authentication makes no sense).
Links
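To see why the "one line at a time" advice matters, the following added example (not Nikhef's or Shibboleth's code) models how Apache 2.4 combines the Require lines from this page: bare Require lines at one level are satisfied when any one of them matches, while lines inside a RequireAll container must all match. It covers only the Require types used above (shib-user, shib-attr, authnContextClassRef); the session dictionaries are constructed test data, not output of a real Shibboleth SP, and a file without any Require line is reported as a configuration error.

```python
"""Model of how Apache 2.4 combines Shibboleth Require lines in a .htaccess.

Added example, not Nikhef's or Shibboleth's code.  Supports only the Require
types shown on the page (shib-user, shib-attr, authnContextClassRef) plus the
<RequireAll>/<RequireAny> containers.  All sessions below are constructed.
"""
import shlex

# Session attributes as the SP would expose them, modelled as
# attribute name -> list of values.  REMOTE_USER carries the shib-user identity;
# Shib-AuthnContext-Class is the name this model uses for the authentication
# context (an assumption of the model, not a page-confirmed variable name).
MEMBER_WITH_MFA = {
    "REMOTE_USER": ["davidg@nikhef.nl"],
    "Shib-affiliation": ["member", "employee"],
    "Shib-commonName": ["David Groep"],
    "Shib-AuthnContext-Class": ["https://refeds.org/profile/mfa"],
}
STAFF_NO_MFA = {
    "REMOTE_USER": ["a03@nikhef.nl"],
    "Shib-affiliation": ["member", "employee"],
    "Shib-commonName": ["A. N. Other"],
    "Shib-AuthnContext-Class": ["urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"],
}
GUEST_NO_MFA = {
    "REMOTE_USER": ["guest42@nikhef.nl"],
    "Shib-affiliation": ["affiliate"],
    "Shib-commonName": ["Guest User"],
    "Shib-AuthnContext-Class": ["urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"],
}

MEMBERS_ONLY = """\
AuthType shibboleth
ShibCompatWith24 On
ShibRedirectToSSL 443
ShibRequestSetting requireSession 1
Require shib-attr Shib-affiliation member
"""
NAMED_USERS = """\
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-user davidg@nikhef.nl a03@nikhef.nl
"""
# Two bare Require lines: either one matching admits the user.
TWO_BARE_LINES = """\
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr Shib-affiliation employee
Require shib-attr Shib-commonName "David Groep"
"""
# Explicit container when both conditions must hold.
MEMBER_AND_MFA = """\
AuthType shibboleth
ShibRequestSetting requireSession 1
<RequireAll>
    Require shib-attr Shib-affiliation member
    Require authnContextClassRef https://refeds.org/profile/mfa
</RequireAll>
"""
NO_REQUIRE = """\
AuthType shibboleth
ShibRequestSetting requireSession 1
"""


def _holds(kind, args, session):
    """Evaluate a single Require line against the session attributes."""
    if kind == "shib-user":
        return any(u in session.get("REMOTE_USER", []) for u in args)
    if kind == "shib-attr":
        name, *wanted = args
        return any(v in session.get(name, []) for v in wanted)
    if kind == "authnContextClassRef":
        return any(c in session.get("Shib-AuthnContext-Class", []) for c in args)
    raise ValueError(f"Require type not modelled here: {kind}")


def _combine(mode, results):
    return all(results) if mode == "all" else any(results)


def evaluate(htaccess, session):
    """Return True if this .htaccess would admit the session, False otherwise.

    Bare Require lines at one level combine as 'any'; lines inside
    <RequireAll> must all hold.  A file without any Require line raises,
    because it would not restrict who gets in.
    """
    stack = [("any", [])]
    for raw in htaccess.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache allows whole-line comments only
            continue
        tag = line.lower()
        if tag in ("<requireall>", "<requireany>"):
            stack.append(("all" if tag == "<requireall>" else "any", []))
        elif tag in ("</requireall>", "</requireany>"):
            mode, results = stack.pop()
            stack[-1][1].append(_combine(mode, results))
        elif tag.startswith("require "):
            _, kind, *args = shlex.split(line)
            stack[-1][1].append(_holds(kind, args, session))
        # AuthType / ShibRequestSetting enforce a session; they do not authorise.
    if len(stack) != 1:
        raise ValueError("unbalanced <RequireAll>/<RequireAny>")
    mode, results = stack[0]
    if not results:
        raise ValueError("no Require line: this .htaccess does not restrict who gets in")
    return _combine(mode, results)


def misconfigured(htaccess):
    """True if evaluate() rejects the file outright (e.g. no Require line)."""
    try:
        evaluate(htaccess, {})
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    sessions = {"davidg": MEMBER_WITH_MFA, "a03": STAFF_NO_MFA, "guest42": GUEST_NO_MFA}
    for name, cfg in [("members only", MEMBERS_ONLY), ("named users", NAMED_USERS),
                      ("two bare lines", TWO_BARE_LINES), ("member AND mfa", MEMBER_AND_MFA)]:
        print(name, {u: evaluate(cfg, s) for u, s in sessions.items()})
    print("no Require line misconfigured:", misconfigured(NO_REQUIRE))
```

The TWO_BARE_LINES case is the trap the page warns about: a03 is admitted by the affiliation line even though the commonName line does not match, because Apache treats the two bare lines as alternatives. MEMBER_AND_MFA shows the explicit RequireAll container you need when both a membership and a strong-authentication condition must hold.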
- For a complete list of possible directives, see the Shibboleth documentation.