Protecting web pages with SSO
Aim: This article describes how to restrict access to a web page.
Target audience: Anyone who creates a web page on a Nikhef system that should not be publicly accessible.
Web pages that contain confidential or privacy-sensitive content must be protected, and must be accessible only to those who need access to the information. The most convenient way to restrict access, e.g. to Nikhef internal users only, is to use the Nikhef single-sign-on (SSO) system on your own pages. When you enable SSO on your web pages, Nikhef users can log in with their usual username and password, without you as the web page owner having to manage any credentials.
Enabling SSO on your web directory
SSO can be enabled through the ".htaccess" mechanism: add a file called .htaccess to the directory you need to protect. It applies to that directory and all subordinate directories. So if you put it in $HOME/public_html/private/.htaccess, it will protect https://www.nikhef.nl/~_youruid_/private/ and everything below it.

Add the following to this .htaccess file to grant access to Nikhef users:
    AuthType shibboleth
    ShibCompatWith24 On
    ShibRedirectToSSL 443
    ShibRequestSetting requireSession 1
    Require shib-attr Shib-affiliation member
To grant access only to specific users, in this case only:

    AuthType shibboleth
    ShibCompatWith24 On
    ShibRedirectToSSL 443
    ShibRequestSetting requireSession 1
    Require shib-user firstname.lastname@example.org email@example.com
The Require directive can be chosen according to need, as long as at least one Require shib-_xxxxxx_ directive is present (test it by making a deliberate change that should deny you access, and check that it does). Some examples follow. Use one line at a time unless you know what you're doing: Apache 2.4 combines several Require lines at the same level with OR, so every extra line widens access. Note that Apache only accepts comments on a line of their own, not after a directive, so the explanatory comments are placed above each line:

    # any user in the ATLAS group is allowed in
    Require shib-attr Shib-orgUnitDN "cn=ATLAS,ou=OrganicUnits,dc=farmnet,dc=nikhef,dc=nl"
    # employees are allowed in
    Require shib-attr Shib-affiliation employee
    # anyone that could access a journal to which Nikhef subscribes is allowed in
    Require shib-attr Shib-entitlement urn:mace:dir:entitlement:common-lib-terms
    # anyone named "David Groep" is allowed in
    Require shib-attr Shib-commonName "David Groep"
- Using Require authnContextClassRef https://refeds.org/profile/mfa to require strong authentication makes no sense.
- For a complete list of possible directives, see the Shibboleth documentation.
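The page advises verifying the .htaccess by deliberately breaking it; the shell lint below is an added example (not part of the Nikhef page or the Shibboleth project) that checks a file for the directives listed above before it goes live. It assumes a POSIX shell with grep and mktemp; the two sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Nikhef page: lint a Shibboleth .htaccess
# for the directives the page lists. Prints what is missing; returns 0
# when the file looks complete and 1 otherwise.
check_shib_htaccess() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    # Drop whole-line comments and blank lines; Apache only accepts '#' at line start.
    body=$(grep -Ev '^[[:space:]]*(#|$)' "$f")
    status=0
    echo "$body" | grep -Eqi '^[[:space:]]*AuthType[[:space:]]+shibboleth' \
        || { echo "missing: AuthType shibboleth"; status=1; }
    echo "$body" | grep -Eqi '^[[:space:]]*ShibRequestSetting[[:space:]]+requireSession[[:space:]]+1' \
        || { echo "missing: ShibRequestSetting requireSession 1"; status=1; }
    # Without a Require shib-* line nothing actually restricts who gets in.
    echo "$body" | grep -Eqi '^[[:space:]]*Require[[:space:]]+shib-' \
        || { echo "missing: at least one 'Require shib-...' directive"; status=1; }
    # A '#' after a directive is not a comment: Apache passes the words that
    # follow it as extra arguments to the directive.
    if echo "$body" | grep -q '#'; then
        echo "trailing '#' after a directive; put comments on their own line"; status=1
    fi
    return $status
}

# Constructed sample files for the demonstration (hypothetical content).
TMPD=$(mktemp -d)
GOOD="$TMPD/good.htaccess"
BAD="$TMPD/bad.htaccess"
cat > "$GOOD" <<'EOF'
AuthType shibboleth
ShibCompatWith24 On
ShibRedirectToSSL 443
ShibRequestSetting requireSession 1
# any Nikhef member is allowed in
Require shib-attr Shib-affiliation member
EOF
cat > "$BAD" <<'EOF'
AuthType shibboleth
ShibCompatWith24 On
ShibRedirectToSSL 443
Require shib-attr Shib-affiliation member # members are allowed in
EOF

if check_shib_htaccess "$GOOD"; then echo "good.htaccess: ok"; fi
if check_shib_htaccess "$BAD"; then echo "bad.htaccess: unexpectedly passed"; fi
```

Run it against your own file with check_shib_htaccess "$HOME/public_html/private/.htaccess"; a non-zero exit means the directory is not protected the way the page describes.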