Protecting web pages with SSO

From CT Wiki
Jump to: navigation, search

Web pages that contain confidential or privacy-sensitive content must be protected, and must be accessible only for those that need access to the information. The most convenient way to restricting access, e.g. to only Nikhef internal users, is to use the single-signon (SSO) system of Nikhef on your own pages. When you enable SSO on your web pages, Nikhef users can login using their usual username and password - without you as the web page owner having to manage credentials.

Enabling SSO on your web directory

SSO can be enabled through the ".htaccess" mechanism: adding a file called ".htaccess" to the directory you need to protect. It will apply to this directory and all subordinate directories. So if you put it in $HOME/public_html/private/.htaccess, it will protect https://www.nikhef.nl/~youruid/private/ and everything below that.

Add the following to this .htaccess file to grant access to Nikhef users:

AuthType shibboleth
ShibCompatWith24 On
ShibRedirectToSSL 443
ShibRequestSetting requireSession 1
Require shib-attr Shib-affiliation member

to allow Nikhef users (all of them that are active) access to the information.

To grant access only to specific users, in this case only 'davidg' and 'a03':

AuthType shibboleth
ShibCompatWith24 On
ShibRedirectToSSL 443
ShibRequestSetting requireSession 1
Require shib-user davidg@nikhef.nl a03@nikhef.nl

The 'Require' directive can be chosen according to need, as long as at least one Require shib-xxxxxx is present (try it by making a deliberate change that should deny you access). Some examples (use one lines at a time unless you know what you're doing):

Require shib-attr Shib-orgUnitDN "cn=ATLAS,ou=OrganicUnits,dc=farmnet,dc=nikhef,dc=nl"   # any user in the ATLAS group is allowed in
Require shib-attr Shib-affiliation employee                                              # employees are allowed in
Require shib-attr Shib-entitlement urn:mace:dir:entitlement:common-lib-terms             # anyone that could access a journal to which Nikhef subscribes is in
Require shib-attr Shib-commonName "David Groep"                                          # anyone named "David Groep" is allowed in 

and so on. "Employee" includes everyone with a contract in the Nikhef collaboration (AIOs, OIOs, university staff, facilities, secretariat) but not contractors or master students. If you have multiple Require directives, they are ORed together, so you get the union of them all (if any of them succeed, access is granted). So some directives cannot be meaningfully combined ("Require authnContextClassRef https://refeds.org/profile/mfa" to require strong authentication makes no sense).

For a complete list of possible directives, see the Shibboleth documentation.

Views
Personal tools