Protecting web pages with SSO

From CT Wiki
Latest revision as of 17:00, 5 November 2019

Web pages that contain confidential or privacy-sensitive content must be protected, and must be accessible only to those who need access to the information. The most convenient way of restricting access, e.g. to Nikhef internal users only, is to use the Nikhef single sign-on (SSO) system on your own pages. When you enable SSO on your web pages, Nikhef users can log in with their usual username and password, without you as the web page owner having to manage any credentials.

Enabling SSO on your web directory

SSO can be enabled through the ".htaccess" mechanism: adding a file called ".htaccess" to the directory you need to protect. It will apply to this directory and all subordinate directories. So if you put it in $HOME/public_html/private/.htaccess, it will protect https://www.nikhef.nl/~youruid/private/ and everything below that.

Add the following to this .htaccess file to grant access to Nikhef users:

AuthType shibboleth
ShibCompatWith24 On
ShibRedirectToSSL 443
ShibRequestSetting requireSession 1
Require shib-attr Shib-affiliation member

to allow Nikhef users (all of them that are active) access to the information.

To grant access only to specific users, in this case only 'davidg' and 'a03':

AuthType shibboleth
ShibCompatWith24 On
ShibRedirectToSSL 443
ShibRequestSetting requireSession 1
Require shib-user davidg@nikhef.nl a03@nikhef.nl

The 'Require' directive can be chosen according to need, as long as at least one Require shib-xxxxxx is present (test it by making a deliberate change that should deny you access, and confirm that it does). Some examples (use one line at a time unless you know what you're doing):

Require shib-attr Shib-orgUnitDN "cn=ATLAS,ou=OrganicUnits,dc=farmnet,dc=nikhef,dc=nl"   # any user in the ATLAS group is allowed in
Require shib-attr Shib-affiliation employee                                              # employees are allowed in
Require shib-attr Shib-entitlement urn:mace:dir:entitlement:common-lib-terms             # anyone that could access a journal to which Nikhef subscribes is in
Require shib-attr Shib-commonName "David Groep"                                          # anyone named "David Groep" is allowed in 

and so on. "Employee" includes everyone with a contract in the Nikhef collaboration (AIOs, OIOs, university staff, facilities, secretariat) but not contractors or master students. If you have multiple Require directives, they are ORed together, so you get the union of them all (if any one of them succeeds, access is granted). As a consequence, some directives cannot be meaningfully combined: adding "Require authnContextClassRef https://refeds.org/profile/mfa" as a separate line to require strong authentication makes no sense, because it does not impose MFA on the users admitted by the other lines.
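The OR semantics described above are easy to get wrong, so here is an added example (not from this wiki page, and not Shibboleth's own code) that models how a list of top-level Require lines from an .htaccess file is evaluated against constructed request data. The attribute names and values are the ones used on this page; the three visitor profiles and the rule evaluator are assumptions of the model.

```python
import shlex

# Constructed request data: what the SP would expose for three different visitors.
STUDENT = {"session": True, "user": "s01@nikhef.nl",
           "attrs": {"Shib-affiliation": {"member"}}, "authn_context": "password"}
STAFF = {"session": True, "user": "davidg@nikhef.nl",
         "attrs": {"Shib-affiliation": {"member", "employee"},
                   "Shib-orgUnitDN": {"cn=ATLAS,ou=OrganicUnits,dc=farmnet,dc=nikhef,dc=nl"}},
         "authn_context": "password"}
ANONYMOUS = {"session": False, "attrs": {}}

# Require lines taken from the page, plus the combination it calls meaningless.
MEMBERS = ["Require shib-attr Shib-affiliation member"]
NAMED_USERS = ["Require shib-user davidg@nikhef.nl a03@nikhef.nl"]
ATLAS = ['Require shib-attr Shib-orgUnitDN "cn=ATLAS,ou=OrganicUnits,dc=farmnet,dc=nikhef,dc=nl"  # ATLAS group']
# Sibling Require lines are ORed, so the MFA line adds nothing: any member with a
# plain password session is still admitted by the first line.
MEMBERS_PLUS_MFA = MEMBERS + ["Require authnContextClassRef https://refeds.org/profile/mfa"]

def parse_require(line):
    """Return (rule, args) for one 'Require ...' line, dropping a trailing # comment."""
    body = line.split("#", 1)[0].strip()
    parts = shlex.split(body)          # honours the double quotes around DN values
    if not parts or parts[0] != "Require":
        raise ValueError(f"not a Require line: {line!r}")
    return parts[1], parts[2:]

def rule_matches(rule, args, req):
    """Evaluate one rule against the request (model of the SP's behaviour)."""
    session = req.get("session", False)
    if rule == "shib-session":
        return session
    if rule == "shib-user":              # any of the listed user ids
        return session and req.get("user") in args
    if rule == "shib-attr":              # attribute holds any of the listed values
        name, wanted = args[0], set(args[1:])
        return session and bool(req["attrs"].get(name, set()) & wanted)
    if rule == "authnContextClassRef":   # how the user authenticated at the IdP
        return session and req.get("authn_context") in args
    raise ValueError(f"unsupported rule {rule}")

def access_granted(htaccess_lines, req):
    """Top-level Require lines are ORed: a single matching line grants access."""
    rules = [parse_require(l) for l in htaccess_lines if l.strip().startswith("Require")]
    if not rules:
        raise ValueError("no Require line present; the page requires at least one shib-* rule")
    return any(rule_matches(rule, args, req) for rule, args in rules)
```

Running `access_granted(MEMBERS_PLUS_MFA, STUDENT)` returns True even though the student authenticated with a password only, which is exactly why the page says that combination makes no sense.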

For a complete list of possible directives, see the Shibboleth documentation at https://wiki.shibboleth.net/confluence/display/SP3/htaccess.
