Access Control Via the Web Trust Centre with Shibboleth
Authentication
If you want to request authentication via the Web-Trust-Center of the TU Chemnitz (WTC), write the following in the .htaccess file:
AuthType shibboleth
ShibRequestSetting requireSession 1
If only a single file is to be protected, this code block can be placed, for example, in a <Files> block.
Authentication is enforced only if a statement for authorisation follows.
Authorisation
Require user …
user – single users, separated by spaces:
- User ID for members of the TU Chemnitz
- User identifier@domain for external identities, e. g. login@tu-dresden.de or log@hs-mittweida.de (currently only possible for www.tu-chemnitz.de)
- The Require shib-session is also valid (formerly: valid-user). However, it should be noted that this approves all users authenticated by the Web Trust Centre, including users from other identity providers (e. g. of other universities).
Require shib-attr affiliation …
affiliation – Affiliation with @Domain. Defined are, e. g.:
- Mitarbeiter@tu-chemnitz.de – Employees of the TU Chemnitz (with employment contract), without An-Institutes etc.
- Student@tu-chemnitz.de – Enrolled students of the TU Chemnitz
- member@tu-chemnitz.de – Staff members and registered students of the TU Chemnitz
- Extern@tu-chemnitz.de – All other authenticatable persons (An-Institutes, externals)
- e. g.
Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de
Require shib-attr unscoped-affiliation …
unscoped-affiliation – Affiliation without @Domain: Mitarbeiter, Student, member, Extern, alum
- e. g.
Require shib-attr unscoped-affiliation Student – Students of any institution
Require shib-attr orgUnitNumber …
orgUnitNumber – Structure number of the TU Chemnitz
- e. g.
Require shib-attr orgUnitNumber 134200
Require shib-attr idmgroup …
idmgroup – TU members with a valid User ID who belong to an IdM group with the target system "LDAP for URZ services". Separate several groups with spaces (= OR link).
- e. g. Require shib-attr idmgroup urz:phil_mitarbeiter – Employees of the Faculty of Philosophy
- e. g. Require shib-attr idmgroup urz:wiwi_studenten urz:wiwi_mitarbeiter – Both students and staff of the Faculty of Business and Economics
- Defined groups:

| Groups | Description |
|---|---|
| urz:nawi_studenten urz:nawi_mitarbeiter | Students or staff of the Faculty of Natural Sciences |
| urz:chemie_studenten urz:chemie_mitarbeiter | Students or staff of the Institute of Chemistry |
| urz:physik_studenten urz:physik_mitarbeiter | Students or staff of the Institute of Physics |
| urz:etit_studenten urz:etit_mitarbeiter | Students or staff of the Faculty of Electrical Engineering and Information Technology |
| urz:hsw_studenten urz:hsw_mitarbeiter | Students or staff of the Faculty of Humanities |
| urz:informatik_studenten urz:informatik_mitarbeiter | Students or staff of the Faculty of Computer Science |
| urz:maschinenbau_studenten urz:maschinenbau_mitarbeiter | Students or staff of the Faculty of Mechanical Engineering |
| urz:mathematik_studenten urz:mathematik_mitarbeiter | Students or staff of the Faculty of Mathematics |
| urz:phil_studenten urz:phil_mitarbeiter | Students or staff of the Faculty of Behavioural and Social Science |
| urz:wiwi_studenten urz:wiwi_mitarbeiter | Students or staff of the Faculty of Economics and Business Administration |
| urz:zlb_studenten urz:zlb_mitarbeiter | Students or staff of the Centre for Teacher Education |
| urz:dezernate_mitarbeiter | Staff of the Central University Administration |
| urz:ub_mitarbeiter | Staff of the University Library |
| urz:mitarbeiter | Staff of the University Computer Centre (URZ) |
Regular expressions (as in Perl) are possible:
- e. g. everyone who has a valid login at the TU Chemnitz:
Require shib-attr affiliation ~ ^.+@tu-chemnitz\.de$
- e. g. everyone who is a student somewhere in .de:
Require shib-attr affiliation ~ ^Student@.+\.de$
With several Require specifications, combinations are possible:
- Usually one of the specified conditions must be met (OR link).
- If all conditions must be met (AND operation), enclose them in <RequireAll>, see the example.
The .htaccess then looks like this:
AuthType shibboleth
ShibRequestSetting requireSession 1
<RequireAll>
Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de
Require shib-attr orgUnitNumber ~ 134[0-9]{3}
</RequireAll>
Result: .../dir22/
Own Authorisation
If you want to handle user authentication via the Web Trust Centre but control access yourself (e. g. for web applications that store permissions in a database, or if the authorisation mechanisms listed above are not sufficient), you can also program the authorisation yourself. The .htaccess file:
AuthType shibboleth
ShibRequestSetting requireSession 0
Require shibboleth
To do this, one must create a login page that performs the authorisation. This page is addressed via a link of the form: /Shibboleth.sso/Login?target=https://www.tu-chemnitz.de/path/to/login_page.html
The following example illustrates this: .../dir23/index.html may be viewed by everyone. When you click on Login, you have to authenticate yourself via the Web Trust Centre; access is then controlled by the PHP script – How it's programmed.
Attributes
After a successful authentication at the Web Trust Center and "passed" authorisation, the WTC provides the WWW server with some attributes of the logged-in person. These attributes are environment variables that the web author can use, e. g. in CGI programs or PHP scripts:
| Attribute | Environment variable | .htaccess after Require | Example |
|---|---|---|---|
| User ID | REMOTE_USER | user | alf; with an external identity provider the domain is attached: alf@htwm.de |
| Affiliation | HTTP_SHIB_EP_AFFILIATION | affiliation | Mitarbeiter@tu-chemnitz.de |
| Affiliation (without scope) | HTTP_SHIB_EP_UNSCOPEDAFFILIATION | unscoped-affiliation | Student |
| First name Name | HTTP_SHIB_PERSON_COMMONNAME | (not available) | Alfons Bitmeister |
| Surname | HTTP_SHIB_PERSON_SURNAME | (not available) | Bitmeister |
| First name | HTTP_SHIB_INETORGPERSON_GIVENNAME | (not available) | Alfons |
| Structural unit | HTTP_SHIB_ORGPERSON_ORGUNIT | (not available) | Central facilities of the university (multiple values separated by ";", hierarchy levels separated by "\|") |
| Structure number | HTTP_SHIB_ORGPERSON_ORGUNITNUMBER | orgUnitNumber | 024400 (several separated by ";") |
| E-mail address | HTTP_SHIB_ORGPERSON_EMAILADDRESS | (not available) | alf.bitmeister@hrz.tu-chemnitz.de |
The .htaccess looks like this:
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de Student@tu-chemnitz.de
In .../dir24/index.php some attributes of the authenticated person are displayed – How it's programmed.
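One way to implement the self-programmed authorisation described under "Own Authorisation", reading the environment variables from the table above (an added example, not the page's own dir23/dir24 scripts; the permitted structure numbers and the login redirect target are assumptions):

```php
<?php
// Added example, not the page's own scripts: a PHP login page that performs its
// own authorisation on top of WTC authentication. It assumes the .htaccess from
// "Own Authorisation" (AuthType shibboleth, requireSession 0, Require shibboleth)
// and uses the environment variables listed in the attribute table.
declare(strict_types=1);

// Assumption: structure numbers that may see this page (sample values).
const ALLOWED_ORG_UNITS = ['134200', '024400'];

/** Split a multi-valued Shibboleth attribute; values are separated by ';'. */
function shibValues(array $server, string $envVar): array
{
    $raw = trim($server[$envVar] ?? '');
    return $raw === '' ? [] : array_map('trim', explode(';', $raw));
}

/** Decide whether the authenticated person may see this page. */
function isAuthorised(array $server): bool
{
    // Accept TU Chemnitz employees and students only: the WTC also
    // authenticates external identities, whose affiliation has another scope.
    $affiliation = $server['HTTP_SHIB_EP_AFFILIATION'] ?? '';
    if (!preg_match('/^(Mitarbeiter|Student)@tu-chemnitz\.de$/', $affiliation)) {
        return false;
    }
    // Exact match per structure number, so 1342001 never matches 134200.
    $units = shibValues($server, 'HTTP_SHIB_ORGPERSON_ORGUNITNUMBER');
    return count(array_intersect($units, ALLOWED_ORG_UNITS)) > 0;
}

// No WTC session yet: with requireSession 0 the request reaches the script
// unauthenticated, so send the visitor to the WTC login and back to this page.
// SERVER_NAME is used instead of the client-supplied Host header.
if (empty($_SERVER['REMOTE_USER'])) {
    $self = 'https://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
    header('Location: /Shibboleth.sso/Login?target=' . rawurlencode($self));
    exit;
}

if (!isAuthorised($_SERVER)) {
    http_response_code(403);
    exit('Access denied.');
}

// Authorised: show some attributes, HTML-escaped before output.
$name = $_SERVER['HTTP_SHIB_PERSON_COMMONNAME'] ?? $_SERVER['REMOTE_USER'];
$mail = $_SERVER['HTTP_SHIB_ORGPERSON_EMAILADDRESS'] ?? '';
echo 'Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '<br>';
echo 'E-mail: ' . htmlspecialchars($mail, ENT_QUOTES, 'UTF-8');
```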
How to do ...?
- Only users with a login at the TU Chemnitz (students, employees, external users):
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr affiliation ~ ^.+@tu-chemnitz\.de$
- Requests from outside require login via the Web Trust Center, requests from inside the TU Chemnitz network do not:
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr affiliation ~ ^.+@tu-chemnitz\.de$
Require host tu-chemnitz.de
- Access only from computers inside the TU Chemnitz, with login via the Web Trust Center, employees only:
AuthType shibboleth
ShibRequestSetting requireSession 1
<RequireAll>
Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de
Require host tu-chemnitz.de
</RequireAll>
- Access for staff, with some exceptions:
AuthType shibboleth
ShibRequestSetting requireSession 1
<RequireAll>
Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de
<RequireNone>
Require user login1 login2
</RequireNone>
</RequireAll>
- Unprotect a subfolder of a protected folder without authentication:
AuthType None
ShibRequestSetting requireSession 0
Require all granted