Access Control Via the Web Trust Centre with Shibboleth
Authentication
If you want to request authentication via the Web Trust Centre of the TU Chemnitz (WTC), write the following in the .htaccess file:
    AuthType shibboleth
    ShibRequestSetting requireSession 1
If only a single file is to be protected, this block can be placed, for example, in a <Files> block.
Authentication is only enforced if an authorisation statement (Require) follows.
Authorisation
Require user …
    user – single users, separated by spaces:
    - User ID for members of the TU Chemnitz
    - User identifier@domain for external identities, e. g. login@tu-dresden.de or log@hs-mittweida.de (currently only possible for www.tu-chemnitz.de)
Require shib-session is also valid (formerly: valid-user). Note, however, that this approves all users authenticated by the Web Trust Centre, including users from other identity providers (e. g. of other universities).
Require shib-attr affiliation …
    affiliation – Affiliation with @Domain. Defined are e. g.:
    - Mitarbeiter@tu-chemnitz.de – Employees of the TU Chemnitz (with employment contract), without An-Institutes etc.
    - Student@tu-chemnitz.de – Enrolled students of the TU Chemnitz
    - member@tu-chemnitz.de – Staff members and registered students of the TU Chemnitz
    - Extern@tu-chemnitz.de – All other authenticatable persons (An-Institutes, externals)
    e. g.:
        Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de
Require shib-attr unscoped-affiliation …
    unscoped-affiliation – Affiliation without @Domain: Mitarbeiter, Student, member, Extern, alum
    e. g. students of any institution:
        Require shib-attr unscoped-affiliation Student
Require shib-attr orgUnitNumber …
    orgUnitNumber – Structure number of the TU Chemnitz
    e. g.:
        Require shib-attr orgUnitNumber 134200
Require shib-attr idmgroup …
    idmgroup – TU members with a valid User ID who belong to an IdM group with the target system „LDAP for URZ services“. Several groups are separated by spaces (OR link).
    e. g. employees of the Faculty of Philosophy:
        Require shib-attr idmgroup urz:phil_mitarbeiter
    e. g. both students and staff of the Faculty of Business and Economics:
        Require shib-attr idmgroup urz:wiwi_studenten urz:wiwi_mitarbeiter
    Defined groups:

IdM group | Members |
---|---|
urz:nawi_studenten urz:nawi_mitarbeiter | Students or staff of the Faculty of Natural Sciences |
urz:chemie_studenten urz:chemie_mitarbeiter | Students or staff of the Institute of Chemistry |
urz:physik_studenten urz:physik_mitarbeiter | Students or staff of the Institute of Physics |
urz:etit_studenten urz:etit_mitarbeiter | Students or staff of the Faculty of Electrical Engineering and Information Technology |
urz:hsw_studenten urz:hsw_mitarbeiter | Students or staff of the Faculty of Humanities |
urz:informatik_studenten urz:informatik_mitarbeiter | Students or staff of the Faculty of Computer Science |
urz:maschinenbau_studenten urz:maschinenbau_mitarbeiter | Students or staff of the Faculty of Mechanical Engineering |
urz:mathematik_studenten urz:mathematik_mitarbeiter | Students or staff of the Faculty of Mathematics |
urz:phil_studenten urz:phil_mitarbeiter | Students or staff of the Faculty of Behavioural and Social Science |
urz:wiwi_studenten urz:wiwi_mitarbeiter | Students or staff of the Faculty of Economics and Business Administration |
urz:zlb_studenten urz:zlb_mitarbeiter | Students or staff of the Centre for Teacher Education |
urz:dezernate_mitarbeiter | Staff of the Central University Administration |
urz:ub_mitarbeiter | Staff of the University Library |
urz:mitarbeiter | Staff of the University Computer Centre (URZ) |
Regular expressions (as in Perl) are possible:
- e. g. everyone who has a valid login at the TU Chemnitz:
    Require shib-attr affiliation ~ ^.+@tu-chemnitz\.de$
- e. g. everyone who is a student somewhere in .de:
    Require shib-attr affiliation ~ ^Student@.+\.de$
With several Require specifications, combinations are possible:
- Usually one of the specified conditions must be complied with (OR link).
- If all conditions are to be complied with (AND operation), use <RequireAll>, see the example.
The .htaccess then looks like:
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    <RequireAll>
    Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de
    Require shib-attr orgUnitNumber ~ 134[0-9]{3}
    </RequireAll>
Result: .../dir22/
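The combination rules above (implicit OR between Require lines, AND with <RequireAll>, exclusion with <RequireNone>) are easy to get wrong, so it pays to try a policy against sample identities before deploying it. The following Python script is an added example, not code from this page or from the Shibboleth SP: it parses the Require lines of a .htaccess text into a nested policy and evaluates it against constructed sample users. The rule semantics it models (several literal values of shib-attr as OR, `~` as a regular expression tested with search(), host matched on the domain suffix, Apache's "neutral" outcome folded into a plain false) are simplifying assumptions of this example, and the function, policy and user names are its own.

```python
"""Try a .htaccess Require policy against sample identities.

Added example (not code from this page or from the Shibboleth SP): a model of
how Apache 2.4 combines Require lines (implicit OR at the top level,
<RequireAll>, <RequireNone>) for the rule kinds used on this page:
user, shib-session, shib-attr (literal list or ~ regular expression) and host.
The sample policies copy the page's patterns; the users are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class User:
    """What the SP would know about one request (constructed test data)."""
    user_id: str = ""
    session: bool = False        # authenticated via the Web Trust Centre?
    host: str = ""               # resolved client host name, for Require host
    attrs: dict = field(default_factory=dict)   # attribute name -> list of values


def parse_policy(htaccess: str):
    """Extract the authorisation rules from .htaccess text.

    Returns (kind, children) with kind in 'any' | 'all' | 'none'; a child is
    either such a tuple or the text of a Require line without the word Require.
    The top level is an implicit RequireAny, as in Apache 2.4.
    """
    root = ("any", [])
    stack = [root]
    for raw in htaccess.splitlines():
        line = raw.strip()
        if line in ("<RequireAll>", "<RequireAny>", "<RequireNone>"):
            node = (line[8:-1].lower(), [])
            stack[-1][1].append(node)
            stack.append(node)
        elif line in ("</RequireAll>", "</RequireAny>", "</RequireNone>"):
            stack.pop()
        elif line.startswith("Require "):
            stack[-1][1].append(line[len("Require "):].strip())
        # AuthType, ShibRequestSetting etc. take no part in authorisation
    if len(stack) != 1:
        raise ValueError("unbalanced Require container")
    return root


def match_rule(rule: str, user: User) -> bool:
    """Evaluate one Require line."""
    parts = rule.split()
    kind = parts[0]
    if kind == "shib-session":           # formerly valid-user: any WTC session passes
        return user.session
    if kind == "user":
        return user.session and user.user_id in parts[1:]
    if kind == "shib-attr":
        values = user.attrs.get(parts[1], []) if user.session else []
        if parts[2] == "~":              # regular-expression form
            # assumption: tested with search(); the page anchors its patterns with ^ and $
            pattern = re.compile(" ".join(parts[3:]))
            return any(pattern.search(v) for v in values)
        return any(v in parts[2:] for v in values)   # several literal values = OR
    if kind == "host":                   # client host name equals or ends in the domain
        return any(user.host == d or user.host.endswith("." + d) for d in parts[1:])
    raise ValueError(f"rule kind not modelled: {rule}")


def evaluate(policy, user: User) -> bool:
    """any = OR, all = AND, none = NOT any (Apache's 'neutral' simplified to False)."""
    if isinstance(policy, str):
        return match_rule(policy, user)
    kind, children = policy
    results = [evaluate(child, user) for child in children]
    if kind == "all":
        return bool(results) and all(results)
    if kind == "none":
        return not any(results)
    return any(results)


def decide(htaccess: str, user: User) -> bool:
    return evaluate(parse_policy(htaccess), user)


# Policies taken from the patterns on this page
EMPLOYEES_OF_134 = r"""
AuthType shibboleth
ShibRequestSetting requireSession 1
<RequireAll>
Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de
Require shib-attr orgUnitNumber ~ 134[0-9]{3}
</RequireAll>
"""
STAFF_WITH_EXCEPTIONS = r"""
<RequireAll>
Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de
<RequireNone>
Require user login1 login2
</RequireNone>
</RequireAll>
"""
STUDENTS_ANYWHERE_DE = r"""
Require shib-attr affiliation ~ ^Student@.+\.de$
"""

# Constructed sample identities
ALF = User("alf", True, "pc12.urz.tu-chemnitz.de",
           {"affiliation": ["Mitarbeiter@tu-chemnitz.de", "member@tu-chemnitz.de"],
            "orgUnitNumber": ["134200"]})
LOGIN1 = User("login1", True, "", {"affiliation": ["Mitarbeiter@tu-chemnitz.de"],
                                   "orgUnitNumber": ["024400"]})
CARL = User("carl@tu-dresden.de", True, "", {"affiliation": ["Student@tu-dresden.de"]})
ANON = User()                                       # no WTC session at all

if __name__ == "__main__":
    for name, policy in [("EMPLOYEES_OF_134", EMPLOYEES_OF_134),
                         ("STAFF_WITH_EXCEPTIONS", STAFF_WITH_EXCEPTIONS),
                         ("STUDENTS_ANYWHERE_DE", STUDENTS_ANYWHERE_DE)]:
        print(name, {u.user_id or "anon": decide(policy, u) for u in (ALF, LOGIN1, CARL, ANON)})
```

Run it with the .htaccess text you intend to deploy; the checks that matter most are the negative ones, e. g. that a student or an external identity is denied by a rule meant for staff. The model covers authorisation only: the login enforced by requireSession 1 happens before these rules are reached.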
Own Authorisation
If you want to handle user authentication via the Web Trust Centre but control access yourself (e. g. for web applications that store permissions in a database, or if the authorisation mechanisms listed above are not sufficient), you can also program the authorisation yourself. The .htaccess file then contains:
    AuthType shibboleth
    ShibRequestSetting requireSession 0
    Require shibboleth
To do this, one must create a login page that performs the authorisation. This page is addressed via a link of the form /Shibboleth.sso/Login?target=https://www.tu-chemnitz.de/path/to/login_page.html (the target is the URL of your login page).
The following example illustrates this: .../dir23/index.html may be viewed by everyone. When you click on Login, you have to authenticate yourself via the Web Trust Centre; access is then controlled by the PHP script – How it's programmed.
Attributes
After a successful authentication at the Web Trust Center and „passed“ authorisation, the WTC provides the WWW server with some attributes of the logged-in person. These attributes are environment variables that the web author can use, e. g. in CGI programs or PHP scripts:
Attribute | Environment variable | .htaccess after Require | Example |
---|---|---|---|
User ID | REMOTE_USER | user | alf (with an external identity provider the domain is appended: alf@htwm.de) |
Affiliation | HTTP_SHIB_EP_AFFILIATION | affiliation | Mitarbeiter@tu-chemnitz.de |
Affiliation (without scope) | HTTP_SHIB_EP_UNSCOPEDAFFILIATION | unscoped-affiliation | Student |
First name and surname | HTTP_SHIB_PERSON_COMMONNAME | (not available) | Alfons Bitmeister |
Surname | HTTP_SHIB_PERSON_SURNAME | (not available) | Bitmeister |
First name | HTTP_SHIB_INETORGPERSON_GIVENNAME | (not available) | Alfons |
Structural unit | HTTP_SHIB_ORGPERSON_ORGUNIT | (not available) | Central facilities of the university (several values separated by ;, hierarchy levels separated by \|) |
Structure number | HTTP_SHIB_ORGPERSON_ORGUNITNUMBER | orgUnitNumber | 024400 (several values separated by ;) |
E-mail address | HTTP_SHIB_ORGPERSON_EMAILADDRESS | (not available) | alf.bitmeister@hrz.tu-chemnitz.de |
The .htaccess looks like:
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de Student@tu-chemnitz.de
In .../dir24/index.php some attributes of the authenticated person are displayed – How it's programmed.
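For the "Own Authorisation" setup and the attribute table above, here is an added example of such a script, written in Python in CGI style (the page names CGI programs as one consumer of these variables); it is not code from the page's demo directories or from the Shibboleth SP. It reads the environment variables listed in the table, splits multi-valued attributes on ';' and the orgUnit hierarchy on '|', sends a visitor without a session to /Shibboleth.sso/Login with the script's own URL as target, and otherwise decides access from an application-side permission table. The permission table, the sample environment and all function names are constructed for this example.

```python
"""Reading WTC attributes in a CGI script and doing the authorisation yourself.

Added example (not code from the TU Chemnitz page): the environment variable
names are those of the attribute table; the permission table, the sample
environment and all function names are constructed for this example.
"""
import os
from urllib.parse import quote

LOGIN_HANDLER = "/Shibboleth.sso/Login"
REASONS = {200: "OK", 302: "Found", 403: "Forbidden"}

# Environment variables as listed in the attribute table on this page
ATTRIBUTE_VARS = {
    "user_id": "REMOTE_USER",
    "affiliation": "HTTP_SHIB_EP_AFFILIATION",
    "unscoped_affiliation": "HTTP_SHIB_EP_UNSCOPEDAFFILIATION",
    "common_name": "HTTP_SHIB_PERSON_COMMONNAME",
    "surname": "HTTP_SHIB_PERSON_SURNAME",
    "given_name": "HTTP_SHIB_INETORGPERSON_GIVENNAME",
    "org_unit": "HTTP_SHIB_ORGPERSON_ORGUNIT",
    "org_unit_number": "HTTP_SHIB_ORGPERSON_ORGUNITNUMBER",
    "email": "HTTP_SHIB_ORGPERSON_EMAILADDRESS",
}
# Attributes that may carry several values, separated by ';'
MULTI_VALUED = {"affiliation", "unscoped_affiliation", "org_unit", "org_unit_number"}

# Constructed application-side permission store (stands in for a database)
PERMISSIONS = {
    "alf": {"read", "write"},
    "alf@htwm.de": {"read"},     # external identity: the domain is appended to the ID
}


def read_attributes(env=None) -> dict:
    """Collect the person's attributes from the CGI environment.

    Missing variables become '' or []; an empty user_id means that the
    Shibboleth SP passed the request through without a session
    (requireSession 0 + Require shibboleth).
    """
    env = os.environ if env is None else env
    attrs = {}
    for key, var in ATTRIBUTE_VARS.items():
        raw = env.get(var, "")
        if key not in MULTI_VALUED:
            attrs[key] = raw
            continue
        values = [v for v in raw.split(";") if v]
        if key == "org_unit":
            # each value is a hierarchy path, levels separated by '|'
            values = [[level.strip() for level in v.split("|")] for v in values]
        attrs[key] = values
    return attrs


def login_redirect(target_url: str) -> str:
    """Login URL in the form the page shows, with the target URL-encoded."""
    return f"{LOGIN_HANDLER}?target={quote(target_url, safe='')}"


def handle(env, script_url: str, needed: str = "read") -> tuple:
    """Return (HTTP status, redirect location or response body) for one request."""
    attrs = read_attributes(env)
    if not attrs["user_id"]:                       # no WTC session yet: send to login
        return 302, login_redirect(script_url)
    if needed not in PERMISSIONS.get(attrs["user_id"], set()):
        return 403, f"{attrs['user_id']} may not {needed} here"
    return 200, f"Hello {attrs['given_name']} ({'; '.join(attrs['affiliation'])})"


# Constructed CGI environment, following the example values in the table
SAMPLE_ENV = {
    "REMOTE_USER": "alf",
    "HTTP_SHIB_EP_AFFILIATION": "Mitarbeiter@tu-chemnitz.de;member@tu-chemnitz.de",
    "HTTP_SHIB_EP_UNSCOPEDAFFILIATION": "Mitarbeiter;member",
    "HTTP_SHIB_PERSON_COMMONNAME": "Alfons Bitmeister",
    "HTTP_SHIB_PERSON_SURNAME": "Bitmeister",
    "HTTP_SHIB_INETORGPERSON_GIVENNAME": "Alfons",
    "HTTP_SHIB_ORGPERSON_ORGUNIT": "Central facilities of the university|University Computer Centre",
    "HTTP_SHIB_ORGPERSON_ORGUNITNUMBER": "024400",
    "HTTP_SHIB_ORGPERSON_EMAILADDRESS": "alf.bitmeister@hrz.tu-chemnitz.de",
}

if __name__ == "__main__":                          # run as a CGI script
    status, payload = handle(os.environ, "https://www.tu-chemnitz.de/path/to/login_page.html")
    print(f"Status: {status} {REASONS[status]}")
    if status == 302:
        print(f"Location: {payload}\n")
    else:
        print(f"Content-Type: text/plain; charset=utf-8\n\n{payload}")
```

With requireSession 0 and Require shibboleth, requests without a session do reach the script, so the check on REMOTE_USER is the access control and must not be skipped; the attribute values are data about the user, not trusted markup, and must be HTML-escaped before they are written into a page.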
How to do ...?
- Only users with a login at the TU Chemnitz (students, employees, external users):
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-attr affiliation ~ ^.+@tu-chemnitz\.de$
- External requests only with login via the Web Trust Centre, internal ones without:
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-attr affiliation ~ ^.+@tu-chemnitz\.de$
    Require host tu-chemnitz.de
- Access only from computers inside the TU Chemnitz, with login via the Web Trust Centre, employees only:
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    <RequireAll>
    Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de
    Require host tu-chemnitz.de
    </RequireAll>
- Access for staff, with some exceptions:
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    <RequireAll>
    Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de
    <RequireNone>
    Require user login1 login2
    </RequireNone>
    </RequireAll>
- Unprotect a subfolder of a protected folder (no authentication):
    AuthType None
    ShibRequestSetting requireSession 0
    Require all granted