
Access Control Via the Web Trust Centre with Shibboleth

  1. Authentication
  2. Authorisation
  3. Own authorisation
  4. Attributes
  5. How to do ...?

Authentication

If you want to request authentication via the Web Trust Centre (WTC) of the TU Chemnitz, write in the .htaccess file:

AuthType shibboleth
ShibRequestSetting requireSession 1

If only a single file is to be protected, this code block can be placed, for example, in a <Files> block.

Authentication is enforced only if a statement for authorisation follows.

Authorisation

Require user …

user – single users, separated by spaces

  • User ID for members of the TU Chemnitz
  • User identifier@domain for external identities, e. g. login@tu-dresden.de or log@hs-mittweida.de (currently only possible on www.tu-chemnitz.de)
  • Require shib-session is also valid (formerly: valid-user). Note, however, that this admits every user authenticated by the Web Trust Centre, including users from other identity providers (e. g. other universities).
Require shib-attr affiliation …

affiliation – affiliation with @domain scope. Defined values include:

  • Mitarbeiter@tu-chemnitz.de – Employees of the TU Chemnitz (with employment contract), not including affiliated institutes (An-Institute) etc.
  • Student@tu-chemnitz.de – Enrolled students of the TU Chemnitz
  • member@tu-chemnitz.de – Staff members and enrolled students of the TU Chemnitz
  • Extern@tu-chemnitz.de – All other persons who can authenticate (affiliated institutes, externals)
  • e. g. Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de
Require shib-attr unscoped-affiliation …

unscoped-affiliation – affiliation without @domain scope: Mitarbeiter, Student, member, Extern, alum

  • e. g. Require shib-attr unscoped-affiliation Student – students of any institution
Require shib-attr orgUnitNumber …

orgUnitNumber – Structure number of the TU Chemnitz

  • e. g. Require shib-attr orgUnitNumber 134200
Require shib-attr idmgroup …

idmgroup – TU members with a valid User ID who belong to an IdM group whose target system is „LDAP for URZ services“. Several groups are separated by spaces (OR).

  • e. g. Require shib-attr idmgroup urz:phil_mitarbeiter – Employees of the Faculty of Philosophy
  • e. g. Require shib-attr idmgroup urz:wiwi_studenten urz:wiwi_mitarbeiter – Both students and staff of the Faculty of Business and Economics
  • Defined groups:
      urz:nawi_studenten urz:nawi_mitarbeiter – Students or staff of the Faculty of Natural Sciences
      urz:chemie_studenten urz:chemie_mitarbeiter – Students or staff of the Institute of Chemistry
      urz:physik_studenten urz:physik_mitarbeiter – Students or staff of the Institute of Physics
      urz:etit_studenten urz:etit_mitarbeiter – Students or staff of the Faculty of Electrical Engineering and Information Technology
      urz:hsw_studenten urz:hsw_mitarbeiter – Students or staff of the Faculty of Humanities
      urz:informatik_studenten urz:informatik_mitarbeiter – Students or staff of the Faculty of Computer Science
      urz:maschinenbau_studenten urz:maschinenbau_mitarbeiter – Students or staff of the Faculty of Mechanical Engineering
      urz:mathematik_studenten urz:mathematik_mitarbeiter – Students or staff of the Faculty of Mathematics
      urz:phil_studenten urz:phil_mitarbeiter – Students or staff of the Faculty of Behavioural and Social Science
      urz:wiwi_studenten urz:wiwi_mitarbeiter – Students or staff of the Faculty of Economics and Business Administration
      urz:zlb_studenten urz:zlb_mitarbeiter – Students or staff of the Centre for Teacher Education
      urz:dezernate_mitarbeiter – Staff of the Central University Administration
      urz:ub_mitarbeiter – Staff of the University Library
      urz:mitarbeiter – Staff of the University Computer Centre (URZ)

Regular expressions (as in Perl) are possible:

  • e. g. everyone who has a valid login at the TU Chemnitz: Require shib-attr affiliation ~ ^.+@tu-chemnitz\.de$
  • e. g. everyone who is a student somewhere in .de: Require shib-attr affiliation ~ ^Student@.+\.de$

With several Require specifications, combinations are possible:

  • Normally one of the specified conditions must hold (OR).
  • If all conditions must hold (AND), enclose them in a <RequireAll> block, see the example.
Example: Directory dir22 should only be accessible to employees of the TU Chemnitz who work at the URZ. The .htaccess looks like this:
AuthType shibboleth
ShibRequestSetting requireSession 1
<RequireAll>
    Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de
    Require shib-attr orgUnitNumber ~ 134[0-9]{3}
</RequireAll>
Result: .../dir22/
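How the Require lines above combine, as an added example that is not part of the original page: a small Python model of the matching rules described in this section (one value of a ';'-separated multi-valued attribute suffices; `~` is an unanchored regular-expression search, which is why the page's own patterns carry ^ and $; several top-level Require lines are OR-ed; RequireAll and RequireNone nest). The directive strings are the ones from the page; the policy names and the attribute sets of the three visitors are constructed for this example. The model collapses Apache's "neutral" outcome of a RequireNone block into success, which gives the same decision as Apache when, as on this page, it sits beside a positive Require inside RequireAll.

```python
import re

def values(attrs, name):
    """Individual values of a multi-valued attribute (the SP joins them with ';')."""
    return [v for v in attrs.get(name, "").split(";") if v]

def require(line):
    """Turn one 'Require ...' line from the page's vocabulary into a predicate."""
    parts = line.split()
    if parts[:2] == ["Require", "shib-session"]:
        return lambda a: "REMOTE_USER" in a
    if parts[:2] == ["Require", "user"]:
        allowed = set(parts[2:])
        return lambda a: a.get("REMOTE_USER") in allowed
    if parts[:2] == ["Require", "shib-attr"]:
        name = parts[2]
        if parts[3] == "~":
            pattern = re.compile(parts[4])  # regex: unanchored search, one token
            return lambda a: any(pattern.search(v) for v in values(a, name))
        allowed = set(parts[3:])  # several literal values = OR
        return lambda a: any(v in allowed for v in values(a, name))
    raise ValueError("unsupported directive: " + line)

def require_any(*preds):  # several top-level Require lines: one must hold
    return lambda a: any(p(a) for p in preds)

def require_all(*preds):  # <RequireAll>: every line must hold
    return lambda a: all(p(a) for p in preds)

def require_none(*preds):  # <RequireNone>: fails as soon as one line holds
    return lambda a: not any(p(a) for p in preds)

POLICIES = {
    # The page's dir22 policy: TU Chemnitz employees who work at the URZ.
    "dir22": require_all(
        require("Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de"),
        require("Require shib-attr orgUnitNumber ~ 134[0-9]{3}"),
    ),
    # Two top-level lines: TU Chemnitz employees OR students of any institution.
    "staff_or_any_student": require_any(
        require("Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de"),
        require("Require shib-attr unscoped-affiliation Student"),
    ),
    # The page's "staff with some exceptions" pattern.
    "staff_except": require_all(
        require("Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de"),
        require_none(require("Require user login1 login2")),
    ),
    # Everyone with a TU Chemnitz login, external accounts included.
    "any_tuc_login": require(r"Require shib-attr affiliation ~ ^.+@tu-chemnitz\.de$"),
}

# Constructed attribute sets for three visitors (not real persons).
VISITORS = {
    "urz_employee": {
        "REMOTE_USER": "alf",
        "affiliation": "Mitarbeiter@tu-chemnitz.de;member@tu-chemnitz.de",
        "unscoped-affiliation": "Mitarbeiter;member",
        "orgUnitNumber": "024400;134200",
    },
    "dresden_student": {
        "REMOTE_USER": "lea@tu-dresden.de",
        "affiliation": "Student@tu-dresden.de",
        "unscoped-affiliation": "Student",
    },
    "external_account": {
        "REMOTE_USER": "ext",
        "affiliation": "Extern@tu-chemnitz.de",
        "unscoped-affiliation": "Extern",
    },
}

def decide(visitor):
    """Evaluate every policy for one visitor: {policy name: granted?}."""
    attrs = VISITORS[visitor]
    return {name: policy(attrs) for name, policy in POLICIES.items()}

if __name__ == "__main__":
    for visitor in VISITORS:
        print(visitor, decide(visitor))
```

Running it shows the two breadths worth checking before reusing the page's patterns: the unscoped `Student` rule admits the Dresden student, and `~ ^.+@tu-chemnitz\.de$` admits the Extern@tu-chemnitz.de account, exactly as the page says those rules are meant to.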

Own Authorisation

If you want the Web Trust Centre to handle user authentication but want to control access yourself (e. g. for web applications that store permissions in a database, or if the authorisation mechanisms listed above are not sufficient), you can also implement the authorisation yourself. The .htaccess file then contains:

AuthType shibboleth
ShibRequestSetting requireSession 0
Require shibboleth

To do this, you create a login page that performs the authorisation. This page is reached through the Shibboleth login handler with its own URL as target, i. e. via a link to /Shibboleth.sso/Login?target=https://www.tu-chemnitz.de/path/to/login_page.html

The following example illustrates this: .../dir23/index.html may be viewed by everyone. When you click on Login, you have to authenticate via the Web Trust Centre; access is then controlled by the PHP script (How it's programmed).

Attributes

After successful authentication at the Web Trust Centre and passed authorisation, the WTC provides the web server with some attributes of the logged-in person. They are available as environment variables that the web author can use, e. g. in CGI programs or PHP scripts:

Attribute                     Environment variable                 .htaccess after Require   Example
User ID                       REMOTE_USER                          user                      alf (with an external identity provider the domain is appended: alf@htwm.de)
Affiliation                   HTTP_SHIB_EP_AFFILIATION             affiliation               Mitarbeiter@tu-chemnitz.de
Affiliation (without scope)   HTTP_SHIB_EP_UNSCOPEDAFFILIATION     unscoped-affiliation      Student
Name                          HTTP_SHIB_PERSON_COMMONNAME          (not available)           Alfons Bitmeister
Surname                       HTTP_SHIB_PERSON_SURNAME             (not available)           Bitmeister
First name                    HTTP_SHIB_INETORGPERSON_GIVENNAME    (not available)           Alfons
Structural unit               HTTP_SHIB_ORGPERSON_ORGUNIT          (not available)           Central facilities of the university (several values separated by ;, hierarchy levels separated by |)
Structure number              HTTP_SHIB_ORGPERSON_ORGUNITNUMBER    orgUnitNumber             024400 (several values separated by ;)
E-mail address                HTTP_SHIB_ORGPERSON_EMAILADDRESS     (not available)           alf.bitmeister@hrz.tu-chemnitz.de
Example: Directory dir24 should only be accessible to employees and students of the TU Chemnitz. The .htaccess looks like this:
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de Student@tu-chemnitz.de
In .../dir24/index.php some attributes of the authenticated person are displayed – How it's programmed.
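A login page of the kind the "Own Authorisation" section calls for, combined with the attribute handling from the table above, as an added example in Python rather than the PHP the page mentions; it is not the script behind .../dir23 or .../dir24. It reads the environment variables REMOTE_USER, HTTP_SHIB_EP_AFFILIATION, HTTP_SHIB_ORGPERSON_ORGUNIT and HTTP_SHIB_ORGPERSON_ORGUNITNUMBER, splits the multi-valued ones on ';' and the hierarchy on '|' as described, and decides access from a permission table of its own. With `requireSession 0` the SP also passes anonymous requests through, so the script must itself send visitors without a session to the login handler. The permission table, the reader rule, the three visitor environments and the function names are constructed for this example; the login handler path and the target URL are the ones from the page.

```python
import os
from urllib.parse import quote

LOGIN_HANDLER = "/Shibboleth.sso/Login"  # the handler named on the page

# Hypothetical permission table of the web application, keyed by the login
# the WTC delivers in REMOTE_USER. A real application would keep this in its
# database; the entries here are constructed.
PERMISSIONS = {
    "alf": {"reports", "admin"},
    "lea@tu-dresden.de": {"reports"},
}

# Hypothetical rule: these scoped affiliations may read "reports" even
# without an entry in PERMISSIONS.
READER_AFFILIATIONS = {"Mitarbeiter@tu-chemnitz.de", "Student@tu-chemnitz.de"}


def multi(environ, var):
    """Values of a multi-valued Shibboleth attribute, which the SP joins with ';'."""
    return [v for v in environ.get(var, "").split(";") if v]


def org_units(environ):
    """Structural units as lists of hierarchy levels: ';' separates units, '|' levels."""
    return [unit.split("|") for unit in multi(environ, "HTTP_SHIB_ORGPERSON_ORGUNIT")]


def authorize(environ, wanted, target_url):
    """Decide one request; returns (HTTP status, body or redirect location).

    REMOTE_USER is missing when the visitor has no WTC session yet
    (requireSession 0): then redirect to the login handler, with this
    page's URL as percent-encoded target so the visitor comes back here.
    """
    user = environ.get("REMOTE_USER")
    if not user:
        return ("302 Found", LOGIN_HANDLER + "?target=" + quote(target_url, safe=""))
    granted = set(PERMISSIONS.get(user, ()))
    if set(multi(environ, "HTTP_SHIB_EP_AFFILIATION")) & READER_AFFILIATIONS:
        granted.add("reports")
    if wanted in granted:
        return ("200 OK", "%s: %s granted" % (user, wanted))
    return ("403 Forbidden", "%s: %s denied" % (user, wanted))


# Constructed CGI environments, as mod_shib would set them for three visitors.
VISITORS = {
    "anonymous": {},
    "alf": {
        "REMOTE_USER": "alf",
        "HTTP_SHIB_EP_AFFILIATION": "Mitarbeiter@tu-chemnitz.de;member@tu-chemnitz.de",
        "HTTP_SHIB_ORGPERSON_ORGUNIT": "Central facilities of the university|University Computer Centre",
        "HTTP_SHIB_ORGPERSON_ORGUNITNUMBER": "024400;134200",
    },
    "guest": {
        "REMOTE_USER": "guest@hs-mittweida.de",
        "HTTP_SHIB_EP_AFFILIATION": "Student@hs-mittweida.de",
    },
}

TARGET = "https://www.tu-chemnitz.de/path/to/login_page.html"  # the page's example URL


def run(visitor, wanted):
    """Decide a request of one constructed visitor for one permission."""
    return authorize(VISITORS[visitor], wanted, TARGET)


if __name__ == "__main__":
    # As a CGI script: decide from the real environment and emit CGI headers.
    status, payload = authorize(os.environ, "reports", TARGET)
    print("Status: " + status)
    if status.startswith("302"):
        print("Location: " + payload)
    print("Content-Type: text/plain\n")
    print(payload)
```

The decision is made from REMOTE_USER and the HTTP_SHIB_* variables only, which the SP sets from the WTC assertion; nothing the client can send in its own request headers reaches these names, which is what makes them safe to trust inside the script.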

How to do ...?

  • Only users with a login at the TU Chemnitz (students, employees, external users):
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr affiliation ~ ^.+@tu-chemnitz\.de$
  • Requests from outside require a login via the Web Trust Centre, requests from inside the TU Chemnitz do not:
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr affiliation ~ ^.+@tu-chemnitz\.de$
Require host tu-chemnitz.de
  • Access only from computers inside the TU Chemnitz with login via Web Trust Center, only employees:
AuthType shibboleth
ShibRequestSetting requireSession 1
<RequireAll>
    Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de
    Require host tu-chemnitz.de
</RequireAll>
  • Access for staff, with some exceptions:
AuthType shibboleth
ShibRequestSetting requireSession 1
<RequireAll>
    Require shib-attr affiliation Mitarbeiter@tu-chemnitz.de
    <RequireNone>
        Require user login1 login2
    </RequireNone>
</RequireAll>
  • Unprotect a subfolder of a protected folder without authentication:
AuthType None
ShibRequestSetting requireSession 0
Require all granted