Default allow access to Shibboleth.sso by default in shibd.conf

Description

We add the below config to shibd.conf by default in all of our installations, as we have been caught out a few times when using some config directives that result in the /Shibboleth.sso and /shibboleth-sp locations not being accessible, e.g.:
"<Location />" - protecting / with Shibboleth auth results in /Shibboleth.sso also being protected by Shibboleth auth
"Alias / index.php" - used by some third-party applications as a way to parse virtual paths; here we use "php_flag engine off", but this is probably not quite right for everything, as it presumes that PHP is installed

It is easy enough to add; however, I thought Shibboleth installs may benefit from having this included in the config by default.

  # Ensure access is not stopped by another auth method on the Shibboleth handler
  <Location /Shibboleth.sso>
    Satisfy Any
    Allow from all
    AuthType None
    Require all granted
    # Maybe exclude the next line or wrap it in an IfModule (httpd does not
    # allow a comment on the same line as a directive, so it sits on its own line)
    php_flag engine off
  </Location>

  <Location /shibboleth-sp>
    Satisfy Any
    Allow from all
    AuthType None
    Require all granted
    # Maybe exclude the next line or wrap it in an IfModule
    php_flag engine off
  </Location>
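The following virtual host fragment is an added example, not config from this issue or from the Shibboleth project. It shows the lock-out the description refers to (a site-wide <Location /> protected with Shibboleth) next to an exemption for the handler paths that works on both httpd 2.2 and 2.4 without relying on an unsupported "unset" of AuthType. The host name, DocumentRoot and the /usr/share/shibboleth alias target are placeholders; the mod_authz_core test is used as the 2.4 version switch because that module only exists in 2.4.

```apache
# Added example (not from the issue or the Shibboleth project). Host name,
# DocumentRoot and the alias target are placeholders.
<VirtualHost *:443>
    ServerName sp.example.org
    DocumentRoot /var/www/app

    # Static error pages and logos served by the SP's own alias.
    Alias /shibboleth-sp /usr/share/shibboleth

    # The site-wide protection that causes the problem: on its own, this also
    # applies to /Shibboleth.sso, so the SP's handler is sent into the very
    # login it is supposed to complete, and the user loops or gets denied.
    <Location />
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>

    # Exemption for the handler and the static files. Location sections are
    # merged in configuration order, so this block must come AFTER <Location />
    # to override it. mod_authz_core exists only in httpd 2.4, so it selects
    # the 2.4 form (AuthType None / Require all granted; Satisfy is deprecated
    # there) versus the 2.2 form (Satisfy Any / Allow from all, which bypasses
    # whatever AuthType and Require were inherited from the parent section).
    <LocationMatch "^/(Shibboleth\.sso|shibboleth-sp)">
        <IfModule mod_authz_core.c>
            AuthType None
            Require all granted
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Allow from all
            Satisfy Any
        </IfModule>

        # Keep PHP from claiming these paths when an application maps the site
        # root to a front controller (e.g. "Alias / index.php"). Wrapped so the
        # directive does not break httpd on hosts without mod_php.
        <IfModule mod_php5.c>
            php_flag engine off
        </IfModule>
        <IfModule mod_php7.c>
            php_flag engine off
        </IfModule>
    </LocationMatch>
</VirtualHost>
```

After a configuration reload, a request to a handler URL such as /Shibboleth.sso/Session should return the SP's own response (an HTTP 200 page from shibd) rather than a 401 or a redirect to the IdP; if it still redirects, a later section in the configuration is re-protecting the path and the exemption needs to be moved after it.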

Environment

None

Activity

Scott Cantor June 18, 2013 at 2:24 AM

Closing on release.

Scott Cantor May 23, 2013 at 3:08 AM

Ok, for < 2.4, I switched to just add Allow from All and Satisfy Any. That should subvert any AuthType that's set without trying to "unset" AuthType, which isn't supported.

For 2.4, I used AuthType None and Require all granted, since Satisfy is deprecated there.

Scott Cantor May 23, 2013 at 1:34 AM

Then that means I need to pull AuthType entirely and replace it with Satisfy.

Aaron Howell May 23, 2013 at 1:29 AM
Edited

Sorry, it seems I got confused on when AuthType None & Require all granted came into Apache.

Satisfy was not pointless though, as the AuthType/Require rule it is trying to combat could be defined elsewhere, eg:
<Location />
    AuthType Basic
    AuthName "Restricted Files"
    AuthBasicProvider file
    AuthUserFile /var/www/htpasswd
    Require user username
</Location>

Scott Cantor May 21, 2013 at 2:47 PM

Satisfy is also pointless if there's no require rule so I removed that from the older versions.

Fixed

Details

Created August 13, 2012 at 1:27 AM
Updated August 6, 2021 at 10:05 PM
Resolved May 20, 2013 at 3:50 PM