Default allow access to Shibboleth.sso by default in shibd.conf
Description
We add the below config to shibd.conf by default in all of our installations as we have been caught out a few times when using some config directives that result in /Shibboleth.sso and /shibboleth-sp locations not being accessible. E.g.:
"<Location />" - Protecting / with Shibboleth auth results in /Shibboleth.sso also being protected by Shibboleth auth
"Alias / index.php" - Been used by some third party applications as a way to parse virtual paths - here we use a "php_flag engine off" - but this is probably not quite right for everything as it presumes that PHP is installed
It is easy enough to add, however thought Shibboleth installs may benefit from having this included in the config by default
Ensure access is not stopped by other Auth method to Shibboleth
<Location /Shibboleth.sso>
    Satisfy Any
    Allow from all
    AuthType None
    Require all granted
    # Maybe exclude or wrap in an IfModule
    php_flag engine off
</Location>
<Location /shibboleth-sp>
    Satisfy Any
    Allow from all
    AuthType None
    Require all granted
    # Maybe exclude or wrap in an IfModule
    php_flag engine off
</Location>
Environment
None
Activity
Scott Cantor June 18, 2013 at 2:24 AM
Closing on release.
Scott Cantor May 23, 2013 at 3:08 AM
Ok, for < 2.4, I switched to just add Allow from All and Satisfy Any. That should subvert any AuthType that's set without trying to "unset" AuthType, which isn't supported.
For 2.4, I used AuthType None and Require all granted, since Satisfy is deprecated there.
Scott Cantor May 23, 2013 at 1:34 AM
Then that means I need to pull AuthType entirely and replace it with Satisfy.
Aaron Howell May 23, 2013 at 1:29 AM
Sorry, it seems I got confused on when AuthType None & Require all granted came into Apache.
Satisfy was not pointless though, as the AuthType/Require rule it is trying to combat could be defined elsewhere, e.g.:
<Location />
    AuthType Basic
    AuthName "Restricted Files"
    AuthBasicProvider file
    AuthUserFile /var/www/htpasswd
    require user username
</Location>
Scott Cantor May 21, 2013 at 2:47 PM
Satisfy is also pointless if there's no require rule so I removed that from the older versions.
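The outcome of the thread above, written out as a single version-aware carve-out for the handler path (an added example, not the config the project shipped; it assumes mod_version is loaded so IfVersion is available, and names the PHP module mod_php5.c, which may differ on your build):

```apache
# Added example, not Shibboleth's shipped config. Site-wide Basic auth as in
# the thread, with /Shibboleth.sso carved out so mod_shib's own handler stays
# reachable on both httpd 2.2 and 2.4. Assumes mod_version (IfVersion) is
# loaded; the PHP module name below is an assumption.

# The inherited rule the carve-out has to beat: everything under / needs a user.
<Location />
    AuthType Basic
    AuthName "Restricted Files"
    AuthBasicProvider file
    AuthUserFile /var/www/htpasswd
    Require user username
</Location>

<Location /Shibboleth.sso>
    <IfVersion < 2.4>
        # 2.2: Satisfy Any lets the host-based Allow alone grant access,
        # so the inherited Require user is never evaluated here.
        Order allow,deny
        Allow from all
        Satisfy Any
    </IfVersion>
    <IfVersion >= 2.4>
        # 2.4: Satisfy is deprecated; AuthType None plus Require all granted
        # replaces the inherited AuthType/Require pair outright.
        AuthType None
        Require all granted
    </IfVersion>
    # Stop an "Alias / index.php"-style catch-all from handing the handler
    # URL to PHP; only emitted when the PHP module is actually loaded.
    <IfModule mod_php5.c>
        php_flag engine off
    </IfModule>
</Location>
```

The same block, with the path changed, covers /shibboleth-sp.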