## SHIB Config
######
+#
+# Load the Resource Manager and SHIRE modules.
+# Note that ORDER MATTERS! Apache runs the modules in the
+# _reverse_ order that modules were loaded. The RM module
+# depends on the Shire module, so you need this load-order
+# to make sure they are run properly.
+#
+# If you see log messages about "NOOP" configurations, then you
+# have messed this up.
+#
LoadModule shibrm_module /opt/shibboleth/libexec/mod_shibrm.so
LoadModule shire_module /opt/shibboleth/libexec/mod_shire.so
+#
# Global SHIRE Configuration
+# This is the INI file that contains all the global, non-apache-specific
+# configuration. Look at this file for most of your configuration
+# parameters.
+#
SHIREConfig /opt/shibboleth/etc/shibboleth/shibboleth.ini
-# Set the SHIRE POST processor URL
+#
+# The SHIRE POST processor URL
+# Most of the time, this should be a path only, so that the schema,
+# host, and port will determined dynamically in each virtual host. If
+# for some reason the dynamically derived URL is not appropriate, a
+# complete URL can be used, and may be set per-vhost explicitly:
+# SHIREURL https://<server-name>/shibboleth/SHIRE
+#
+# The SHIREURL and subsequent "Location" handler must match.
+#
SHIREURL /shibboleth/SHIRE
<Location /shibboleth/SHIRE>
SetHandler shib-shire-post
</Location>
+#
# Basic Attribute Mappings
+# Register attributes you wish to recognize and map them to an
+# authorization "alias" for use with require directives.
+# REMOTE_USER is a special case, suggested for use with EPPN,
+# and is automatically checked by a "require user" rule.
+# The parameter syntax is <attribute-uri> <HTTP-header> [<alias>]
+#
ShibMapAttribute urn:mace:eduPerson:1.0:eduPersonPrincipalName REMOTE_USER
ShibMapAttribute urn:mace:eduPerson:1.0:eduPersonAffiliation Shib-EP-Affiliation affiliation
+ShibMapAttribute urn:mace:eduPerson:1.0:eduPersonPrimaryAffiliation Shib-EP-PrimaryAffiliation primary-affiliation
ShibMapAttribute urn:mace:eduPerson:1.0:eduPersonEntitlement Shib-EP-Entitlement entitlement
+#
# Configure a test directory
+#
+# You need _at least_ a "require" option for shib to take effect for this
+# directory. You can either set the AuthType to "shibboleth", or you can
+# turn on ShibBasicHijack.
+#
<Location /secure>
AuthType shibboleth
require valid-user