XML Access Control

If you plan to use the Shibboleth XML access control rules with Apache (e.g. in order to dynamically protect a location), there a different ways to realize this. Here, we show you some details of a typical configuration with externalized ACLs.

To use Shibboleth with XML Access Control you need to

  1. create ACL files in the directories that you want to protect
  2. enable Shibboleth for the desired directories
  3. configure the RequestMapper for your (v)host
  4. keep a look at your Apache aliases

Some basic configuration is documented here for Shibboleth 2.x and here for Shibboleth 1.3.

ACL files

  • You may use the AND, OR and NOT operators.
  • Rules are defined with the <Rule> Tag.
  • For Shibboleth 2.x there is an additional <RuleRegex> Rule for regular expression matching.
  • Place the file in the desired directory and call it .shibacl.xml
<?xml version="1.0" encoding="UTF-8"?>
<AccessControl xmlns="urn:mace:shibboleth:target:config:1.0">
			<!-- only shibboleth 2.x -->
                        <RuleRegex require="affiliation" ignoreCase="true">^faculty@.+\.edu$
			<Rule require="workGroup">member@osu.edu</Rule>
			<Rule require="uid">ppeters mmuster</Rule>
			<Rule require="principal">ppeters@hm.edu mmuster@hm.edu extuser@uni-muenchen.de</Rule>
			<Rule require="unscoped-affiliation">member</Rule>
		<Rule require="studyTerm">1</Rule>

Attribute Names

If you wonder where to define the names of the attributes you can check for, have a look at the AAP.xml (Shibboleth 1.3.x) file (Attribute Acceptance Policy) or the attribute-map.xml (Shibboleth 2.x) file, which usually is located in /etc/shibboleth/ or /etc/shibboleth2/. That file lists all attributes that have an alias name, which can be used for the access rules.

Enable Shibboleth for the desired directories

You have to make sure that the Shibboleth module actually is active for the specific location or the whole web server. This can be done by using a rule in the Apache configuration as follows:

<Location />
    AuthType shibboleth
    Require shibboleth


<Directory />
    Options FollowSymLinks
    AllowOverride All
    Order deny,allow
    AuthType shibboleth
    Require shibboleth

However, you may also use .htaccess files that enable shibboleth only for a specific location. So you'd create a corresponding .htaccess file for every .shibacl.xml with the following contents.

AuthType shibboleth
Require shibboleth
#ShibRequireSession On

Configure the RequestMapper

If you want to define nested xml access control you have to use nested <Path> tags in shibboleth.xml:

<Host name="sp.intern">
	<Path name="testxml" authType="shibboleth" requireSession="true">
			type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl" />
		<Path name="sub" authType="shibboleth" requireSession="true">
				type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl" />

The following configuration won't work:

<Host name="sp.intern">
	<Path name="testxml" authType="shibboleth" requireSession="true">
			type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl" />
	<Path name="testxml/sub" authType="shibboleth" requireSession="true">
			type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl" />

Multiple path segments in a single element are not supported when the pathes overlap. We configured access control using multiple path segments in one element and when there was a need to configure more restricted access control for a subdirectory of such an element that lead to unexpected behaviour.

Finally, this means that an admin has to check every Path element every time he configures a Path, because he may configure Path segments that overlap. Thus, you should not use the feature of multiple path segments in a single element at all.


The Shibboleth plugin evaluates the request URI to determine whether a specific location needs to be protected or not. One consequence of this behaviour is, that whenever you configure an Apache alias for a protected location you have to add a corresponding <Path> directive to your shibboleth.xml, too.

Additional Access control

It is possible to configure additional mod_access directives like

Allow from

in .htaccess files in the specific location. These directives are evaluated before the Shibboleth ACLs.

Using htpasswd

If you want to grant access to a subject outside of the AAI you may configure an alternative htpasswd protection. The downside of this configuration is that you have to choose between htpasswd and Shibboleth. Using both for one location is not possible. However, if you still want do it (e.g. for subversion), you need to configure

AllowOverride all

for the specific location in your apache configuration and place a .htaccess that overrides the Shibboleth ACLs.

  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/svn/dav_svn.passwd
  Require valid-user
xml_access_control.txt · Last modified: 2012/03/24 03:10 (external edit)
Recent changes RSS feed Creative Commons License Driven by DokuWiki Made on Mac