Set up KU authentication on cPanel servers
If you are hosting your website on a cPanel webserver, you have the option of using Shibboleth to protect your pages (people.ku.edu does NOT support Shibboleth). This will require a user to authenticate with their KU Online ID and password before viewing the page. The catch is users outside of KU will have no way to access your content.
You can restrict access even further, down to specific users, specific department(s) and many, many other criteria. A complete list of attributes available via Shibboleth are available on the kuPerson spec sheet, and a list of how those attributes are accessed can be viewed here: Shibboleth Attribute Mapping. If you want to restrict access to anything beyond all KU users, complete the Shibboleth Attribute Request Form for the attributes you need, or email email@example.com with questions.
More info, including "What is Shibboleth?" can be found at About Shibboleth
Support can be found in the KU Web Developers - Shibboleth thread
Protecting a Directory and All Directories and Files In It
Protecting your pages via Shibboleth is as easy as dropping a file named .htaccess in the directory you wish to protect. Users will then be prompted to authenticate before accessing the content.
To protect all pages within a directory and all files/directories within it, place this code in a file named .htaccess:
AuthType Shibboleth ShibRequireSession On require valid-user ShibRedirectToSSL 443
Protecting Specific Files
If you only need to protect a single file, place this code in .htaccess and replace myfile.shtml with the filename you wish to protect:
<Files myfile.shtml> AuthType Shibboleth ShibRequireSession On require valid-user ShibRedirectToSSL 443 </Files>
You may utilize Apache directives to determine which files/directories to protect.
To protect multiple files, duplicate the single-file protection and change the filename. For example in the above code, duplicate it and change myfile.shtml to myfile2.shtml.
Restrict Access to Specific Users
If you need to explicitly define a list of users who need to access pages, you may use the following code in an .htaccess file. You may add as many users as you want with a space between each user:
AuthType Shibboleth ShibRequireSession On require user firstname.lastname@example.org email@example.com ShibRedirectToSSL 443
Note: Restricting access to specific users using the above code will only work if Shibboleth has not been configured to return custom attributes for that account. You may need to request the attribute corresponding to use .htaccess attribute `user` found in the attribute list.
Restrict Access by Affiliation
To restrict access of a directory to a specific group of users, such as faculty or staff, use the following code in an .htaccess file. You may add as many groups as you want with a space between each group. The user is only required to meet one of the criteria to view the page:
AuthType Shibboleth ShibRequireSession On require affiliation firstname.lastname@example.org email@example.com ShibRedirectToSSL 443
The above code would restrict access to faculty or staff. All other users will be denied access.
Overriding Shibboleth Protection in Sub-directories
You can override the AuthConfig directive by using the following code in an .htaccess file within the directory you wish to remove protection. This will disable Shibboleth for that directory and all directories below it:
Protecting Using Multiple Criteria
Sometimes you may need to authenticate against multiple criteria, such as Faculty within a certain Department. You should add the line ShibRequireAll On to require all listed criteria. The below code would require the user be both a member of the Department 1542000 and a Faculty.
AuthType Shibboleth ShibRequireSession On ShibRequireAll On require affiliation firstname.lastname@example.org require departmentNumber 1542000 ShibRedirectToSSL 443