cPanel, Using Shibboleth to control who can see your website

The cPanel server is configured as a Shibboleth Service Provider. This means that any website on the server can automatically use Shibboleth to require visitors to log in with a valid Illinois NetID before seeing all or part of the website.

Requiring login for your entire website

To restrict your entire website, you will need to create a file called .htaccess in your public_html folder. You may already have a .htaccess file containing code for WordPress or Drupal if you have those installed. If the file already exists, add the Shibboleth code at the top of it.

  1. Log in to cPanel at
  2. In the Commonly Used Features section of your dashboard, click on File Manager
  3. Make sure Show Hidden Files (dotfiles) is checked in the settings. Settings is the gear in the upper right.
  4. Click on the public_html folder and look for a file called .htaccess (note that the name starts with a period).
  5. If there is a .htaccess file, right click on the file and choose "Code Edit" on the menu. If there is no .htaccess file, create one by clicking on the +File menu item. Name the file .htaccess and make sure it is in the public_html folder.

  6. Right click on the file and click on Edit on the menu. (Alternatively, you can click on the icon for the .htaccess file and then click on the Edit icon at the top of the page.)
  7. A dialogue box may appear asking you about encoding. Just click on the Edit button to continue.  The editor will open in a new window or tab.
  8. If you are using the cPanel AutoSSL feature for your SSL certificate, use the following lines in your .htaccess file:

    RewriteCond %{ENV:autossl_request} !=yes 
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session
    Require env autossl_request
    Require expr %{HTTPS} != "on"

  9. If you have your own SSL certificate not issued through cPanel use these lines:

    AuthType Shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting redirectToSSL 443
    Require shib-session
    Require env autossl_request
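
Added example, not part of the original article or of cPanel's own tooling: in the AutoSSL variant, Apache treats the three sibling Require lines as alternatives, so `Require expr %{HTTPS} != "on"` admits plain-HTTP requests without a session, and the login requirement holds only while the RewriteRule redirect stays in the same file. The hypothetical `lint_htaccess` helper below checks that pairing; `MISSING_REDIRECT` is a constructed sample.

```python
import re

# Step 8's AutoSSL variant, copied from the page.
PAGE_AUTOSSL = """\
RewriteCond %{ENV:autossl_request} !=yes
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-session
Require env autossl_request
Require expr %{HTTPS} != "on"
"""
# Constructed sample: the same file after the three Rewrite lines were lost in a merge.
MISSING_REDIRECT = PAGE_AUTOSSL.split("\n", 3)[3]

def directives(text):
    """Yield (lowercased name, argument string) for each non-comment line."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            yield parts[0].lower(), parts[1] if len(parts) > 1 else ""

def lint_htaccess(text):
    """Return a list of findings; an empty list means every check passed."""
    d = list(directives(text))
    requires = [a for n, a in d if n == "require"]
    findings = []
    if not any(n == "authtype" and a.lower() == "shibboleth" for n, a in d):
        findings.append("missing AuthType shibboleth")
    if not any(a.lower() == "shib-session" for a in requires):
        findings.append("missing Require shib-session")
    # A Require line that admits every request arriving over plain HTTP.
    http_exempt = any(
        re.match(r'expr\s+%\{HTTPS\}\s*!=\s*"?on"?$', a, re.I) for a in requires)
    # A RewriteCond %{HTTPS} !=on whose RewriteRule redirects to https://.
    cond_seen = redirects = False
    for n, a in d:
        if n == "rewritecond" and re.match(r"%\{HTTPS\}\s+!=on$", a, re.I):
            cond_seen = True
        elif n == "rewriterule":
            target = a.split()[1:2]
            if cond_seen and target and target[0].lower().startswith("https://"):
                redirects = True
            cond_seen = False  # conditions apply only to the next RewriteRule
    if http_exempt and not redirects:
        findings.append("plain HTTP is exempt from login but is not redirected to HTTPS")
    return findings
```

Run it against the contents of a .htaccess file after each edit; the linter only reads the file itself, so it cannot tell whether rewriting is enabled for the directory by the server configuration.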

Requiring login for part of your website

To restrict only part of your website, follow the steps above but put the .htaccess file in the folder that contains the part of the website you would like to restrict to just people with valid Illinois NetIDs. For example, if your website is and you would like to require logins to, then you would put the .htaccess file in the "groupOnly" folder.
