cPanel, Using Shibboleth to control who can see your website
Force HTTPS for your site
Sites using Shibboleth must communicate over HTTPS. If you are already forcing HTTPS redirection in your .htaccess file, remove those rules and use the cPanel-provided redirection instead. This avoids a number of problems with AutoSSL and prevents possible redirect loops during the authentication process.
To enable HTTPS redirection:
- Visit your cPanel dashboard and find the item labeled Domains. (The search box at the top of the screen can help.)
- Each of your domains will be listed on the resulting page.
- In the column labeled Force HTTPS Redirect, toggle the control to On for the domain you wish to restrict.
Requiring login for your entire website
To restrict your entire website, you will need to create a file called .htaccess in your public_html folder. You may already have a .htaccess file containing code for WordPress or Drupal if you have those installed. If the file already exists, add the Shibboleth code at the top of it.
- Log in to cPanel at https://web.illinois.edu.
- In the Commonly Used Features section of your dashboard, click on File Manager.
- Make sure Show Hidden Files (dotfiles) is checked in the settings. Settings is the gear in the upper right.
- Click on the public_html folder and search for a file called .htaccess (note it starts with a period).
- If there is a .htaccess file, right click on the file and choose "Code Edit" on the menu. If there is no .htaccess file, create one by clicking on the +File menu item. Name the file .htaccess and make sure it is in the public_html folder.
- Right click on the file and click on Edit on the menu. (Alternatively, you can click on the icon for the .htaccess file and then click on the Edit icon at the top of the page.)
- A dialogue box may appear asking you about encoding. Just click on the Edit button to continue. The editor will open in a new window or tab.
Add the following lines to the file and then save the file:
    AuthType Shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session
Requiring login for part of your website
To restrict only part of your website, follow the steps above but put the .htaccess file in the folder that contains the part of the website you would like to restrict to just people with valid Illinois NetIDs. For example, if your website is http://mysite.web.illinois.edu and you would like to require logins to http://mysite.web.illinois.edu/groupOnly, then you would put the .htaccess file in the "groupOnly" folder.
If you are using WordPress, add the following lines above the "# BEGIN WordPress" line in the .htaccess file in your public_html folder (not the folder you want to protect):
    # Shibboleth quick-exit
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/Shibboleth.sso($|/)
    RewriteRule . - [L]
More advanced restrictions
The rules above require a user to be logged in to Shibboleth, but do not perform any authorization steps. You can also restrict your site to specific users, specific AD groups, or affiliation.
Require specific user(s):
    AuthType Shibboleth
    ShibRequestSetting requireSession 1
    Require shib-user email1@illinois.edu email2@illinois.edu
Require membership in an AD group:
    AuthType Shibboleth
    ShibRequestSetting requireSession 1
    Require shib-attr member "urn:mace:uiuc.edu:urbana:unitname:foldername:foldername:group name"
All group names will begin with "urn:mace:uiuc.edu" as the root of the AD. From there, the path elements map to the location of your group in the AD structure.
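The rules on this page can be checked mechanically before a .htaccess file is saved. The following is an added example, not part of the original page or of cPanel or Shibboleth: a small audit that flags authentication-only rules (no authorization), hand-written HTTPS redirects, and a WordPress quick-exit block placed below the "# BEGIN WordPress" line. The function name, finding codes, and sample files are hypothetical and constructed for illustration, and the audit assumes the site protects at least one folder with Shibboleth.

```python
import re

WP_MARKER = "# BEGIN WordPress"

# Constructed sample files (not taken from a real site).
PROTECTED_FOLDER = """AuthType Shibboleth
ShibRequestSetting requireSession 1
Require shib-session
"""
WORDPRESS_ROOT = """RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# BEGIN WordPress
RewriteRule . /index.php [L]
# END WordPress
# Shibboleth quick-exit
RewriteCond %{REQUEST_URI} ^/Shibboleth.sso($|/)
RewriteRule . - [L]
"""

def audit_htaccess(text):
    """Return hypothetical finding codes for the text of one .htaccess file."""
    lines = [ln.strip() for ln in text.splitlines()]
    active = [ln for ln in lines if ln and not ln.startswith("#")]
    has = lambda pat: any(re.match(pat, ln, re.I) for ln in active)
    findings = []
    if has(r"AuthType\s+Shibboleth\b"):
        if not has(r"ShibRequestSetting\s+requireSession\s+(1|true)\b"):
            findings.append("no-require-session")
        requires = [ln.split()[1].lower() for ln in active
                    if re.match(r"Require\s+\S", ln, re.I)]
        if not requires:
            findings.append("no-require-directive")
        elif all(r == "shib-session" for r in requires):
            # Any logged-in user passes: login is required, nothing is authorized.
            findings.append("authn-only")
    # The page says to remove manual HTTPS rules and use cPanel's toggle instead.
    if has(r"RewriteCond\s+%\{HTTPS\}"):
        findings.append("manual-https-redirect")
    # The quick-exit block must sit above the WordPress rewrite rules.
    if WP_MARKER in lines:
        quick_exit = r"RewriteCond\s+%\{REQUEST_URI\}\s+\^/Shibboleth"
        at = next((i for i, ln in enumerate(lines)
                   if re.match(quick_exit, ln, re.I)), None)
        if at is None or at > lines.index(WP_MARKER):
            findings.append("quick-exit-not-above-wordpress")
    return findings

if __name__ == "__main__":
    for name, text in [("folder", PROTECTED_FOLDER), ("root", WORDPRESS_ROOT)]:
        print(name, audit_htaccess(text))
```

An "authn-only" finding is not an error when any valid NetID holder should have access; it is a reminder that no user, group, or affiliation check is in place.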