How to use htaccess and SAML Attribute to secure your web content on OIT Plesk Servers

This FAQ was last modified on: Tuesday, August 14, 2018 01:57pm

What is the benefit of this type of authentication?

Using a .htaccess file together with a SAML attribute lets you secure your web content: only users whose SAML attribute carries the specified value are allowed to access the protected directory. For example, you can allow only GT employees (cas-attribute eduPersonAffiliation:employee) to access a specific web directory on your website.

Requirements:

1. mod_auth_cas enabled on your hosting account (all of the web hosting accounts on Plesk have mod_auth_cas enabled globally).

2. SAML authentication enabled on your hosting account (all of the web hosting accounts on Plesk have SAML authentication enabled globally).

3. Submit a request to support@oit.gatech.edu to have the proxy for your site set up for CAS/SAML authentication. (Note: Nginx runs in front of Apache on OIT Plesk Web Hosting and would otherwise interfere with this type of authentication, so the OIT Web Hosting team creates a rule that overrides the Nginx proxy for your site specifically.)

What do you need to do to be able to use this authentication feature?

1. Submit a data request to the GT Identity and Access Management (IAM) team (https://iam.gatech.edu/gted/data_steward_request.html). Specify which attributes (e.g. displayName, gtAccountEntitlement, gtPersonEntitlement) your site will use to decide which users may access your specific directory. More information about the Georgia Tech Enterprise Directory (GTED) is available at http://iamweb1.iam.gatech.edu/docs/services/GTED.

Here are some examples of the SAML Attribute you can request from IAM team:

  • eduPersonAffiliation:employee
  • eduPersonScopedAffiliation:staff@YOURDEPARTMENT
  • gtPersonEntitlement:/gt/departmental/YOURDEPARTMENT/iYOUR-DEPARTMENT-facstaff/enabled
  • gtAccountEntitlement:/gt/gtad/_YOURCOLLEGE/YOURADOU/grYOURADOU-SOMEGROUP
  • gtActiveCourse:YOURSCHOOL/COURSENUMBER/SECTION/CRN

2. Create a .htaccess file in a directory where you want to secure your web content.

3. Add the following lines to your newly created .htaccess file (you will need to adjust the third line to suit your site's requirements). In the example below, only GT employees will be able to access the web content in the directory where your .htaccess file is located.

AuthType CAS
CASAuthNHeader On
require cas-attribute eduPersonAffiliation:employee

4. Run some tests. Have people with and without that specific SAML attribute open any web content inside that directory in a web browser. They should be prompted to log in. After they complete the login, users with that specific SAML attribute should be able to access the web content, and users without it should not.
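As an added example (not from the OIT FAQ and not from the mod_auth_cas project), here is a .htaccess that combines several of the attributes listed above instead of a single require line. It assumes Apache 2.4 with a mod_auth_cas version that registers cas-attribute as an authorization provider, so that Require lines can be grouped with <RequireAny> and <RequireAll>; the department, college and group names are placeholders to be replaced with the values the IAM team releases to your site.

```apacheconf
# Added example .htaccess (not from the OIT FAQ): protect this directory with CAS/SAML
# and grant access to EITHER members of one AD group OR employees whose scoped
# affiliation is staff in one department. Everyone else is still sent to the CAS
# login page, but is denied after logging in.
# Assumption: Apache 2.4 + mod_auth_cas with cas-attribute as an authz provider.
# Placeholders: _YOURCOLLEGE, YOURADOU, grYOURADOU-SOMEGROUP, YOURDEPARTMENT.
AuthType CAS
CASAuthNHeader On

<RequireAny>
    # Any member of this AD group (gtAccountEntitlement is released by IAM on request)
    Require cas-attribute gtAccountEntitlement:/gt/gtad/_YOURCOLLEGE/YOURADOU/grYOURADOU-SOMEGROUP

    # ... or a user who is BOTH a GT employee AND staff in this department
    <RequireAll>
        Require cas-attribute eduPersonAffiliation:employee
        Require cas-attribute eduPersonScopedAffiliation:staff@YOURDEPARTMENT
    </RequireAll>
</RequireAny>
```

Attribute matching is an exact string comparison on the value after the colon, so a user whose eduPersonScopedAffiliation is staff@ANOTHERDEPARTMENT does not match the second branch. When testing, use one account per branch (group member only, department staff only, neither) so that each Require line is exercised on its own.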

Note: You should have basic troubleshooting knowledge of how to check whether your site receives the SAML attributes and whether it receives the correct attribute values. We are not covering this here because it is out of the scope of this specific FAQ.