Protecting websites with Shibboleth (mod_shib)
If your web server uses Shibboleth (mod_shib) for authentication, you can restrict resources to individuals in specific workgroups by using a special file called .htaccess.
- Using a text editor, create a plain text file named .htaccess (note the dot before the name).
- Enter the following lines in the file:
AuthType shibboleth ShibRequestSetting requireSession true Require shib-attr entitlement helpdesk:consultants helpdesk:managers
List all the workgroup names you want to include on the same line, separated by a space.
Enter the complete workgroup name (stem:id), including the tilde (~) for personal workgroups, and end with a blank line.
Please Note: The configuration above does not work with websites hosted on web.stanford.edu. If you are hosting on web.stanford.edu, see below for instructions on how to protect your website with WebAuth.
- Transfer the file to the directory you want protected (using Fetch, Dreamweaver or any other file-transfer method).
- When anyone attempts to access the directory containing this .htaccess file, they'll be asked to login via Weblogin. Only members of the workgroup you have entered in the .htaccess file will be given access to the directory.
Protecting websites with WebAuth
If your web server uses WebAuth for authentication, you can restrict resources to individuals in specific workgroups by using a special file called .htaccess. Note: WebAuth is deprecated, but is currently the only supported way to restrict access on the central web servers (i.e. web.stanford.edu).
- Using a text editor, create a plain text file named .htaccess (note the dot before the name)
-
Enter the following lines in the file:
AuthType WebAuth require privgroup helpdesk:consultants helpdesk:managers
List all the workgroup names you want to include on the same line, separated by a space. Enter the complete workgroup name (stem:id), including the tilde (~) for personal workgroups, and end with a blank line. - Transfer the file to the directory you want protected (using Fetch, Dreamweaver or any other file-transfer method).
- When anyone attempts to access the directory containing this .htaccess file, they'll be asked to login via Weblogin.
- Only members of the workgroup you have entered in the .htaccess file will be given access to the directory.
System-maintained groups
There is a set of system-maintained privgroups and workgroups.
These privgroups can be used in a .htaccess file:
| stanford:faculty | includes regular faculty, emeritus faculty, faculty on leave, incoming faculty, faculty affiliates, and other teaching faculty; does not include nonactive faculty |
| stanford:staff | includes regular staff, academic staff, staff on leave, emeritus staff, and other teaching staff; does not include casual staff (less than 50% time), temporary staff (less than a 6-month appointment), affiliate staff, Medical Center staff (sumc), retired staff, student staff or nonactive staff |
| stanford:student | includes regular students, students on leave, and MLA students; does not include NDO (non-degree option) students, incoming students, contingent students, students not registered, recent students, or nonactive students |
| stanford:stanford | union of faculty, staff, and student groups above |
| stanford:academic | faculty and student groups above, plus NDO (non-degree option) students, retired faculty, and academic staff |
| stanford:administrative | faculty and staff groups above, plus retired faculty, casual staff (less than 50% time), temporary staff (less than a 6-month appointment), and sponsored affiliates (anyone sponsored for a full or base SUNet ID) |
