cPanel, Using Shibboleth to control who can see your website

The cPanel server is configured as a Shibboleth Service provider. This means that any website on the server can automatically use Shibboleth to require anyone with a valid Illinois NetID to login before seeing all or part of the website.

Force HTTPS for your site

Sites using Shibboleth must communicate over HTTPS. If you are already forcing HTTPS redirection in your .htaccess file, remove those rules and use the cPanel-provided redirection instead. This relieves a number of problems with AutoSSL and possible redirect loops during the authentication process.

To enable HTTPS redirection:

  1. Visit your cPanel dashboard and find the item labeled Domains. (The search box at the top of the screen can help.)
  2. Each of your domains will be listed on the resulting page. 
  3. In the column labeled Force HTTPS Redirect, toggle the control to On for the domain you wish to restrict.

Requiring login for your entire website

To restrict your entire website, you will need to create a file called .htaccess in your public_html folder. You may already have a .htaccess file with code in it for Wordpress or Drupal if you have those installed. You can add the Shibboleth code to the top of the .htaccess file if it already exists.

  1. Login to cPanel at https://web.illinois.edu.
  2. In the Commonly Used Features section of your dashboard, click on File Manager
  3. Make sure Show Hidden Files (dotfiles) is checked in the settings. Settings is the gear in the upper right.
  4. Click on the public_html and search for a file called .htaccess (note it starts with a period).
  5. If there is a .htaccess file, right click on the file and choose "Code Edit" on the menu. If there is no .htaccess file, create one by clicking on the +File menu item. Name the file .htaccess and make sure it is in the public_html folder.

  6. Right click on the file and click on Edit on the menu. (Alternatively, you can click on the icon for the .htaccess file and then click on the Edit icon at the top of the page.)
  7. A dialogue box may appear asking you about encoding. Just click on the Edit button to continue.  The editor will open in a new window or tab.
  8. Add the following lines to the file and then save the file.:

    AuthType Shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session

Requiring login for part of your website

To restrict only part of your website, follow the steps above but put the .htaccess file in the folder that contains the part of the website you would like to restrict to just people with valid Illinois NetIDs. For example, if your website is http://mysite.web.illinois.edu and you would like to require logins to http://mysite.web.illinois.edu/groupOnly, then you would put the .htaccess file in the "groupOnly" folder.

If you are using Wordpress, add the following lines above the "# BEGIN WordPress" line in the .htaccess file in your public_html folder (not the folder you want to protect)


# Shibboleth quick-exit
 RewriteEngine on
 RewriteCond %{REQUEST_URI} ^/Shibboleth.sso($|/)
 RewriteRule . - [L]

More advanced restrictions

The rules above require a user to be logged in to Shibboleth, but do not perform any authorization steps. You can also restrict your site to specific users, specific AD groups, or Affiliation.

Require specific user(s):

AuthType Shibboleth
ShibRequestSetting requireSession 1
Require shib-user email1@illinois.edu email2@illinois.edu

Require membership in an AD group

AuthType Shibboleth
ShibRequestSetting requireSession 1
Require shib-attr member "urn:mace:uiuc.edu:urbana:unitname:foldername:foldername:group name"

All group names will begin with "urn:mace:uiuc.edu" as the root of the AD. From there, the path elements map to the location of your group in the AD structure.




Keywords:
cPanel, web hosting, Shibboleth, authentication, authorization 
Doc ID:
84989
Owned by:
Web H. in University of Illinois Technology Services
Created:
2018-08-17
Updated:
2023-06-20
Sites:
University of Illinois Technology Services