
cPanel, Using Shibboleth to control who can see your website

The cPanel server is configured as a Shibboleth Service Provider. This means that any website on the server can use Shibboleth to require anyone with a valid Illinois NetID to log in before seeing all or part of the website.

Force HTTPS for your site

Sites using Shibboleth must communicate over HTTPS. If you are already forcing HTTPS redirection in your .htaccess file, remove those rules and use the cPanel-provided redirection instead. This avoids a number of problems with AutoSSL and possible redirect loops during the authentication process.

To enable HTTPS redirection:

  1. Visit your cPanel dashboard and find the item labeled Domains. (The search box at the top of the screen can help.)
  2. Each of your domains will be listed on the resulting page. 
  3. In the column labeled Force HTTPS Redirect, toggle the control to On for the domain you wish to restrict.

Requiring login for your entire website

To restrict your entire website, you will need to create a file called .htaccess in your public_html folder. You may already have a .htaccess file with code in it for WordPress or Drupal if you have those installed. If the file already exists, add the Shibboleth code to the top of it.

  1. Log in to cPanel at https://web.illinois.edu.
  2. In the Commonly Used Features section of your dashboard, click on File Manager.
  3. Make sure Show Hidden Files (dotfiles) is checked in the settings. Settings is the gear in the upper right.
  4. Click on the public_html folder and search for a file called .htaccess (note it starts with a period).
  5. If there is a .htaccess file, right click on the file and choose "Code Edit" on the menu. If there is no .htaccess file, create one by clicking on the +File menu item. Name the file .htaccess and make sure it is in the public_html folder.

  6. Right click on the file and click on Edit on the menu. (Alternatively, you can click on the icon for the .htaccess file and then click on the Edit icon at the top of the page.)
  7. A dialogue box may appear asking you about encoding. Just click on the Edit button to continue.  The editor will open in a new window or tab.
  8. Add the following lines to the file and then save the file:

    AuthType Shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session

Requiring login for part of your website

To restrict only part of your website, follow the steps above but put the .htaccess file in the folder that contains the part of the website you would like to restrict to just people with valid Illinois NetIDs. For example, if your website is http://mysite.web.illinois.edu and you would like to require logins to http://mysite.web.illinois.edu/groupOnly, then you would put the .htaccess file in the "groupOnly" folder.

If you are using WordPress, add the following lines above the "# BEGIN WordPress" line in the .htaccess file in your public_html folder (not the folder you want to protect):

# Shibboleth quick-exit
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/Shibboleth.sso($|/)
RewriteRule . - [L]

More advanced restrictions

The rules above require a user to be logged in to Shibboleth, but do not perform any authorization steps. You can also restrict your site to specific users, specific AD groups, or Affiliation.

Require specific user(s):

AuthType Shibboleth
ShibRequestSetting requireSession 1
Require shib-user email1@illinois.edu email2@illinois.edu

Require membership in an AD group:

AuthType Shibboleth
ShibRequestSetting requireSession 1
Require shib-attr member "urn:mace:uiuc.edu:urbana:unitname:foldername:foldername:group name"

All group names will begin with "urn:mace:uiuc.edu" as the root of the AD. From there, the path elements map to the location of your group in the AD structure.

Important Note 1

If you are using BOTH the Shibboleth access settings described here and the WordPress Shibboleth plugin (see "cPanel, Configuring the WordPress Shibboleth Plugin"), you will need to manually update your .htaccess file after installing the Shibboleth plugin. You will need to remove the sections added by the Shibboleth plugin. If you do not, the more permissive settings the plugin adds to the .htaccess file will override your access restrictions. These lines will normally be at the very end of your .htaccess file and look like this:

# BEGIN Shibboleth
# The directives (lines) between "BEGIN Shibboleth" and "END Shibboleth" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_shib>
AuthType shibboleth
Require shibboleth
</IfModule>
<IfModule mod_shib.c>
AuthType shibboleth
Require shibboleth
</IfModule>
<IfModule mod_shib.cpp>
AuthType shibboleth
Require shibboleth
</IfModule>
# END Shibboleth

Important Note 2

Some users are members of very many AD groups. Since the member attribute contains all of their group memberships, it is possible for this number to be so large that the web server cannot process the header that is sent for that user. For this reason, we have created a shortened member attribute for you to use. Using the shorter member attribute is preferred, but the configuration is more complicated, as it requires direct modification of the .htaccess file. To use the shortened attribute, edit your .htaccess file so that everywhere you see:

AuthType shibboleth
Require shibboleth

it instead reads:

AuthType shibboleth
ShibRequestSetting applicationId uofi-short-member
Require shibboleth

Then, when specifying your group names, exclude the urn:mace:uiuc.edu portion and begin with the urbana token, for example:

  • urbana:your ou:your subfolder:your group for this role

If you still have users who cannot access your site due to "Header too large" or similar error, create a ticket at https://go.illinois.edu/cpanelhelp. We can create a separate application ID for your use that filters groups more specifically to the groups you will be using.
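
An added example, not part of the original article or of the hosting service's tooling: a small Python check that scans an .htaccess file for three problems this page describes (a leftover WordPress plugin block beside your own restrictions, a hand-written HTTPS redirect, and a full urn:mace:uiuc.edu group name used with the uofi-short-member application ID). The function name audit_htaccess and the finding codes are hypothetical, the sample file is constructed, and the check assumes group names appear in a Require shib-attr member line.

```python
import re

# Constructed sample .htaccess (not from a real site): a group restriction,
# a manual HTTPS redirect, and the block the WordPress Shibboleth plugin appends.
SAMPLE = '''\
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
AuthType shibboleth
ShibRequestSetting applicationId uofi-short-member
Require shib-attr member "urn:mace:uiuc.edu:urbana:unit:folder:group name"
# BEGIN Shibboleth
<IfModule mod_shib>
AuthType shibboleth
Require shibboleth
</IfModule>
# END Shibboleth
'''

RESTRICTIVE = re.compile(r'^\s*Require\s+shib-(session|user|attr)\b', re.I)
PLUGIN_BLOCK = re.compile(r'^# BEGIN Shibboleth$.*?^# END Shibboleth$', re.S | re.M)
HTTPS_COND = re.compile(r'^\s*RewriteCond\s+%\{HTTPS\}\s+(off|!=?on)\b', re.I | re.M)
SHORT_APP = re.compile(
    r'^\s*ShibRequestSetting\s+applicationId\s+uofi-short-member\b', re.I | re.M)
FULL_URN = re.compile(
    r'^\s*Require\s+shib-attr\s+member\s+"?urn:mace:uiuc\.edu:', re.I | re.M)

def audit_htaccess(text):
    """Return a sorted list of finding codes (hypothetical names) for one file."""
    findings = set()
    own_rules = PLUGIN_BLOCK.sub('', text)  # directives outside the plugin block
    has_restriction = any(RESTRICTIVE.match(l) for l in own_rules.splitlines())
    # Important Note 1: plugin block left in place next to your own restrictions.
    if has_restriction and PLUGIN_BLOCK.search(text):
        findings.add('plugin-block-present')
    # Force HTTPS section: a hand-written redirect should give way to cPanel's toggle.
    if HTTPS_COND.search(own_rules):
        findings.add('manual-https-redirect')
    # Important Note 2 (assumed usage): short-member names start at "urbana".
    if SHORT_APP.search(own_rules) and FULL_URN.search(own_rules):
        findings.add('full-urn-with-short-member')
    return sorted(findings)

if __name__ == '__main__':
    for code in audit_htaccess(SAMPLE):
        print(code)
```
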

Group Name Tools

https://listmyadgroups.web.illinois.edu has tools to list the AD groups you are personally a member of in formats needed to make this plugin work. If you are not a member of the group you wish to authorize, you can ask that a member of that group log in to the tool and provide you with the group name[s] needed.



Keywords: cPanel, web hosting, Shibboleth, authentication, authorization
Doc ID: 84989
Owned by: Web Hosting G. in University of Illinois Technology Services
Created: 2018-08-17
Updated: 2025-05-16
Sites: University of Illinois Technology Services