@@ -58,13 +58,16 @@ See the Docker Compose environment (`tools/docker-dev/`) for an (unsafe for prod
5858 - ` npm install `
5959 - ` npx copy-files-from-to `
6060 - ` httpd ` ` DocumentRoot ` set to ` webroot/ `
61- - ` httpd ` Authentication
62- - Any authentication will do as long as it defines ` REMOTE_USER ` , ` givenName ` , ` sn `
61+ - ` httpd ` Authentication:
62+ - Unity uses Shibboleth SP and the Apache Shibboleth module (` apt install shibboleth-sp-utils libapache2-mod-shib ` on Ubuntu)
63+ - Auth must define ` $_SERVER["REMOTE_USER"] ` , ` $_SERVER["givenName"] ` , ` $_SERVER["sn"] ` variables
6364 - ` REMOTE_USER ` must take the form ` username@org `
6465 - ` givenName ` is first name, ` sn ` is last name
6566 - ` mail ` attribute is preferred, but ` REMOTE_USER ` will be used as an email address if ` mail ` is absent
66- - Unity uses Shibboleth SP and the Apache Shibboleth module (` apt install shibboleth-sp-utils libapache2-mod-shib ` on Ubuntu)
67- - ` httpd ` Authorization
67+ - Auth must accept only the domain name(s) configured by the administrator
68+ - this is required because ` $_SERVER["HTTP_HOST"] ` is trusted internally
69+ - in Shibboleth SP, we enforce this using the ` redirectLimit ` setting
70+ - ` httpd ` Authorization:
6871 - Restricted access to ` webroot/admin/ `
6972 - Global access (with valid authentication) to ` webroot/ `
7073 - IP-based access (no authentication) to ` lan/ `
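Review bot: The new requirement at lines 67-69 ties Host validation to the authentication layer, but line 73 keeps `lan/` as "IP-based access (no authentication)", so requests to that path never go through the auth step that is supposed to make `$_SERVER["HTTP_HOST"]` trustworthy. If any code reachable under `lan/` reads `HTTP_HOST`, the guarantee described here does not cover it. Consider phrasing the requirement at the `httpd` level so it applies to every path (for example "httpd must reject requests whose Host is not one of the configured domain name(s)"), or state explicitly that `lan/` does not rely on `HTTP_HOST`. It would also help to name the `redirectLimit` value the project expects, and to say what a deployment that does not use Shibboleth SP has to do to meet the same requirement, since the bullet currently gives only the Shibboleth mechanism.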