# You should first initialize your pubcookie keys by setting 'keymgt_uri' in # your /etc/pubcookie/config file for keyclient, and then running: # # 'keyclient; keyclient -G /var/lib/pubcookie/pubcookie_granting.crt' # # Then, select appropriate values for the relevant directives below # (e.g. PubcookieLogin, PubcookieDomain, PubcookieCryptKeyfile, etc.), # and uncomment the following line: #LoadModule pubcookie_module modules/mod_pubcookie.so <IfModule mod_pubcookie.c> # AuthType directive # # Syntax: AuthType type # Context: directory, .htaccess # Compatibility: All versions of mod_pubcookie and Apache 1.2 and later. # # This directive selects the type of user authentication applied to a # resource. It must be accompanied by a require directive when used with # an authentication type handled by mod_pubcookie. # # The type is case-insensitive and can be any name defined by # PubcookieAuthTypeNames or supported as an existing core AuthType (e.g. # Basic). # PubcookieInactiveExpire directive # # Syntax: PubcookieInactiveExpire expire-time-in-seconds # Context: directory, .htaccess # Compatibility: All versions of mod_pubcookie and Apache 1.2 and later. # # The duration of inactivity allowed between a user and an application # before the session expires. Expiration due to inactivity causes a loop # thru the login server to obtain a new granting cookie. # # The default value is 30 minutes which is defined as # PBC_DEFAULT_INACT_EXPIRE in pbc_config.h. Minimium inactivity timeout # is five minutes. # # A value of -1 turns off the check for inactivity. # PubcookieHardExpire directive # # Syntax: PubcookieHardExpire expire-time-in-seconds # Context: directory, .htaccess # Compatibility: All versions of mod_pubcookie and Apache 1.2 and later. # # The maximum duration of an application session, regardless of user # activity. Expiration due to reaching the hard timeout causes a loop # thru the login server to obtain a new granting cookie. # # The default value is eight hours which is defined as # PBC_DEFAULT_HARD_EXPIRE in pbc_config.h. The minimium is one hour; the # maximium is twelve hours. # PubcookieAppID directive # # Syntax: PubcookieAppID application-name # Context: directory, .htaccess # Compatibility: All versions of mod_pubcookie and Apache 1.2 and later. # # The name of the application. The default is the directory path. # # Use of this directive may require that you set AllowOverride All in # httpd.conf. # PubcookieDirDepthforAppID directive # # Syntax: PubcookieDirDepthforAppID depth # Context: server config, virtual host # Compatibility: All versions of mod_pubcookie and Apache 1.2 and later. # # Allows you to limit the length of default AppIDs to a specific number # of directories. # # The depth is the number of directories that the AppID will be # truncated to. e.g.: # # / 0 # /blah/ 1 # /blah/asdf/ 2 # # This directive has no effect if PubcookieAppID is specified. # PubcookieAppSrvID directive # # Syntax: PubcookieAppSrvID AppServerID # Context: server config, virtual host # Compatibility: All versions of mod_pubcookie and Apache 1.2 and later. # # Allows you to specify an AppSrvID string, instead of using the default # based on your ServerName. # PubcookieLogin directive # # Syntax: PubcookieLogin url-of-login-server # Context: server config, virtual host # Compatibility: All versions of mod_pubcookie and Apache 1.2 and later. # # The location of the login cgi on the pubcookie login server. PubcookieLogin https://pubcookie.example.edu/login_demo/ # PubcookieLoginMethod directive # # Syntax: PubcookieLoginMethod GET | POST # Context: server config, virtual host # Compatibility: Versions of mod_pubcookie 3.2.0 and higher and Apache # 1.2 and later. # # This directive specifies how authentication requests and responses are # communicated between the module and the login server. # # The default method, GET, is Pubcookie's classic cookie-based messaging # method. It communicates the request and response using meta-refresh # redirects and cookies scoped to the enterprise domain (see # PubcookieDomain). # # The newer method, POST, is closer to the industry standard SAML # Browser/POST profile. It communicates the request and response using # HTTP POST message bodies and uses, but does not require, Javascript to # facilitate the process. It requires an additional PubcookiePostURL # endpoint to consume the initial response sent by the login server. # # All versions of the module prior to 3.2.0 can only use the GET method. # Versions 3.2.0 and higher support either method. # PubcookiePostURL directive # # Syntax: PubcookiePostURL post-reply-url # Context: server config, virtual host # Compatibility: Versions of mod_pubcookie 3.2.0 and higher and Apache # 1.2 and later. # # This directive specifies the URL endpoint used to consume # authentication responses sent from the login server when using the # POST PubcookieLoginMethod. # # The default location is /PubCookie.reply. # PubcookieDomain directive # # Syntax: PubcookieDomain domain # Context: server config, virtual host # Compatibility: Versions of mod_pubcookie 3.0.0 and higher and Apache # 1.2 and later. # # The DNS domain used to scope the cookies that carry the messages in # Pubcookie's classic cookie-based messaging method. It must be at least # a second level domain. # # Note: Sites can use the POST-based messaging method to avoid DNS # domain issues entirely. Sites in country code top-level domains (e.g. # example.ca) must do so, since browsers don't allow cookies to be set # to second level domains within country code top-level domains. See # PubcookieLoginMethod. PubcookieDomain .example.edu # PubcookieGrantingCertfile directive # # Syntax: PubcookieGrantingCertfile filename # Context: server config, virtual host # Compatibility: All versions of mod_pubcookie and Apache 1.2 and later. # # The name of the file containing the login server's certificate used to # verify granting cookies. # # The default is /usr/local/pubcookie/pubcookie_granting.cert which is # defined as PBC_G_CERTFILE in pbc_config.h. PubcookieGrantingCertfile /var/lib/pubcookie/pubcookie_granting.crt # PubcookieSessionKeyfile directive # # Syntax: PubcookieSessionKeyfile filename # Context: server config, virtual host # Compatibility: All versions of mod_pubcookie and Apache 1.2 and later. # # The name of the file containing the private key for session cookies. # # The default is /usr/local/pubcookie/pubcookie_session.key which is # defined as PBC_S_KEYFILE in pbc_config.h. # we use the same key (and cert) used for HTTPS (see ./ssl.conf): PubcookieSessionKeyfile /etc/pki/tls/private/localhost.key # PubcookieSessionCertfile directive # # Syntax: PubcookieSessionCertfile filename # Context: server config, virtual host # Compatibility: All versions of mod_pubcookie and Apache 1.2 and later. # # The name of the file containing the certificate for session cookies. # # The default is /usr/local/pubcookie/pubcookie_session.cert which is # defined as PBC_S_CERTFILE in pbc_config.h. # we use the same cert (and key) used for HTTPS (see ./ssl.conf): PubcookieSessionCertfile /etc/pki/tls/certs/localhost.crt # PubcookieCryptKeyfile directive # # Syntax: PubcookieCryptKeyfile filename # Context: server config, virtual host # Compatibility: All versions of mod_pubcookie and Apache 1.2 and later # # The name of the file containing the symmetric encryption key obtained # from your keyserver for encrypting/decrypting private data. # # The default is /usr/local/pubcookie/c_key which is defined as # PBC_CRYPT_KEYFILE in pbc_config.h. # obtained via 'keyclient', named after our server name PubcookieCryptKeyfile /var/lib/pubcookie/ourserver.example.edu # PubcookieKeyDir directive # # Syntax: PubcookieCryptKeyfile filename # Context: server config, virtual host # Compatibility: All versions of mod_pubcookie and Apache 1.2 and later # # The location of shared keys for encrypting/decrypting cookies. # PubcookieEndSession directive # # Syntax: PubcookieEndSession redirect | clearLogin | on | off # Context: directory, .htaccess # Compatibility: Versions of mod_pubcookie 1.69 and later and Apache 1.3 # and later. # # This directive is used to end an application session. It should be # placed in a child directory or explicitly have the same PubcookieAppID # as the application it is going to affect. (E.g., if /webapp/ defines # the AuthType directive, then /webapp/logout/ would typically be used # to define PubcookieEndSession.) # # With arguments on, redirect, and clearLogin the session cookie is # cleared. Re-requesting the resource will require a trip to the login # server to retrieve a new granting cookie. Note: session cookies of # other applications are not cleared by the PubcookieEndSession # directive, only the session cookie applicable to the scope of the # current application. # # After clearing the session cookie, the redirect and clearLogin # arguments redirect the browser back to the login server which # generates a response page. The clearLogin argument also causes the # login server to clear the user's login cookie. # # The off argument turns off all PubcookieEndSession functionality. # PubcookieEncryption directive # # Syntax: PubcookieEncryption AES | DES | AES+DOMAIN # Context: directory, .htaccess # Compatibility: Versions of mod_pubcookie 3.3.0 and higher and Apache # 1.2 and later. # # This directive defines the encryption algorithm used by the module to # encrypt and decrypt private cookie data, including pre-session and # session cookies as well as the type of encryption it asks for and # expects from the login server for granting cookies and messages. # # In version 3.3.0 and higher, AES encryption is the default (unless the # module has been built with the --enable-default-des option). The only # encryption method supported in earlier versions is DES. Therefore, you # must set this directive to use DES encryption to interoperate with # login servers earlier than version 3.3.0. # # The AES+DOMAIN setting enables the module's wildcard subdomain # capability. # PubcookieSessionCauseReAuth directive # # Syntax: PubcookieSessionCauseReAuth on | off | grace-time-in-seconds # Context: directory, .htaccess # Compatibility: All versions of mod_pubcookie and Apache 1.2 and later. # mod_pubcookie version 3.1 and above required for grace time. # # When set to on, the PubcookieSessionCauseReAuth directive causes the # user to be reauthenticated, thus overriding single sign-on. Users must # re-enter valid credentials to establish an application session. # # Use a grace-time-in-seconds to indicate a grace time wherein no # reauthentication is necessary (e.g., 1800 for 30 minutes of grace # time). This feature allows an application to establish an acceptable # balance between convenience and risk. # PubcookieAuthTypeNames directive # # Syntax: PubcookieAuthTypeNames name1 [name2 ...] # Context: server config, virtual host, directory # Compatibility: Versions of mod_pubcookie 1.77 and higher and Apache # 1.3 and later. # # This directive names the new authentication types added by # mod_pubcookie to the AuthType directive. For example, # PubcookieAuthTypeNames WebISO allows you to use AuthType WebISO. # # The ordered list of the names maps each new authentication type # directly to an intrinsic Pubcookie credential type: name1 is # credential type "1", name2 is credential type "2", and so on. This is # how Pubcookie ties each AuthType to a different "login flavor" handled # by the login server. Of course, most sites have only one login flavor, # the basic flavor, and therefore only need to specify one name. Note: # if necessary, a value of null can be used to define an unused position # in the ordered list of PubcookieAuthTypeNames. # # PubcookieAuthTypeNames is required in mod_pubcookie 1.77 and higher. # All users upgrading to mod_pubcookie 1.77 or higher must add this # directive to their server configuration. PubcookieAuthTypeNames WebISO # PubcookieNoPrompt directive # # Syntax: PubcookieNoPrompt on | off # Context: directory, .htaccess # Override: AuthConfig # Compatibility: mod_pubcookie 3.1 and later; it also requires a 3.1 or # later login server # # This directive prevents the login server from displaying the login # page, while still allowing single sign-on to the resource if the user # has already logged in. # # If the user already has a valid login cookie they will be logged in # normally: i.e., returned to the application and given a standard # session cookie. If, on the other hand, they do not have a valid login # cookie they will be silently returned to the application (i.e., they # won't be prompted to log in) and given a session cookie with a blank # id. # # The AUTH_TYPE and REMOTE_USER environment variables will be set only # if the user has a valid login cookie, thus taking advantage of the # no-prompt option and single sign-on. These environment variables will # not be set (just like any other unauthenticated request) if the user # has no valid login cookie. # # Notes: Users may find sites behave inconsistently when the no-prompt # option is in use, not realzing that the behavior depends on whether # they've already logged in. Also, because a session cookie with the # blank id is established when the user hasn't already logged in, the # session will remain anonymous for the duration of the session, even if # the user subsequently logs in elsewhere. # PubcookieOnDemand directive # # Syntax: PubcookieOnDemand key directive1 directive2... # Context: directory, .htaccess # Override: AuthConfig # Compatibility: mod_pubcookie 3.1 and later; it also requires a 3.1 or # later login server # # This directive controls the module's on-demand functionality. # # Directives used on demand are normally quiescent and have no effect. # Only the presence of the activation cookie, OnDemandKey, with a value # matching the key, activates the associated on-demand directives # (directive1, directive2...) and sets the environment variable # ON_DEMAND_KEY to the active on-demand key. The activation cookie must # accompany each request for resource to be protected on demand. # # The following directives can be used on demand (i.e. can be tied to, # and activated by, an on-demand key): # * AuthType # * Require # * PubcookieInactiveExpire # * PubcookieHardExpire # * PubcookieAppID # * PubcookieEndSession # * PubcookieSessionCauseReAuth # * PubcookieAddlRequest # * PubcookieNoPrompt # # Activated PubcookieOnDemand directives will overrule any equivalent # directives specified elsewhere. # # Notes: The activation cookie, OnDemandKey, and its key value are plain # text. Applications must query the ON_DEMAND_KEY environment variable # to make sure the remote user is authenticated and authorized according # to the desired on-demand key. Therefore, applications must also allow # for, and adjust to, missing or null REMOTE_USER and ON_DEMAND_KEY # environment variables. # PubcookieAddlRequest directive # # Syntax: PubcookieAddlRequest opt1=val1 [opt2=val2...] # Context: directory, .htaccess # Compatibility: Versions of mod_pubcookie 3.0 and higher and Apache 1.3 # and later. # # This directive allows the application to give arbitrary requests to # the login server. The directive causes the following options to be # sent to the login server along with authentication requests. # # Currently, it is site-defined what options cause what sort of # responses from the login server and how these responses are returned. # Eventually, there will be a standardized mechanism for returning # answers. Likely they will be returned in extensions to the granting # response and set as environment variables. # PubcookieNoObscureCookies directive # # Syntax: PubcookieNoObscureCookies on | off # Context: server config, virtual host # Compatibility: Versions of mod_pubcookie 3.2.1 and higher and Apache # 1.3 and later. # # By default, session cookies are obscured by the module before being # exposed to other handlers. To hand session cookies to other handlers # (such as CGI programs) set this directive. # PubcookieNoBlank directive # # Syntax: PubCookieNoBlank on | off # Context: server config, virtual host # Compatibility: Versions of mod_pubcookie 3.0 and higher and Apache 1.3 # and later. # # This directive is deprecated in versions 3.2.1 and higher. Use the # PubcookieNoObscureCookies directive instead. # PubcookieEgdDevice directive # # Syntax: PubcookieEgdDevice location # Context: server config, virtual host # Compatibility: Versions of mod_pubcookie 3.0 and higher and Apache 1.3 # and later. # # Location of EGD socket (e.g. /dev/egd-pool) if your system lacks # entropy. # and here is an example on how to configure directories to use PubCookie: #<Directory "/var/www/html"> # <Limit GET POST> # Require valid-user # </Limit> # # AuthType WebISO # PubCookieAppID "DemoPubCookieAuth" # PubCookieInactiveExpire 400 # PubCookieHardExpire 3700 #</Directory> </IfModule>