Mix Basic Auth and Shibboleth

Nate Klingenstein ndk at signet.id
Sun Sep 12 04:44:31 UTC 2021


I don't think Apache allows for multiple different AuthTypes in the same configuration stanza.  It's last(or closest match) directive wins.

Shibboleth has back door authentication functionality that you should be able to wire up to the crawler.  If in the instantiation you can have it create a Shibboleth session, it should then be able to crawl the rest of the site as if it had authenticated with SAML.


Alternatively, you can try these Apache gymnastics.  I haven't done so myself.


Replace Mellon with Shibboleth.

Hope this helps,

Signet, Inc.
The Art of Access ®


-----Original message-----
From: chad phillips
Sent: Sunday, September 12 2021, 4:03 am
To: users at shibboleth.net
Subject: Mix Basic Auth and Shibboleth


I have Shibboleth setup as the service provider for an Apache 2.4 server.  Salesforce is our IDP and everything works well.

We want to have a web crawler crawl the access restricted portions of our website.  The problem is our crawler only supports Basic Authentication.

Is it possible to have an Apache directory restricted by BOTH Shibboleth and Basic Auth?  I would like the crawler to be able to use Basic Authentication, but regular users would go through Shibboleth.

I have found a few other posts of people asking the same question, but no definitive answer.

thank you


For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw

To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list