Single sign-on for webspaces

This user guide explains how to use single sign-on (SSO) for your webspace. Once SSO is activated, the webspace is accessible only to the users or groups of users you select, who must log in with their u:account userID and password. The SSO set up for webspaces is Shibboleth.

 Note

In WordPress webspaces, some access protection functions are not supported. We therefore recommend that you do not change the .htaccess file created by WordPress.

 Note

If you want to set up general access protection without u:accounts for areas of your webspace, see the user guide for Directory Protection.

Activating Shibboleth (SSO) in webspace admin

In the webspace admin, select the Shibboleth (SSO) setting in the Settings tab of the corresponding webspace and click Activate.

There, select the data ("Attributes") that are to be transmitted to your application within the scope of SSO.

In the interest of data protection, select only the absolutely necessary options. The following attributes are available for selection:

  • Federated userID (eppn): A userID scoped to the issuing identity provider (IdP). This allows users from different IdPs to be distinguished even if they have the same local userID.

    • Example: jamied99@univie.ac.at

  • UserID (uid): u:account userID

    • Example: jamied99

  • E-mail address (mail): The university e-mail address of the registered u:account. If the logged-in u:account has no University of Vienna e-mail address, this attribute is not transmitted at all.

    • Example: jamie.doe@univie.ac.at

  • First name (givenName)

    • Example: Jamie

  • Last name (sn)

    • Example: Doe

  • Display name (displayName): May differ from First Name Last Name

    • Example: Jamie Doe

  • Affiliation (affiliation): Describes the relationship to the University of Vienna:

    • student@univie.ac.at: The account has student rights.
    • faculty@univie.ac.at: The account has rights of academic university staff.
    • staff@univie.ac.at: The account has rights of non-academic university staff.
    • employee@univie.ac.at: The account has employee rights (faculty or staff).
    • member@univie.ac.at: The account is member of the University of Vienna (student or employee).
    • affiliate@univie.ac.at: The account has rights of a person associated with the University, e.g. personnel not directly employed with the university or a guest account supported ("befürwortet") by institutes.

  • Group memberships (ismemberof): The groups of which the logged-in account is a member

    • Example: Automatic:Pers:G_a_all_employees

Then, click Save (Speichern) next to the field.

After login, the selected attributes are available to PHP through the $_SERVER superglobal: $_SERVER['REMOTE_USER'], $_SERVER['uid'], $_SERVER['displayName'] etc. An attribute that was not activated in the webspace admin, or that was not released for the account (e.g. mail without a university address), is simply absent, so check with isset() before using it.

The REMOTE_USER variable of the Apache web server is populated with the eppn of the logged-in account if that attribute is available, otherwise with the uid.
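The following is an added example, not code from this guide or from the webspace platform, showing how a PHP application reads these attributes and makes its own authorization decision, equivalent to the .htaccess rules for affiliation and group membership described in this guide. This is useful where .htaccess protection is not available (e.g. WordPress webspaces) or where a rule depends on application data. It assumes that the attributes arrive under the names shown in the webspace admin, that multi-valued attributes such as affiliation and ismemberof are joined with ';' (the Shibboleth SP default delimiter, which this guide does not state), and that the sample $_SERVER contents and the group number A0000 are constructed for the example. Identity is taken only from the variables the Shibboleth module sets, never from HTTP_* request headers, because a client can send those itself.

```php
<?php
// Added example, not part of the original guide or of the webspace platform.
// Assumptions (not stated in the guide): attributes arrive under the names
// shown in the webspace admin; multi-valued attributes (affiliation,
// ismemberof) are joined with ';', the Shibboleth SP default delimiter;
// the sample $_SERVER contents and the group number A0000 are constructed.
declare(strict_types=1);

/**
 * Return the values of a Shibboleth attribute as a list. Returns [] when the
 * attribute was not activated in the webspace admin, was not released for the
 * account (e.g. mail without a university address), or the request did not
 * pass through a Shibboleth session at all.
 */
function shibAttribute(array $server, string $name): array
{
    if (!isset($server[$name]) || $server[$name] === '') {
        return [];
    }
    // mod_shib joins multiple values with ';' (SP default, assumed here).
    $values = array_map('trim', explode(';', (string) $server[$name]));
    return array_values(array_filter($values, static fn (string $v): bool => $v !== ''));
}

/**
 * Application-level authorization, equivalent to
 *   Require shib-attr affiliation <allowedAffiliations...>
 *   Require shib-attr ismemberof  <allowedGroups...>
 * where matching either rule is sufficient.
 */
function isAuthorized(array $server, array $allowedAffiliations, array $allowedGroups): bool
{
    // Only trust a request that actually established a Shibboleth session.
    // REMOTE_USER is set by mod_shib (eppn if available, otherwise uid). Never
    // read identity from HTTP_* request headers: a client can send those itself.
    if (!isset($server['REMOTE_USER']) || $server['REMOTE_USER'] === '') {
        return false;
    }

    $affiliations = shibAttribute($server, 'affiliation');
    $groups       = shibAttribute($server, 'ismemberof');

    return array_intersect($affiliations, $allowedAffiliations) !== []
        || array_intersect($groups, $allowedGroups) !== [];
}

// Constructed sample of $_SERVER after a Shibboleth login (invented values).
$sample = [
    'REMOTE_USER' => 'jamied99@univie.ac.at',
    'eppn'        => 'jamied99@univie.ac.at',
    'uid'         => 'jamied99',
    'affiliation' => 'staff@univie.ac.at;employee@univie.ac.at;member@univie.ac.at',
    'ismemberof'  => 'Automatic:Pers:G_a_all_employees;Automatic:Inum:A0000:G_a_A0000_staff_all',
    // 'mail' is deliberately absent: no university address, so not released.
];

// Employee rule (like "Require shib-attr affiliation employee@univie.ac.at").
var_dump(isAuthorized($sample, ['employee@univie.ac.at'], []));
// Student rule: this account is staff, not a student.
var_dump(isAuthorized($sample, ['student@univie.ac.at'], []));
// Organisational-unit rule (like "Require shib-attr ismemberof Automatic:Inum:A0000:...").
var_dump(isAuthorized($sample, [], ['Automatic:Inum:A0000:G_a_A0000_staff_all']));
// No Shibboleth session: REMOTE_USER missing, so denied regardless of attributes.
var_dump(isAuthorized(['uid' => 'jamied99'], ['member@univie.ac.at'], []));
// Attribute not released: mail is absent and yields an empty list, not an error.
var_dump(shibAttribute($sample, 'mail'));

// In the real application, pass $_SERVER instead of $sample:
// if (!isAuthorized($_SERVER, ['employee@univie.ac.at'], [])) {
//     http_response_code(403);
//     exit('Access denied');
// }
```

Because the check runs inside the application, the directory can be protected with a plain "Require valid-user" rule (login required, everyone allowed) while the finer decision is made here; the Shibboleth session page described under Testing SSO shows the exact attribute values to compare against.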

Testing SSO

If your host name is e.g. pugilistik.univie.ac.at, you can trigger an SSO process by opening the following URL:

https://pugilistik.univie.ac.at/Shibboleth.sso/Login?target=https://pugilistik.univie.ac.at/Shibboleth.sso/Session

The session page of the Shibboleth module then shows whether a session has been established and, if so, which attributes were passed.

Access control with .htaccess (Examples)

Create a new file named .htaccess in the html folder of the webspace. If you only need access protection for part of the website, create the file in the corresponding subfolder instead. Edit it with a text editor (e.g. Notepad++) according to the examples given below.


Login required, but all users allowed

AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user


Login only allowed for individual userIDs

In the webspace admin, activate either Federated UserID [eppn] or UserID [uid].

If Federated UserID [eppn] is active, enter the userIDs in the form userID@univie.ac.at separated by spaces:

AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-user zufallr0@univie.ac.at zufallr1@univie.ac.at zufallr2@univie.ac.at

If UserID [uid] is active, enter the userIDs without suffix, separated by spaces. In this case only userIDs of the University of Vienna can be matched, because uid is not scoped to an identity provider:

AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-user zufallr0 zufallr1 zufallr2


Login only for certain groups of people at the University of Vienna

In the webspace admin activate Affiliation [affiliation].

Only active employees of the University of Vienna:

AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr affiliation employee@univie.ac.at

Only active students of the University of Vienna:

AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr affiliation student@univie.ac.at

Only active employees and students of the University of Vienna:

AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr affiliation employee@univie.ac.at student@univie.ac.at


Login only allowed for active employees of an organisational unit of the University of Vienna

Activate Group memberships [ismemberof] in the webspace admin and replace both occurrences of A0000 with the number of the respective institute or department. If you are a member of that organisational unit yourself, the exact group name appears among the attributes passed to the website when you log in via Shibboleth for the first time.

AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr ismemberof Automatic:Inum:A0000:G_a_A0000_staff_all