Apache 2.3 and earlier/Linux

Initial Config

In /etc/httpd/conf.d/shib.conf you will see:

<Location /secure>
  AuthType shibboleth
  ShibRequireSession On
  require valid-user
</Location>

This protects the top level directory "/secure" on the server with Shibboleth and will allow any user successfully logged in to view the content.

Depending on the IDs defined in your /etc/shibboleth/attribute-map.xml file, it is possible to restrict directories/specific files to certain users as well as types/groups of users.

Restricting on UserID

For example, the line:

 <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn" aliases="HTTP_SHIB_EP_PRINCIPALNAME">

allows you to say:

<Location /secure/justoneuser>
  AuthType shibboleth
  ShibRequireSession On
  require eppn specificuser@ncl.ac.uk
</Location>

Because access permissions are based on directory level, this would mean:

https://server.ncl.ac.uk/secure would be accessible by any authenticated user but
https://server.ncl.ac.uk/secure/justoneuser would only be accessible by "specificuser@ncl.ac.uk"

Restricting by user Type

Extending this scenario, it is possible to open up access to a further subdirectory to "staff" for example.  The line:

<Attribute name="urn:ncl:dir:attribute-def:stafforstudent" id="stafforstudent" 
aliases="HTTP_SHIB_EP_STAFFORSTUDENT"/>

in /etc/shibboleth/attribute-map.xml allows you to say:

<Location /secure/justoneuser/anystaff>
  AuthType shibboleth
  ShibRequireSession On
  require stafforstudent staff
</Location>

So, to complete our example:

https://server.ncl.ac.uk/secure would be accessible by any authenticated user but
https://server.ncl.ac.uk/secure/justoneuser would only be accessible by "specificuser@ncl.ac.uk" 
https://server.ncl.ac.uk/secure/justoneuser/anystaff would be accessible by any member of staff.
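
The access outcome of the three blocks above, worked through as an added example that is not part of the original page. It is a simplified Python model, assuming Apache applies <Location> sections in configuration-file order and that the last matching section's require line replaces earlier ones; the user records and file names are constructed.

```python
# Simplified model (assumption): <Location> sections apply in file order and
# the last matching section's "require" line replaces any earlier one.
SECTIONS = [  # the three blocks from this page, in file order
    ("/secure", "valid-user", None),
    ("/secure/justoneuser", "eppn", "specificuser@ncl.ac.uk"),
    ("/secure/justoneuser/anystaff", "stafforstudent", "staff"),
]

# Constructed sample users, keyed by the ids from attribute-map.xml.
OWNER = {"eppn": ["specificuser@ncl.ac.uk"], "stafforstudent": ["student"]}
STAFF = {"eppn": ["staff1@ncl.ac.uk"], "stafforstudent": ["staff"]}
STUDENT = {"eppn": ["student1@ncl.ac.uk"], "stafforstudent": ["student"]}

def location_matches(location, path):
    """True if path is the location itself or lies beneath it."""
    base = location.rstrip("/")
    return path == base or path.startswith(base + "/")

def effective_rule(path, sections=SECTIONS):
    """Return the (rule, value) governing path, or None if no block matches."""
    rule = None
    for location, name, value in sections:
        if location_matches(location, path):
            rule = (name, value)  # a later match overrides an earlier one
    return rule

def allowed(path, attrs, sections=SECTIONS):
    """attrs: the session's attributes, or None when there is no session."""
    rule = effective_rule(path, sections)
    if rule is None:
        return True   # path is outside every Shibboleth-protected block
    if attrs is None:
        return False  # ShibRequireSession On: no session, no access
    name, value = rule
    return name == "valid-user" or value in attrs.get(name, [])

if __name__ == "__main__":
    paths = ["/secure/index.html", "/secure/justoneuser/notes.html",
             "/secure/justoneuser/anystaff/rota.html"]
    for label, user in [("owner", OWNER), ("staff", STAFF), ("student", STUDENT)]:
        print(label, [allowed(p, user) for p in paths])
    # With the blocks in the opposite order, the broad valid-user rule is
    # applied last and opens /secure/justoneuser to every logged-in user.
    print(allowed(paths[1], STUDENT, list(reversed(SECTIONS))))
```

The owner in this sample is a student, so the third path is denied to them while the second is denied to staff: each nested block replaces its parent's rule rather than adding to it.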

Alternate configuration Methods

It is also possible to protect content using the /etc/shibboleth/shibboleth2.xml file (as described on the IIS/Windows page).