Apache 2.4+ / Linux
Initial Config
In /etc/httpd/conf.d/shib.conf you will see:
<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-session
</Location>
This protects the top level directory "/secure" on the server with Shibboleth and will allow any user successfully logged in to view the content.
Depending on the IDs defined in your /etc/shibboleth/attribute-map.xml file, it is possible to restrict directories/specific files to certain users as well as types/groups of users.
Restricting on UserID
For example, the line:
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn"
aliases="HTTP_SHIB_EP_PRINCIPALNAME"/>
in /etc/shibboleth/attribute-map.xml allows you to say:
<Location /secure/justoneuser>
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-attr eppn specificuser@ncl.ac.uk
</Location>
Because access permissions are based on directory level, this would mean:
https://server.ncl.ac.uk/secure would be accessible by any authenticated user but
https://server.ncl.ac.uk/secure/justoneuser would only be accessible by "specificuser@ncl.ac.uk"
Restricting by User Type
Extending this scenario, it is possible to open up access to a further subdirectory to "staff" for example. The line:
<Attribute name="urn:ncl:dir:attribute-def:stafforstudent" id="stafforstudent"
aliases="HTTP_SHIB_EP_STAFFORSTUDENT"/>
in /etc/shibboleth/attribute-map.xml allows you to say:
<Location /secure/justoneuser/anystaff>
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-attr stafforstudent staff
</Location>
So, to complete our first example:
https://server.ncl.ac.uk/secure would be accessible by any authenticated user
https://server.ncl.ac.uk/secure/justoneuser would only be accessible by "specificuser@ncl.ac.uk"
https://server.ncl.ac.uk/secure/justoneuser/anystaff would be accessible by any member of staff.
Restricting using Grouper Groups
Restricting via Active Directory provisioned Grouper Groups is possible with the following configuration:
<Attribute name="urn:ncl:dir:attribute-def:grouper_groups" id="grouper_groups"/>
in /etc/shibboleth/attribute-map.xml allows you to say:
<Location /secure/group>
AuthType shibboleth
ShibRequestSetting requireSession 1
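# The group path contains spaces, so it is quoted; unquoted, each word would be read as a separate value
require shib-attr grouper_groups "Applications:D-NUIT:Protected Web Content:NUIT_Auto_Internal"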
</Location>
Note: The full path of the Grouper group is required and can be found in Grouper.
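Every "require shib-attr" rule in the three sections above only works if its attribute id is declared in attribute-map.xml; an id that is not mapped is never populated, so the rule matches nobody. The following check is an added example, not part of the original page or of Shibboleth itself. The sample inputs are constructed from the snippets above, the function names are hypothetical, and splitting values with shlex is an approximation of how the module tokenises quoted values.

```python
import re
import shlex
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the snippets above (not real server files).
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn"/>
  <Attribute name="urn:ncl:dir:attribute-def:stafforstudent" id="stafforstudent"/>
</Attributes>"""

SHIB_CONF = """<Location /secure/justoneuser>
  require shib-attr eppn specificuser@ncl.ac.uk
</Location>
<Location /secure/justoneuser/anystaff>
  require shib-attr stafforstudent staff
</Location>
<Location /secure/group>
  require shib-attr grouper_groups "Applications:D-NUIT:Protected Web Content:NUIT_Auto_Internal"
</Location>"""

def mapped_ids(attribute_map_xml):
    """Return every id declared on an <Attribute> element, ignoring XML namespaces."""
    root = ET.fromstring(attribute_map_xml)
    return {el.get("id") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Attribute" and el.get("id")}

def shib_attr_rules(apache_conf):
    """Yield (location, attribute_id, values) for each 'require shib-attr' line."""
    location = None
    for raw in apache_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+(.+?)>$", line, re.I)
        if opened:
            location = opened.group(1).strip('"')
        elif re.match(r"</Location>", line, re.I):
            location = None
        else:
            words = shlex.split(line)  # keeps a double-quoted value as one word
            if len(words) >= 3 and [w.lower() for w in words[:2]] == ["require", "shib-attr"]:
                yield location, words[2], words[3:]

def unmapped_rules(attribute_map_xml, apache_conf):
    """List (location, attribute_id) pairs whose id is missing from the attribute map."""
    known = mapped_ids(attribute_map_xml)
    return [(loc, attr) for loc, attr, _ in shib_attr_rules(apache_conf) if attr not in known]

if __name__ == "__main__":
    print(unmapped_rules(ATTRIBUTE_MAP, SHIB_CONF))
```

In the constructed sample the grouper_groups line from this section is deliberately left out of the attribute map, so /secure/group is the location reported.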
Alternate Configuration Methods
It is also possible to protect content using the /etc/shibboleth/shibboleth2.xml file (as described on the IIS/Windows page).