IIS/Windows
When using IIS, content protection is configured in the C:\opt\shibboleth\etc\shibboleth\shibboleth2.xml file.
Initial Config
By default, this contains:
<Host name="servername.ncl.ac.uk">
<Path name="secure" authType="shibboleth" requireSession="true" />
</Host>
which means the https://servername.ncl.ac.uk/secure directory is protected by Shibboleth but accessible by any authenticated user.
Restricting by UserID
Adding:
<Path name="secure/justoneuser" authType="shibboleth" requireSession="true">
<AccessControl>
<Rule require="eppn">specificuser@ncl.ac.uk</Rule>
</AccessControl>
</Path>
inside the <Host> element, would mean the subdirectory https://servername.ncl.ac.uk/secure/justoneuser was protected by Shibboleth and only available to the user "specificuser@ncl.ac.uk".
Restricting by User Type
Finally, adding:
<Path name="secure/justoneuser/anystaff" authType="shibboleth" requireSession="true">
<AccessControl>
<Rule require="stafforstudent">staff</Rule>
</AccessControl>
</Path>
inside the <Host> element, would mean that https://servername.ncl.ac.uk/secure/justoneuser/anystaff was again protected by Shibboleth and only available to staff users.
Protecting the Entire Server
In order to protect the whole server (https://server.ncl.ac.uk/anything) the configuration looks a little different:
<Host name="servername.ncl.ac.uk" authType="shibboleth" requireSession="true" />
would mean all of https://servername.ncl.ac.uk was protected by Shibboleth and any valid user could access the content on the server after authentication.
Restricting the Entire Server to Staff
<Host name="servername.ncl.ac.uk" authType="shibboleth" requireSession="true">
<AccessControl>
<Rule require="stafforstudent">staff</Rule>
</AccessControl>
</Host>
would mean all of https://servername.ncl.ac.uk was protected by Shibboleth and only staff could access the content on the server after authentication.
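To review a configuration built from the fragments above, the following added example (not part of the original page or of Shibboleth itself) lists every <Host> and <Path> with the session requirement and access rules declared on it. The function names and the combined sample are constructed for illustration, and the script reports only what each element declares, not settings inherited from a parent element.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's three <Path> fragments combined in one <Host>.
SAMPLE = """<Host name="servername.ncl.ac.uk">
  <Path name="secure" authType="shibboleth" requireSession="true" />
  <Path name="secure/justoneuser" authType="shibboleth" requireSession="true">
    <AccessControl><Rule require="eppn">specificuser@ncl.ac.uk</Rule></AccessControl>
  </Path>
  <Path name="secure/justoneuser/anystaff" authType="shibboleth" requireSession="true">
    <AccessControl><Rule require="stafforstudent">staff</Rule></AccessControl>
  </Path>
</Host>"""

def local(tag):
    """Strip an XML namespace so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def describe(elem, url):
    """Return (url, session_required, [(attribute, value), ...]) for one element."""
    session = (elem.get("authType") == "shibboleth"
               and elem.get("requireSession") in ("true", "1"))
    rules = [(r.get("require"), (r.text or "").strip())
             for ac in children(elem, "AccessControl")
             for r in children(ac, "Rule")]
    return (url, session, rules)

def audit(xml_text):
    """List every <Host> and <Path> with the protection declared on it."""
    out = []
    def walk(elem, url):
        out.append(describe(elem, url))
        for p in children(elem, "Path"):
            walk(p, url + "/" + p.get("name", "").strip("/"))
    for host in ET.fromstring(xml_text).iter():
        if local(host.tag) == "Host":
            walk(host, "https://" + host.get("name", ""))
    return out

if __name__ == "__main__":
    for url, session, rules in audit(SAMPLE):
        who = "no session requirement declared here" if not session else (
            ", ".join(f"{a}={v}" for a, v in rules) or "any authenticated user")
        print(f"{url:60} {who}")
```

Run against the sample, the bare host line shows no requirement, /secure shows any authenticated user, and the two subdirectories show their eppn and stafforstudent rules.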