How to use PennKey accounts for authentication

PennKey authentication is supported on websites in the following domains:

An encrypted connection is mandatory. Protected directories must be accessed via https:// or an error will be returned.

Note: PennKeys are intended for authentication, not authorization. Anyone affiliated with Penn may obtain a PennKey, including faculty, students, staff, alums, spouses and children of faculty/staff, colleagues of Penn faculty, contractors, consultants, people who attend events on the Penn campus, nonhuman service accounts, etc.

Penn is retiring CoSign and standardizing on Shibboleth. If you have restricted access with CoSign, you will need to update your configuration using the instructions below.

Create your .htaccess file

  1. Create a file named .htaccess using your favorite text editor.
  2. To allow access to anyone with a PennKey:

    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session

    To restrict access to specific PennKey users, list them separated by spaces (clifford and marilyn, in this example):

    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-user clifford marilyn

  3. Save the file and upload it to the directory you want to protect using your favorite FTP client (more info).
  4. Make sure your .htaccess file is readable by the web server. In most cases this will mean making it world readable (more info on changing permissions). For extra security, run the chgrp-httpd command mentioned below to give the web server read access to the directory while preventing anyone else from seeing into it.

Note: If you are comfortable using vi or emacs on the command line, it may be easier to create the file directly on the server.

Setting the directory permissions

Note: it is not advisable to use the chgrp-httpd script if you are protecting files in your CGI directory. Instead, chmod the protected directory to 711.

This final step is important to make sure people with local accounts can't access your files via the unix file system. Set the correct permissions on your protected folder by running the following command from within the directory you want to protect:

chgrp-httpd .

Note: chgrp-httpd will only run on Eniac.

Using a Visitor's PennKey in Your Code

Once authenticated, you can access a user's PennKey in your code via the web server's REMOTE_USER environment variable.

Here is an example to print the authenticated user's PennKey in PHP:
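
The following is an added example, not the page's own snippet: it reads REMOTE_USER, fails closed when it is absent, and layers a constructed allowlist on top because, as noted above, a PennKey authenticates but does not authorize. It assumes Apache (mod_php or CGI) with the Shibboleth .htaccess shown above protecting the script's directory; the ROLES table and the account-name regular expression are constructed assumptions, not documented PennKey formats.

```php
<?php
// Added example (not the page's original snippet). Assumes Apache with mod_php
// or CGI and the Shibboleth .htaccess above protecting this script's directory.

// PennKeys authenticate but do not authorize, so the application decides what
// each PennKey may do. Constructed sample allowlist using the two example users.
const ROLES = [
    'clifford' => 'editor',
    'marilyn'  => 'viewer',
];

/**
 * Return the PennKey the web server authenticated, or null if there is none.
 * Only $_SERVER is consulted: a name arriving in $_GET, $_POST or a cookie is
 * user-supplied and must never be treated as an authenticated identity.
 */
function authenticated_pennkey(): ?string
{
    // Apache prefixes environment variables with REDIRECT_ across internal
    // redirects (ErrorDocument, mod_rewrite), so accept that form as well.
    $user = trim($_SERVER['REMOTE_USER'] ?? $_SERVER['REDIRECT_REMOTE_USER'] ?? '');
    // Fail closed on anything that does not look like a plain account name.
    // The character class is an assumption, not a documented PennKey format.
    if ($user === '' || !preg_match('/^[a-z0-9._@-]{1,64}$/i', $user)) {
        return null;
    }
    return $user;
}

function role_for(string $pennkey): ?string
{
    return ROLES[strtolower($pennkey)] ?? null;
}

$pennkey = authenticated_pennkey();
if ($pennkey === null) {
    // Reached only if the .htaccess protection is missing or misconfigured.
    http_response_code(403);
    exit('Not authenticated');
}
$role = role_for($pennkey);
if ($role === null) {
    http_response_code(403);
    exit('Authenticated, but not authorized for this page');
}
// Escape before echoing so the identity is treated as data, not markup.
echo 'Welcome, ' . htmlspecialchars($pennkey, ENT_QUOTES, 'UTF-8')
   . ' (' . htmlspecialchars($role, ENT_QUOTES, 'UTF-8') . ")\n";
```

If the 403 branch fires for a user who did log in, check that the directory's .htaccess is in place and that the page was reached over https://, as required above.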

