Password Protection by UW NetID

Last updated: January 12, 2023
Audience: All UW

Nearly all students, staff, and faculty have a UW NetID and password which they can use to access UW network and computing services. You can restrict access to your website to only the specific UW NetIDs you authorize to have access. Since there are no passwords for you to generate and maintain, it is a simple way to protect your website.

Note: CGI and PHP script authors can read the REMOTE_USER environment variable to determine the specific UW NetID of each authenticated visitor.

Step-by-step Instructions

Simple instructions are available for the most common ways to password-protect web pages using UW NetIDs:

Authorizing a Short List of UW NetIDs
Provide access to your own short list of UW NetIDs (e.g. 20 or fewer).

Authorizing Any Valid UW NetID
Provide access to anyone with a valid UW NetID.

Authorizing by UW Group ID
Provide access to the members of a group in the UW Group Service.

Authorizing Participants in a Course
Provide access to participants in a specific UW course or courses.

Authorizing UW NetIDs by Affiliation Type
Provide access to all UW NetIDs of a certain affiliation type (e.g., students, faculty, or alumni).

How It Works

Password protection by UW NetID is easy to apply to your website, but a variety of things (cookies, browser redirection, encryption) make it work. Here is a description of what happens when someone requests a file you have protected by UW NetID.

  1. A request is made for a file you have protected by UW NetID authentication.
  2. The server recognizes that the visitor hasn’t authenticated and redirects them to the UW NetID “weblogin” service where they can enter their UW NetID and password.
  3. If the UW NetID and password match, the user is redirected back to the original resource and a session cookie is set on the user’s browser.
  4. Now that the user has been authenticated, the original request is fulfilled, but only if you have authorized the specific UW NetID in your .htaccess file. The UW NetID is extracted by the server and placed into the REMOTE_USER environment variable for use by authors of CGI and PHP scripts.
  5. The session cookie serves as a credential to authenticate the user on subsequent requests for other files in the same website.
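As an added illustration of step 4 and the note above (example code, not part of the original page and not UW's own), here is a small Python CGI script that reads the authenticated NetID from REMOTE_USER and fails closed when the variable is absent, which is what a script sees if it is reached from a directory that is not actually protected in .htaccess. The NetIDs and per-user records it serves are constructed sample data.

```python
import html
import os
import sys

def current_netid(environ):
    """Return the authenticated UW NetID, or None if there is none.

    When the directory is protected by UW NetID in .htaccess, the server
    places the visitor's NetID in REMOTE_USER before invoking the script.
    A missing or empty value means no authentication happened for this
    request, so callers should serve nothing rather than assume a user."""
    netid = environ.get("REMOTE_USER", "").strip()
    return netid or None

def build_response(environ, per_user_data):
    """Return (status line, HTML body) for one CGI request.

    per_user_data maps a NetID to the private content that visitor may see."""
    netid = current_netid(environ)
    if netid is None:
        # Fail closed: no authenticated visitor, so no content.
        return ("403 Forbidden",
                "<p>Forbidden: this page requires UW NetID authentication.</p>\n")
    safe_id = html.escape(netid)          # NetID is attacker-influenced text; escape it
    record = per_user_data.get(netid)
    if record is None:
        return "200 OK", "<p>Hello, %s. No records are on file for you.</p>\n" % safe_id
    return "200 OK", "<p>Hello, %s. Your records: %s</p>\n" % (safe_id, html.escape(record))

# Constructed sample data for the demonstration; not real records.
SAMPLE_DATA = {
    "netid1": "grade report, 2018 summer",
    "netid2": "grade report, 2018 autumn",
}

def main():
    status, body = build_response(os.environ, SAMPLE_DATA)
    sys.stdout.write("Status: %s\r\n" % status)
    sys.stdout.write("Content-Type: text/html; charset=utf-8\r\n\r\n")
    sys.stdout.write(body)

if __name__ == "__main__":
    main()
```

The 403 branch is the check worth copying: a script that silently treats a missing REMOTE_USER as an anonymous visitor will happily serve its content if someone later drops the protection from the .htaccess file or copies the script to an unprotected directory.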

Combining Authorization Methods

The authorization methods described above can be combined to create fine-grained authorization. By default, each require line is treated as an OR. Here is an example allowing anyone who is either in a course or in a short list of UW NetIDs to view a site.

require shib-attr isMemberOf urn:mace:washington.edu:groups:course_2018sum-acctg215aa
require shib-user netid1 netid2 netid3

If you wish to use AND, you need to include ShibRequireAll on. This turns each require line into an AND. Here is an example allowing only staff who are also students to view a site.

ShibRequireAll on
require shib-attr affiliation student@washington.edu
require shib-attr affiliation staff@washington.edu

This method can be used with any combination of authorization methods requiring UW NetIDs for authorization.
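To make the OR/AND semantics concrete, here is an added Python simulation (not part of the original page, and not the server's own logic) that reads require lines in the form shown above and decides allow or deny for a visitor. It assumes the Shibboleth SP exports each attribute under an environment variable with the attribute's name (isMemberOf, affiliation), joins multiple values with semicolons, and places the NetID in REMOTE_USER; it also accepts the standard Apache require valid-user, which the page's "any valid UW NetID" option corresponds to. The rule texts and visitors are constructed copies of the page's two examples.

```python
import shlex

# Constructed copies of the page's two examples.
COURSE_OR_LIST = """
require shib-attr isMemberOf urn:mace:washington.edu:groups:course_2018sum-acctg215aa
require shib-user netid1 netid2 netid3
"""

STAFF_AND_STUDENT = """
ShibRequireAll on
require shib-attr affiliation student@washington.edu
require shib-attr affiliation staff@washington.edu
"""

def parse_require(line):
    """Turn one 'require ...' line into (attribute name, acceptable values).

    Assumption: attributes are exported under environment variables of the
    same name, and the NetID is in REMOTE_USER.  'valid-user' is modelled as
    'REMOTE_USER is non-empty' (acceptable values = None)."""
    parts = shlex.split(line)
    if len(parts) < 2 or parts[0].lower() != "require":
        raise ValueError("not a require line: %r" % line)
    kind = parts[1].lower()
    if kind == "valid-user":
        return ("REMOTE_USER", None)
    if kind == "shib-user" and len(parts) >= 3:
        return ("REMOTE_USER", parts[2:])
    if kind == "shib-attr" and len(parts) >= 4:
        return (parts[2], parts[3:])
    raise ValueError("unsupported or incomplete require line: %r" % line)

def rule_matches(rule, env):
    """True if one of the acceptable values is among the visitor's values.

    Multi-valued attributes arrive as one string joined with ';' (the
    Shibboleth SP's default delimiter), so split before comparing."""
    attr, wanted = rule
    present = {v for v in env.get(attr, "").split(";") if v}
    if wanted is None:
        return bool(present)
    return any(v in present for v in wanted)

def authorize(htaccess_text, env):
    """Apply the require lines to a visitor described by env.

    Require lines are OR'ed unless 'ShibRequireAll on' appears, in which
    case every line must match.  No require lines at all means deny."""
    require_all = False
    rules = []
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0].lower() == "shibrequireall":
            require_all = len(tokens) > 1 and tokens[1].lower() == "on"
        elif tokens[0].lower() == "require":
            rules.append(parse_require(line))
    if not rules:
        return False
    results = [rule_matches(rule, env) for rule in rules]
    return all(results) if require_all else any(results)

def main():
    # Constructed visitors: a listed NetID, a course member, a staff member
    # who is not a student, and someone who is both staff and student.
    listed = {"REMOTE_USER": "netid2"}
    course = {"REMOTE_USER": "netid9",
              "isMemberOf": "urn:mace:washington.edu:groups:course_2018sum-acctg215aa"}
    staff_only = {"REMOTE_USER": "netid9", "affiliation": "staff@washington.edu"}
    both = {"REMOTE_USER": "netid9",
            "affiliation": "student@washington.edu;staff@washington.edu"}
    print("listed NetID, OR rules:   ", authorize(COURSE_OR_LIST, listed))        # True
    print("course member, OR rules:  ", authorize(COURSE_OR_LIST, course))        # True
    print("staff only, AND rules:    ", authorize(STAFF_AND_STUDENT, staff_only))  # False
    print("staff+student, AND rules: ", authorize(STAFF_AND_STUDENT, both))       # True

if __name__ == "__main__":
    main()
```

The staff_only case is the one to keep in mind when writing an AND rule set: a visitor who satisfies only one of the affiliation lines is denied, which is exactly what the ShibRequireAll example intends, whereas without that directive the same two lines would admit every student and every staff member.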