Shibboleth (Shib2) is widely used as an authentication method for UK universities to academic resources. For various reasons Shibboleth tends to be  cumbersome to manage – at least compared with EZProxy, which is the standard method of remote authentication used by virtually all other parts of the world, and which requires almost zero work on the part of the service provider. Shibboleth in contrast requires quite a high level of commitment and staff IT expertise by both the service provider (eg a publisher) and the service subsriber (usually a university library).

For servers using Apache 2.4 or higher in particular, Shibboleth breaks the Apache ‘basic’ authentication method which is often used as a rough and ready way to protect directories quickly. The error is rather silent in nature – you will simply find that even a valid password will not get you to a protected website or directory.

Thankfully Shibboleth have fixed the issue in version 2.5, but it takes a fair amount of Googling and messing around to find what is in fact an easy fix.

This is how I fixed it (Ubuntu 14.04/Debian).

Create a file called shib2.conf and place it in /etc/apache2/conf-available/

In the file, put the single line:

ShibCompatValidUser On

Run:

> sudo a2enconf shib2
> sudo apache2ctl graceful

And your basic auth Apache directories should allow you in again.

You could also simply add “ShibCompatValidUser On” to apache2.conf, but that risks being overwritten by subsequent upgrades, and a repeat of the process of trying to get to the bottom of an irritating glitch.