DefineExternalGroup mygroup environment /opt/mygroup.sh
<Directory /var/www/secure/test01>
AuthType shibboleth
ShibRequireAll On
AuthzShibAuthoritative Off
Require Shibboleth
ShibRequestSetting requireSession 1
GroupExternal mygroup
Require group foobar
</Directory>
The script /opt/mygroup.sh looks like this (and it's exit value of 0 or 1 is used by Apache to allow/disallow access):
#!/bin/ksh echo "---------------" >> /tmp/mygroup.out echo $* >> /tmp/mygroup.out /usr/bin/env >> /tmp/mygroup.out cat >> /tmp/mygroup.out echo "---------------" >> /tmp/mygroup.out exit 0
After accessing the page (and authenticating against the IdP) the file /tmp/dccgroup.out looks like this:
---------------- _=/usr/bin/env AUTHTYPE=GROUP COOKIE=_shibsession_64656661756c...(digits elided) HTTP_HOST=foo.bar.edu IP=192.168.1.234 PATH=/usr/local/bin:/usr/bin:/bin PWD=/ URI=/secure/test01/hello.html _AST_FEATURES=UNIVERSE - ucb joe.user@BAR.EDU foobar ----------------
So we can get the URI and the value of REMOTE_USER passed into the script.