How do I require PennKey authentication to access my website?

PennKey authentication is supported in websites in the following domains:

Most custom domains configured by CETS and hosted on SEAS infrastructure also support PennKey authentication.

Important: An encrypted connection is mandatory. Protected directories must be accessed via HTTPS or an error will be returned.

Note: PennKeys are intended for authentication, not authorization. Anyone affiliated with Penn may obtain a PennKey, including faculty, students, staff, alums, spouses and children of faculty/staff, colleagues of Penn faculty, contractors, consultants, people who attend events on the Penn campus, nonhuman service accounts, etc.

Warning: Penn has retired CoSign and standardized on Shibboleth. If you have restricted access using CoSign, you will need to update your configuration using the instructions below.

You'll need to create or install a plaintext file named .htaccess in the directory you want to protect. This will also restrict access to any subdirectories that it contains. You can log into the account on and create the file with your favorite text editor or transfer the file to the account from your local machine.

To allow access to anyone with a PennKey, include these lines in the .htaccess file:

AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-session

To restrict access to specific PennKey users, list them separated by spaces (clifford and marilyn, in this example):

AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-user clifford marilyn

Your .htaccess file must be readable by the web server. In most cases, this will mean making it world readable with this command:

chmod 644 .htaccess

See How do I use chmod to change permissions? for more information.

Important: To prevent other accounts on the server from accessing your files via the filesystem, set the correct permissions on your protected folder by running the chgrp-httpd command from within the directory you want to protect.

chgrp-httpd .

Note: it is not advisable to use the chgrp-httpd command if you are protecting files in your CGI directory. Instead, chmod the protected directory to 711.

Note: The chgrp-httpd command will only run on Eniac.

How do I access a visitor's PennKey in my code?

Once authenticated, you can access a user's PennKey username (PennName) in your code via the web server's REMOTE_USER environment variable.

Here is an example to print the authenticated user's PennName in PHP:


The following attributes from the Shibboleth authentication session are also available in the environment:

The user's PennName, equivalent to REMOTE_USER
The user's 8-Digit Penn ID
The user's eduPersonPrincipalName (or scoped PennName) returned as
The user's preferred email address from the Penn Directory (may be substituted with if no address is available)
The user's full name, typically returned in a format similar to "Franklin, Benjamin"
The user's surname (family name, last name, etc.)
The user's given name (first name)

Warning: The availability and content of the mail, displayName, sn (surname) and givenName attributes are determined the user and may vary between environments, so your code must not depend on these values being present. Consult the List of Shibboleth attributes available at Penn page for more information.

© Computing and Educational Technology Services