I have the following .htaccess file on our xxx.yyy.edu site, in the root.
<FilesMatch "(.+)\.php">
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibUseHeaders On
Require valid-user
ShibRequestSetting redirectToSSL 443
</FilesMatch>
This should only match files that end in .php, and match all files that end in .php, then force authentication. That part of it appears to work fine.
However, it also matches the root url, http://xxx.yyy.edu and http://xxx.yyy.edu/. Which isn’t a good thing, since it is forcing the root of the site to be authenticated.
It does not match xxx.yyy.edu/index.htm, or any other url that has anything after the domain name, like xxx.yyy.edu/students.htm or even xxx.yyy.edu/x
I’ve tested it in www.regexr.com, and it does not match the root url there.
Any thoughts/suggestions appreciated.
You are getting authentication dialog because on your landing page default page is set to index.php.
Have this FilesMatch with negative lookahead to avoid index.php from authentication:
<FilesMatch "^(?!index\.php$).+?\.php$">
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibUseHeaders On
Require valid-user
ShibRequestSetting redirectToSSL 443
</FilesMatch>