Summary:  In some situations it is useful to authenticate user sessions based on location (meaning network address) instead of the more usual credentials (e.g. username and password).  An Apache module, mod_auth_location, is available for this purpose.

Most modern application sign-on scenarios operate via credentials associated with and provided by a user:  a username and password, Kerberos ticket, X.509 certificate, etc.  Use of such credentials permits a user to sign on to a system or service regardless of where the user happens to be.  Many institutional systems have worked hard to eliminate the practice of basing access on location (meaning client machine network address, usually), for various reasons:  lack of personal accountability, disconnect from policy, etc.

In one use case, access based on location is exactly what policy calls for.  Traditionally licenses for use of physical library materials have granted access to members of the institution, or any others physically present in the library.  As access has moved online it is necessary to continue to support this access policy.  Terminals (kiosks) are placed in the library to support both institutional user and library walk-in access.

Many remote vendor-provided licensed resources have had access control set up by location.  Typically the licensee institution provides the licensor with its network address ranges, and resources may be accessed from machines in those ranges.  Walk-in user access fits in easily with this method.  As resources move to using user authentication for access, steps must be taken to preserve walk-in user access.  There are a variety of approaches to this, complete discussion of which is out of scope for this document.

From the resource provider point of view, especially for new resources which have never used location-based access, configuring resources for location-based access just to deal with walk-in users is onerous.  It is desirable to hide this complexity from the resource provider, and instead handle location-based access as an authentication mechanism at the identity provider (i.e. the licensee institution).
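As an added illustration of the check described in the two paragraphs above (this is not mod_auth_location's own code): the identity provider decides from the connection's peer address whether a request comes from one of the licensee's registered ranges and, if so, treats it as a walk-in user.  The address ranges, the trusted reverse-proxy address and the identity attributes returned are constructed assumptions; the X-Forwarded-For handling shows why the peer address, not a client-supplied header, must drive the decision.

```python
"""Location-based (network-address) authentication decision at the IdP.

Illustration only; ranges, proxy address and attribute names are constructed.
"""
import ipaddress
from typing import Optional, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample: the licensee's registered ranges (what it gives licensors).
LIBRARY_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:10::/48")]

# Constructed sample: the one reverse proxy whose X-Forwarded-For we trust.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.7/32")]


def client_address(peer_addr: str, forwarded_for: Optional[str] = None) -> Address:
    """Return the address the access decision is based on.

    The TCP peer is authoritative.  Only when the peer is a trusted proxy do we
    use the right-most X-Forwarded-For entry (the one that proxy appended); a
    header set by an arbitrary client must never be able to claim a library
    address, so for any other peer the header is ignored entirely.
    """
    peer = ipaddress.ip_address(peer_addr)
    if forwarded_for and any(peer in proxy for proxy in TRUSTED_PROXIES):
        last_hop = forwarded_for.split(",")[-1].strip()
        try:
            return ipaddress.ip_address(last_hop)
        except ValueError:
            pass  # malformed header: fall back to the proxy's own address
    return peer


def walk_in_identity(peer_addr: str, forwarded_for: Optional[str] = None) -> Optional[dict]:
    """Return a walk-in identity for a request from a registered range, else None.

    The dict stands in for the attributes an IdP would assert (e.g. in SAML)
    so the resource provider sees an ordinary authenticated session.
    """
    addr = client_address(peer_addr, forwarded_for)
    for net in LIBRARY_RANGES:
        if addr in net:  # ipaddress returns False for mismatched IP versions
            return {"user": "walk-in", "affiliation": "library-walk-in",
                    "source": str(addr), "range": str(net)}
    return None
```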

mod_auth_location from the University of Washington is an extension to the Apache httpd web server for this purpose.  It can be configured ...

In an environment using the SAML web browser sign-on profile (as supported by the Shibboleth system among many other implementations) this permits a location-based walk-in user to appear to a resource provider just as a credential-authenticated user does, simplifying resource access setup.