One additional hurdle that I had to overcome was an obscure Apache problem that caused the “AuthType shibboleth” directive in my .htaccess to be ignored, because (in effect) the relevant parts of Apache processing have to happen before the .htaccess file can be located. The solution was to move the “AuthType shibboleth” directive from my .htaccess file to a corresponding <Directory> or <Location> block in the main Apache configuration file (which used “AuthType Ucam-WebAuth” for other parts of the server). Maybe that insight helps someone here as well?
