NetID Login Service and Wisconsin Federation Attribute Information
This document covers common attribute questions and processes for both NetID Login and Wisconsin Federation.
Introduction
What is an SP, IdP and Attribute?
Service Provider (SP) - An SP is a web service that provides services/resources to a user that has been authorized to use it
Identity Provider (IdP) - An IdP acts as a data source for user information and acts as an authenticator to validate users before they can access the SP
SAML Attribute - An Attribute is a means for delivering information to the Service Provider about the authenticated user after logging into the application/resource
Obtaining attribute-map.xml
This document provides details on how to point the AttributeExtractor to login.wisc.edu/metadata/attribute-map.xml
It is recommended that your application pull in attribute-map.xml to ensure that any updates that are made to it will be passed to your application. For more information please see NetID Login Service - Manual Configuration (General)
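As an added illustration (not part of this KB article), the two shibboleth2.xml AttributeExtractor elements below contrast the stock local-file form with one that pulls attribute-map.xml from login.wisc.edu so updates reach the SP automatically. The backing file name and the reload interval are assumptions, not values from this page.

```xml
<!-- Added example, not from the KB article. -->

<!-- Stock form: reads a local attribute-map.xml and never re-reads it.
     Any change published at login.wisc.edu has to be copied by hand. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false"
    path="attribute-map.xml"/>

<!-- Recommended form: fetch the map from login.wisc.edu, keep a cached copy in
     backingFilePath (used if the download fails), and re-check for changes
     every reloadInterval seconds. The file name and interval are assumptions. -->
<AttributeExtractor type="XML" validate="true"
    url="https://login.wisc.edu/metadata/attribute-map.xml"
    backingFilePath="attribute-map.xml"
    reloadInterval="7200"/>
```

Only one AttributeExtractor of this kind should be active at a time; replace the stock element rather than adding a second one. After editing, restart shibd and confirm in shibd.log that the remote map was loaded, because a bad download falls back to the backing file silently.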
NetID Login Service Attribute Information
The default attribute release consists of the attributes that are released to the Service Provider without any form of data request:
uid - The user's NetID
ePPN (eduPersonPrincipalName) - Appears as a scoped username. The identifier is the person's login name or userID (uid) followed by a namespace; the domain after the @ sign defines the namespace (scope) that makes the identifier unique. Example: bbadger@wisc.edu
wiscEduPVI - Another unique identifier attribute
wiscEduPrivacyFlag - Indicates whether the person's educational data is protected by the FERPA Policy
eduPersonTargetedID - A unique ID that identifies a person while preserving their privacy; the value is unique per Service Provider
Service Providers who want to request additional attributes besides the ones that are released by default need to fill out an Identity Data Integration (IDI) - Request.
A list of data elements that are approved for Authorized Applications are described in Identity Data Integration - APPROVED ATTRIBUTES FOR RELEASE TO APPLICATIONS.
Once submitted, the request will go through the DoIT Middleware group who will help Service Providers approve and deliver the requested attributes.
A Quick Note - Authorization vs Authentication
Authentication - The act of identifying oneself by providing some sort of identification data, usually a username and password combination.
Authorization - The act of specifying what rights or access level a user has to a resource once authenticated.
For a quick note on appropriate NetID use standards see: UW-Madison - CIO - NetID Appropriate Use Standards.
How Service Providers can restrict access to a Manifest group
Service Providers can consume Manifest groups so that, once an end-user authenticates successfully, only members of an authorized group are allowed into the protected application.
This is accomplished by configuring the Manifest group to use the SP's EntityID. See Manifest - Manage SAML2 EntityIDs for more information.
The end-user attempts to authenticate to a resource behind Shibboleth.
Once the end-user authenticates, Manifest delivers group membership via a Shibboleth attribute known as "isMemberOf", which is used to confirm that the end-user is authorized to access the resource.
To configure "isMemberOf", it must be added to the Service Provider's attribute-map.xml.
The following should be added to the attribute-map.xml, which is usually located in the same folder as shibboleth2.xml.
To enforce the "isMemberOf" attribute, the Service Provider must include directives in one of the following files, depending on which web server software the Service Provider is using:
shibboleth2.xml (IIS or Apache)
Apache configuration files/.htaccess (Apache)
The Service Provider should now only allow users who are authorized to access the application/resources to do so.
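The steps above, worked through as an added example that is not part of this KB article: the attribute-map.xml entry that makes "isMemberOf" available to the SP, followed by a shibboleth2.xml RequestMapper rule that enforces membership in one group. The hostname, path and Manifest group name are placeholders, not real values; the OID is the standard eduMember isMemberOf attribute name.

```xml
<!-- Added example, not from the KB article. -->

<!-- 1. attribute-map.xml: map the SAML attribute Manifest sends to the local
        id "isMemberOf". urn:oid:1.3.6.1.4.1.5923.1.5.1.1 is the standard
        eduMember isMemberOf OID. Without this line the value arrives in the
        assertion but is dropped before any access rule can see it. -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="isMemberOf"/>

<!-- 2. shibboleth2.xml (IIS or Apache): inside the RequestMapper, require a
        Shibboleth session for the protected path and then require that at
        least one isMemberOf value equals the authorized Manifest group.
        sp.example.wisc.edu, "secure" and uw:example:app-users are placeholders. -->
<RequestMapper type="Native">
    <RequestMap applicationId="default">
        <Host name="sp.example.wisc.edu">
            <Path name="secure" authType="shibboleth" requireSession="true">
                <AccessControl>
                    <!-- A user with no isMemberOf value, or only other groups,
                         is denied; authentication alone is not enough. -->
                    <Rule require="isMemberOf">uw:example:app-users</Rule>
                </AccessControl>
            </Path>
        </Host>
    </RequestMap>
</RequestMapper>
```

On Apache with mod_shib for httpd 2.4 the equivalent goes in the httpd configuration or .htaccess for the protected location: AuthType shibboleth, ShibRequestSetting requireSession 1, and Require shib-attr isMemberOf uw:example:app-users (again a placeholder group name). Whichever file is used, test with an account that authenticates but is not in the group to confirm it is refused, not just with a member.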
See Manifest - Integrating with NetID Login Service for further and more detailed instructions.
Wisconsin Federation Attribute Information
Minimal Attribute Bundle
Name Identifier: SAML2 Transient NameID
User Attribute: eduPersonScopedAffiliation
Additional bundles found at InCommon - Default Attribute Release.
Service Providers who want to request additional attributes besides the ones that are released by default need to fill out an Identity Data Integration (IDI) - Request.
Once submitted, the request will go through the DoIT Middleware group who will help Service Providers approve and deliver the requested attributes.