NetID Login Service and Wisconsin Federation Attribute Information
Introduction
What is an SP, IdP and Attribute?
- Service Provider (SP) - An SP is a web service that provides services/resources to a user who has been authorized to use it.
- Identity Provider (IdP) - An IdP acts as a data source for user information and authenticates users before they can access the SP.
- SAML Attribute - An Attribute is a means of delivering information about the authenticated user to the Service Provider after the user logs into the application/resource.
Obtaining attribute-map.xml
- This document provides details on how to point the AttributeExtractor to login.wisc.edu/metadata/attribute-map.xml.
- It is recommended that your application pull in attribute-map.xml so that any updates made to it are passed through to your application. For more information please see NetID Login Service - Manual Configuration (General).
NetID Login Service Attribute Information
The default attribute release consists of the attributes that are released to the Service Provider without any form of data request:
- uid
  - User's NetID
- ePPN (eduPersonPrincipalName)
  - Appears as a scoped username
  - The identifier is the person's login name or userID (uid) followed by a namespace.
  - The domain after the @ sign defines a namespace (scope) which makes the identifier unique.
  - Example: bbadger@wisc.edu
- wiscEduPVI
  - Another unique identifier attribute
- wiscEduPrivacyFlag
  - This attribute indicates whether the person's educational data is protected under the FERPA Policy
- eduPersonTargetedID
  - A unique ID that identifies a person while preserving their privacy
  - This value is unique per Service Provider
- Service Providers who want to request additional attributes besides the ones that are released by default need to fill out an Identity Data Integration (IDI) - Request.
- The data elements approved for release to Authorized Applications are listed in Identity Data Integration - APPROVED ATTRIBUTES FOR RELEASE TO APPLICATIONS.
- Once submitted, the request goes through the DoIT Middleware group, who will help Service Providers get the requested attributes approved and delivered.
A Quick Note - Authorization vs Authentication
- Authentication - The act of identifying oneself by providing some form of identification data, usually a username and password combination.
- Authorization - The act of specifying what rights or access level a user has to a resource once authenticated.
- For a quick note on appropriate NetID use standards see: UW-Madison - CIO - NetID Appropriate Use Standards.
How Service Providers can restrict access to a Manifest group
- Service Providers can consume Manifest groups so that, once the end-user authenticates successfully, only group members who are authorized to use the protected application are allowed in.
- This is accomplished by configuring the Manifest group to use the SP's EntityID. See Manifest - Manage SAML2 EntityIDs for more information.
- The end-user attempts to authenticate to a resource behind Shibboleth.
- Once the end-user authenticates to the resource, Manifest delivers group information via a Shibboleth attribute known as "isMemberOf", which is used to make sure the end-user is authorized to access the resource.
- To use "isMemberOf", it must be added to the Service Provider's attribute-map.xml.
- The following should be added to the attribute-map.xml, which is usually located in the same folder as the Shibboleth2.xml.
- To enforce the "isMemberOf" attribute, the Service Provider must include directives in one of the following files, depending on which web server software the Service Provider is using:
  - Shibboleth2.xml (IIS or Apache)
  - Apache configuration files / .htaccess (Apache)
- The Service Provider should now only allow users who are authorized to access the application/resources to do so.
- See Manifest - Integrating with NetID Login Service for further and more detailed instructions.
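The two steps above (mapping the attribute in attribute-map.xml, then enforcing group membership once the user is authenticated) can be checked from the application side as well. The following is an added example, not code from this KB page or from the NetID Login Service; it parses a constructed attribute-map.xml fragment in the format Shibboleth SP reads (using the standard eduPerson/eduMember OIDs for uid, eppn and isMemberOf, which are not given on this page), then separates the authentication decision (a valid scoped ePPN from an expected scope) from the authorization decision (the required group appears in isMemberOf). It assumes the SP exposes attributes to the application as environment variables and joins multi-valued attributes such as isMemberOf with the Shibboleth SP delimiter `;`; the group names and the `sp_env` dictionary are constructed sample data.

```python
"""Added example (not from the UW-Madison KB page): parse a Shibboleth SP
attribute-map.xml and enforce a Manifest-style isMemberOf group check.

Assumptions (not stated on the page): the attribute-map fragment below is
constructed here using the standard eduPerson/eduMember OIDs, the SP exposes
attributes to the application as environment variables (not as spoofable
request headers), and Shibboleth SP joins multiple values with ';'.
"""
import xml.etree.ElementTree as ET

# Constructed attribute-map.xml fragment in the format Shibboleth SP reads.
# 'name' is the SAML attribute name sent by the IdP; 'id' is the local name
# the SP exposes to the application.
ATTRIBUTE_MAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="isMemberOf"/>
</Attributes>
"""

NS = {"am": "urn:mace:shibboleth:2.0:attribute-map"}
MULTI_VALUE_DELIM = ";"  # Shibboleth SP joins multi-valued attributes with ';'


def parse_attribute_map(xml_text):
    """Return {saml_attribute_name: local_id} for every <Attribute> entry."""
    root = ET.fromstring(xml_text)
    return {a.get("name"): a.get("id") for a in root.findall("am:Attribute", NS)}


def is_mapped(attribute_map, local_id):
    """True if the SP would expose an attribute under this local id at all.
    If isMemberOf is not mapped, group enforcement can never succeed."""
    return local_id in attribute_map.values()


def split_values(raw):
    """Split a multi-valued SP attribute string; None or '' means no values."""
    if not raw:
        return []
    return [v for v in raw.split(MULTI_VALUE_DELIM) if v]


def check_scope(eppn, allowed_scopes):
    """Verify the ePPN's scope (the part after the last '@') is an expected one."""
    if not eppn or "@" not in eppn:
        return False
    _, scope = eppn.rsplit("@", 1)
    return scope in allowed_scopes


def authorize(sp_env, required_group, allowed_scopes):
    """Authentication and authorization as two separate decisions.

    sp_env mimics the environment variables Shibboleth SP sets for the
    application after login. Returns (authenticated, authorized).
    """
    authenticated = check_scope(sp_env.get("eppn"), allowed_scopes)
    if not authenticated:
        return (False, False)
    groups = split_values(sp_env.get("isMemberOf"))
    return (True, required_group in groups)


if __name__ == "__main__":
    amap = parse_attribute_map(ATTRIBUTE_MAP_XML)
    print(amap)
    # Constructed sample of what the SP would expose after a successful login.
    env = {"eppn": "bbadger@wisc.edu",
           "isMemberOf": "uw:example:app-users;uw:example:staff"}
    print(authorize(env, "uw:example:app-users", {"wisc.edu"}))
```

The point of keeping `authorize` as two decisions is the distinction the page draws: a user with a valid NetID login but without the required Manifest group is authenticated yet not authorized, and the application should treat an absent or empty `isMemberOf` as "not a member" rather than as an error that falls open.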
Wisconsin Federation Attribute Information
- Minimal Attribute Bundle
  - Name Identifier: SAML2 Transient NameID
  - User Attribute: eduPersonScopedAffiliation
- Additional bundles are described at InCommon - Default Attribute Release.
- Service Providers who want to request additional attributes besides the ones that are released by default need to fill out an Identity Data Integration (IDI) - Request.
- Once submitted, the request goes through the DoIT Middleware group, who will help Service Providers get the requested attributes approved and delivered.