NetID Login Service: Getting Started

The Shibboleth component of the NetID Login Service gives web-based applications a means to authenticate users with NetIDs, receive user attributes, and take advantage of single sign-on functionality.


The Shibboleth NetID Login Service was designed to give application administrators a reliable way to allow access to their data without setting up their own authentication and authorization system. This document guides departmental IT support staff through setting up a web-based application to use the NetID Login Service. If you are a customer of DoIT Shared Hosting, please contact them for help setting up NetID Login Service for your hosted application.

The NetID Login Service works as follows:

  1. User attempts to access a protected web resource. This resource is also called a Service Provider, or SP.
  2. If the user has authenticated recently (within the last 8 hours), they are granted access. Otherwise, they are redirected to the UW Central Authentication site, known as an Identity Provider, or IdP, at
  3. The IdP will prompt for NetID and password. If the user successfully authenticates, they will be redirected to the original resource.

Here is a simplified image showing how the service operates:

[Image: IdP SP Simple Diagram]


NetID doesn't directly support authorization; however, it can assist authorization decisions through attribute delivery. For more details see: NetID Login Service - Authorization and Access Control


UW Madison uses Security Assertion Markup Language ver. 2 (SAML2) to provide the WebISO Identity Provider (IdP) component of the NetID Login Service. SAML2 is an open standard that enables single sign-on (SSO). In addition to providing a method of securing resources by requiring authentication, SAML2 offers rich attribute-exchange. Attribute exchange is the process by which a SAML2 identity provider can collect and transmit user data from backend sources as part of the authentication process.

Supported Applications

Any UW-Madison web application can use NetID Login Service as a means of authentication. All people logging into that application will need to have a UW NetID and password for that ID.

All requests for support of NetID Login Service applications are made through the DoIT help desk by one of the methods described here: This is necessary to track your issue and to route the support request to the appropriate member of the NetID Login Service Team.

When the issue is related to the web application itself and not related to NetID Login Service, support will be provided by the group that handles support requests for the web application, not by the NetID Login Service Team.

Information you will need before you begin installation

Software needed for SP installation should be retrieved from Internet2's software repository for Shibboleth:

  • Host Information
    • Operating System
      • Windows Server (2012 R2, 2015)
      • Linux (RHEL, CentOS, Ubuntu)
      • Unix (Solaris)
    • Web Server
      • Apache
      • IIS (SiteID of application)
      • Sun
  • Contact Information
    • Full Name
    • Type of Contact (Admin, Tech, or Support)
    • Email of Contact (Email list preferred)

Operating System Specific Installation Instructions


Installing Shibboleth SP on Windows


Installing Shibboleth SP on Linux


Installing Shibboleth SP on Solaris


After installing the SP software for Shibboleth you'll need to configure the shibboleth2.xml file correctly to work with the NetID Login Service. We recommend you use the automatic shibboleth2.xml generator.



The NetID Login Service only accepts SSL/TLS connections since we are dealing with user credentials. Thus, the SP login portion of your application must be encrypted. More information can be found at NetID Login Service - Importance of Secure Cookies.

Installing Signing Certificate

Retrieve the signing certificate for the NetID Login Service (link: signing certificate) and place it in the Shibboleth configuration directory referenced by your shibboleth2.xml. The default is the same location as your shibboleth2.xml configuration file.
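
A pre-activation check of shibboleth2.xml covering the two points above (TLS-only session handling with secure cookies, and a metadata signing certificate that is actually present on disk). This is an added example, not part of the original document or the output of the shibboleth2.xml generator; the sample configuration, entityID, metadata URL and certificate file name are constructed placeholders.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample configuration: entityID, URL and file names are placeholders.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://app.example.edu/shibboleth">
    <Sessions lifetime="28800" timeout="3600" handlerSSL="false" cookieProps="http"/>
    <MetadataProvider type="XML" url="https://idp.example.edu/metadata.xml"
                      backingFilePath="idp-metadata.xml">
      <MetadataFilter type="Signature" certificate="idp-signing.pem"/>
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>"""


def local(tag):
    """Drop the XML namespace so the element name can be compared directly."""
    return tag.rsplit("}", 1)[-1]


def audit_sp_config(xml_text, config_dir):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    elems = list(ET.fromstring(xml_text).iter())
    sessions = [e for e in elems if local(e.tag) == "Sessions"]
    if not sessions:
        findings.append("no <Sessions> element found")
    for s in sessions:
        if s.get("handlerSSL", "").lower() not in ("true", "1"):
            findings.append("handlerSSL is not explicitly true: handlers may answer over plain HTTP")
        props = s.get("cookieProps", "").lower()
        if props != "https" and "secure" not in props:
            findings.append("cookieProps is not 'https': Secure flag on session cookie not guaranteed")
    for mp in (e for e in elems if local(e.tag) == "MetadataProvider"):
        sig = [f for f in mp if local(f.tag) == "MetadataFilter" and f.get("type") == "Signature"]
        if not sig:
            findings.append("MetadataProvider has no Signature filter: IdP metadata is not verified")
        for f in sig:
            cert = f.get("certificate", "")
            path = cert if os.path.isabs(cert) else os.path.join(config_dir, cert)
            if not cert or not os.path.isfile(path):
                findings.append(f"signing certificate not found at {path}")
    return findings


if __name__ == "__main__":
    for finding in audit_sp_config(SAMPLE_CONFIG, os.getcwd()):
        print("FINDING:", finding)
```

Relative certificate paths are resolved against the directory passed as config_dir, matching the default of keeping the certificate next to shibboleth2.xml.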

Web Platform Specific Configuration Instructions

Now that you have the Shibboleth daemon and your shibboleth2.xml configuration file installed and configured, you're ready to integrate Shibboleth with your web application. Please click on the appropriate link for your web platform and configure your platform and Shibboleth install accordingly.


Integrating Shibboleth SP for Apache


Integrating Shibboleth SP for IIS


Integrating Shibboleth SP for Sun

Service Provider Activation

Once you have your SP application installed, configured, and integrated correctly you need to activate it with the NetID Login Service. The process involves either sending the Metadata file (https://localhost/Shibboleth.sso/Metadata) or a link to your Metadata location ( for your application to NetID Login Service email with your preferred contact for the SP.

Keywords: netid login service webiso iso sso saml2 shib shibboleth
Doc ID: 19750
Owner: Ryan L.
Group: Access Management Services
Created: 2011-08-15 14:16 CDT
Updated: 2016-09-13 12:27 CDT
Sites: Access Management Services, DoIT Help Desk, Middleware