NetID Login Service: Getting Started

The Shibboleth component of the NetID Login Service gives web-based applications a way to authenticate users with their NetIDs, receive user attributes, and take advantage of single sign-on (SSO).


Overview

The Shibboleth NetID Login Service was designed to give application administrators a reliable way to control access to their data without setting up their own authentication and authorization system. This document guides departmental IT support staff through setting up a web-based application to use the NetID Login Service. If you are a customer of DoIT Shared Hosting, please contact them for help setting up the NetID Login Service for your hosted application.

The NetID Login Service works as follows:

  1. The user attempts to access a protected web resource. This resource is also called a Service Provider, or SP.
  2. If the user has authenticated recently (within the last 8 hours), they are granted access. Otherwise, they are redirected to the UW central authentication site, known as an Identity Provider, or IdP, at https://login.wisc.edu.
  3. The IdP prompts for a NetID and password. If the user authenticates successfully, they are redirected back to the original resource.


Authorization

The NetID Login Service does not directly support authorization; however, it can assist authorization decisions through attribute delivery. For more details, see: NetID Login Service - Authorization and Access Control


Technology

UW-Madison uses Security Assertion Markup Language version 2 (SAML2) to provide the WebISO Identity Provider (IdP) component of the NetID Login Service. SAML2 is an open standard that enables single sign-on (SSO). In addition to securing resources by requiring authentication, SAML2 offers rich attribute exchange: the process by which a SAML2 identity provider collects user data from backend sources and transmits it to the SP as part of the authentication process.


Supported Applications

Any UW-Madison web application can use NetID Login Service as a means of authentication. All people logging into that application will need to have a UW NetID and password for that ID.

All requests for support of NetID Login Service applications are made through the DoIT help desk by one of the methods described here: http://kb.wisc.edu/helpdesk/. This is necessary to track your issue and to route the support request to the appropriate member of the NetID Login Service Team.

When the issue is related to the web application itself and not related to NetID Login Service, support will be provided by the group that handles support requests for the web application, not by the NetID Login Service Team.


Information you will need before you begin installation

Software needed for SP installation should be retrieved from Internet2's software repository for Shibboleth. Before you begin, have the following information ready:

  • Host Information
    • Operating System
      • Windows Server (2012 R2, 2015)
      • Linux (RHEL, CentOS, Ubuntu)
      • Unix (Solaris)
    • Web Server
      • Apache
      • IIS (SiteID of application)
      • Sun
  • Contact Information
    • Full Name
    • Type of Contact (Admin, Tech, or Support)
    • Email of Contact (Email list preferred)

Operating System Specific Shibboleth Installation Instructions

Windows Server

IIS 7/8

Apache (Windows)

Additional resources for installing Shibboleth on Windows Server

Linux

Apache (Red Hat/CentOS)

Apache (Ubuntu/Debian)

Additional resources for installing Shibboleth on Linux

Solaris

Installing Shibboleth SP on Solaris


IdPs/Environments

There are three environments for the NetID Login Service:

  • Production: EntityID https://login.wisc.edu/idp/shibboleth

    Production is the primary environment for NetID Login Service. It should be used for all production applications.

  • QA: EntityID https://loginqa.wisc.edu/idp/shibboleth

    QA should be used for all non-production applications that do not require ITE integration. Like the Production environment, QA uses production NetID credentials.

  • Test ("ITE"): EntityID https://logintest.wisc.edu/idp/shibboleth

    Test should be used by very few applications, because only test/ITE NetIDs will be able to authenticate. Only SPs that require integration with ITE data or other ITE applications should use the test environment.

In addition to the NetID Login Service, there is the UW System Wisconsin Federation.

  • Wisconsin Federation

    Integration with the Wisconsin Federation WAYF is for approved UW System applications only. All WiscFed SP authorization requests must first be approved. To request Wisconsin Federation integration for a UW System application, submit an IAA data authorization request.


Generate Shibboleth2.xml File

After installing the SP software for Shibboleth you'll need to configure the shibboleth2.xml file correctly to work with the NetID Login Service. We recommend you use the automatic shibboleth2.xml generator.

Automatic Shibboleth2.xml Generator

Manual


Once generated, save this file as shibboleth2.xml in the Shibboleth configuration directory (by default /etc/shibboleth on Linux and Solaris, or C:\opt\shibboleth-sp\etc\shibboleth on Windows).


The NetID Login Service only accepts SSL/TLS connections, since user credentials are involved. Thus, the SP login portion of your application must be served over HTTPS. More information can be found at NetID Login Service - Importance of Secure Cookies


Download Metadata Signing Certificate

Save this certificate file in the Shibboleth configuration directory. By default this is the same location as your shibboleth2.xml configuration file (/etc/shibboleth on Linux and Solaris, or C:\opt\shibboleth-sp\etc\shibboleth on Windows).
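As an added illustration (not the output of the generator above and not an official NetID Login Service template), here is a minimal shibboleth2.xml that wires an SP to the Production IdP entityID listed above and verifies the IdP metadata against the downloaded signing certificate. The SP entityID, the IdP metadata URL and the signing-certificate filename are placeholders, since this page does not give them; take them from the generator output and the certificate download.

```xml
<!-- Constructed example shibboleth2.xml for the NetID Login Service (Production IdP).
     Placeholders (not given on this page): the SP entityID, the IdP metadata URL
     and the name of the downloaded metadata signing certificate. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">

  <!-- entityID of this SP: placeholder; use the value you register at activation -->
  <ApplicationDefaults entityID="https://SP-HOST-PLACEHOLDER.wisc.edu/shibboleth"
                       REMOTE_USER="eppn">

    <!-- handlerSSL="true" and cookieProps="https" keep the SP handlers and the
         session cookie on TLS only, as the service requires; lifetime is in seconds -->
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerSSL="true" cookieProps="https" relayState="ss:mem">

      <!-- SAML2 SSO against the Production IdP; substitute the QA or Test
           entityID from the environments list for non-production deployments -->
      <SSO entityID="https://login.wisc.edu/idp/shibboleth">
        SAML2
      </SSO>

      <Logout>SAML2 Local</Logout>
      <!-- /Shibboleth.sso/Metadata, the document you send in for activation -->
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <!-- IdP metadata: URL is a placeholder. The Signature filter rejects any
         metadata not signed by the downloaded signing certificate, so a tampered
         or spoofed feed cannot redirect logins to a rogue IdP; RequireValidUntil
         refuses stale metadata with no expiry. -->
    <MetadataProvider type="XML" uri="https://IDP-METADATA-URL-PLACEHOLDER/metadata.xml"
                      backingFilePath="netid-idp-metadata.xml" reloadInterval="7200">
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
      <MetadataFilter type="Signature" certificate="SIGNING-CERT-PLACEHOLDER.pem"/>
    </MetadataProvider>

    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- SP key pair, generated at install time, used to decrypt assertions -->
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
```

After editing, restart shibd and check /Shibboleth.sso/Status from the SP host itself; a metadata signature or validity failure is reported there before any user sees the IdP error page.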


Web Server Specific Configuration Instructions

Now that you have the Shibboleth daemon and your shibboleth2.xml configuration file installed and configured you're ready to integrate Shibboleth to work with your web application. Please click on the appropriate link for your web platform and configure your platform and Shibboleth install accordingly.

Apache

Integrating Shibboleth SP for Apache

IIS

Integrating Shibboleth SP for IIS

Sun

Integrating Shibboleth SP for Sun


Service Provider Activation

Once your SP application is installed, configured, and integrated correctly, you need to activate it with the NetID Login Service. The process involves emailing the NetID Login Service either your metadata file itself (retrieved on the SP host from https://localhost/Shibboleth.sso/Metadata) or a link to your metadata location (https://domain.wisc.edu/Shibboleth.sso/Metadata) for your application, along with your preferred contact for the SP.


Until your site is authorized, the following NetID Login Service error message will be presented to your users if they try to access protected content:
Sorry, there was a problem. Unsupported Request: The application you have accessed is not registered for use with this service.

Keywords: netid login service webiso iso sso saml2 shib shibboleth
Doc ID: 19750
Owner: Ryan L.
Group: Access Management Services
Created: 2011-08-15 14:16 CDT
Updated: 2017-06-02 13:16 CDT
Sites: Access Management Services, DoIT Help Desk, Middleware