NetID Login Service: Getting Started
The Shibboleth component of the NetID Login Service provides web-based applications a means to: authenticate users with NetIDs, deliver attributes, and take advantage of single sign-on functionality.
The Shibboleth NetID Login Service was designed to give application administrators a reliable way to allow access to their data, without setting up their own authentication and authorization system. This document will guide departmental IT support staff on how to setup their web-based application to use the NetID Login Service. If you are a customer of DoIT Shared Hosting, please contact them for help setting up NetID Login Service for your hosted application.
The NetID Login Service works as follows:
- User attempts to access a protected web resource. This resource is also called a Service Provider, or SP.
- If the user has authenticated recently (within the last 8 hours), they are granted access. Otherwise, they are redirected to the UW Central Authentication site, known as an Identity Provider, or IdP, at https://login.wisc.edu.
- The IdP will prompt for NetID and password. If the user successfully authenticates, they will be redirected to the original resource.
The NetID Login Service does not directly support authorization; however, it can assist authorization decisions through attribute delivery. For more details see: NetID Login Service - Authorization and Access Control
UW-Madison uses Security Assertion Markup Language version 2 (SAML2) to provide the WebISO Identity Provider (IdP) component of the NetID Login Service. SAML2 is an open standard that enables single sign-on (SSO). In addition to providing a method of securing resources by requiring authentication, SAML2 offers rich attribute exchange. Attribute exchange is the process by which a SAML2 identity provider collects user data from backend sources and transmits it to the application as part of the authentication process.
Any UW-Madison web application can use NetID Login Service as a means of authentication. All people logging into that application will need to have a UW NetID and password for that ID.
All requests for support of NetID Login Service applications are made through the DoIT help desk by one of the methods described here: http://kb.wisc.edu/helpdesk/. This is necessary to track your issue and to route the support request to the appropriate member of the NetID Login Service Team.
When the issue is related to the web application itself and not related to NetID Login Service, support will be provided by the group that handles support requests for the web application, not by the NetID Login Service Team.
Information you will need before you begin installation
- Host Information
- Operating System
- Windows Server (2012 R2, 2015)
- Linux (RHEL, CentOS, Ubuntu)
- Unix (Solaris)
- Web Server
- IIS (SiteID of application)
- Contact Information
- Full Name
- Type of Contact (Admin, Tech, or Support)
- Email of Contact (Email list preferred)
Operating System Specific Shibboleth Installation Instructions
There are 3 environments for NetID Login Service:
- Production: EntityID https://login.wisc.edu/idp/shibboleth
Production is the primary environment for NetID Login Service. It should be used for all production applications.
- QA: EntityID https://loginqa.wisc.edu/idp/shibboleth
QA should be used for all non-production applications that do not require ITE integration. Like the Production environment, QA uses production NetID credentials.
- Test ("ITE"): EntityID https://logintest.wisc.edu/idp/shibboleth
Test should be used by very few applications, because only test/ITE NetIDs will be able to authenticate. Only SPs that require integration with ITE data or other ITE applications should use the test environment.
In addition to the NetID Login Service, there is the UW System Wisconsin Federation.
- Wisconsin Federation
Integration with the Wisconsin Federation WAYF is for approved UW System applications only. All WiscFed SP authorization requests must first be approved. To request Wisconsin Federation integration for a UW System application, submit an IAA data authorization request.
Generate Shibboleth2.xml File
After installing the SP software for Shibboleth you'll need to configure the shibboleth2.xml file correctly to work with the NetID Login Service. We recommend you use the automatic shibboleth2.xml generator.
Automatic Shibboleth2.xml Generator
- Production: https://login.wisc.edu/spgen
- QA: https://loginqa.wisc.edu/spgen
- Test ("ITE"): https://logintest.wisc.edu/spgen
- Wisconsin Federation: https://wayf.wisconsin.edu/spgen/
- NetID Login Service - Manual Configuration (General)
- NetID Login Service - Manual Configuration (Advanced)
Once generated, save the file as shibboleth2.xml in the Shibboleth configuration directory. By default this is /etc/shibboleth on Linux/Unix or C:\opt\shibboleth-sp\etc\shibboleth on Windows.
The NetID Login Service only accepts SSL/TLS connections since we are dealing with user credentials. Thus, the SP login portion of your application must be encrypted. More information can be found at NetID Login Service - Importance of Secure Cookies
Download Metadata Signing Certificate
Save this file in the Shibboleth configuration directory. By default this is the same location as your shibboleth2.xml configuration file (/etc/shibboleth on Linux/Unix or C:\opt\shibboleth-sp\etc\shibboleth on Windows).
UW-Madison and UW-Madison Federation (e.g., PubCookie replacement)
- Production: https://login.wisc.edu/metadata/login.wisc.edu-signing.pem
- QA: https://loginqa.wisc.edu/metadata/loginqa.wisc.edu-signing.pem
- Test ("ITE"): https://logintest.wisc.edu/metadata/logintest.wisc.edu-signing.pem
Wisconsin Federation (e.g., approved IDI request)
- Download the Signing Certificate
- Or copy and paste this address into your address bar: https://wayf.wisconsin.edu/metadata/wayf.wisconsin.edu-signing.pem
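As an added illustration (not the spgen output or UW's own configuration), the fragment below shows what a shibboleth2.xml wired to the Production IdP looks like once the steps above are done: the Production EntityID, the downloaded login.wisc.edu-signing.pem enforcing a signature check on the IdP metadata, and HTTPS-only session cookies. The SP entityID, the IdP metadata URL, the support address and the SP key/certificate filenames are placeholders, and Shibboleth SP 3.x is assumed.

```xml
<!-- Added example fragment, not the generated file; Shibboleth SP 3.x namespace assumed -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" clockSkew="180">
  <!-- PLACEHOLDER: your application's own entityID, as registered with the NetID Login Service -->
  <ApplicationDefaults entityID="https://YOUR-APP.wisc.edu/shibboleth" REMOTE_USER="eppn">

    <!-- handlerSSL="true" + cookieProps="https": handlers and session cookies are TLS-only,
         matching the requirement that the SP login portion be encrypted.
         lifetime="28800" is the 8-hour session window described above. -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https"
              redirectLimit="exact">
      <!-- Production IdP EntityID from this page; use the loginqa/logintest EntityID for QA or ITE -->
      <SSO entityID="https://login.wisc.edu/idp/shibboleth">SAML2</SSO>
      <Logout>SAML2 Local</Logout>
      <!-- Exposes /Shibboleth.sso/Metadata, the file you submit for SP activation -->
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <Errors supportContact="YOUR-SUPPORT-LIST@wisc.edu" helpLocation="/about.html"/>

    <!-- IdP metadata, refreshed periodically; the URL is a PLACEHOLDER (not given on this page).
         The Signature filter rejects any metadata not signed by the key in
         login.wisc.edu-signing.pem, which sits in the same directory as this file. -->
    <MetadataProvider type="XML" validate="true"
                      url="https://login.wisc.edu/IDP-METADATA-URL-PLACEHOLDER"
                      backingFilePath="login.wisc.edu-metadata.xml" maxRefreshDelay="7200">
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
      <MetadataFilter type="Signature" certificate="login.wisc.edu-signing.pem" verifyBackup="false"/>
    </MetadataProvider>

    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- SP key pairs used to sign requests and decrypt assertions; filenames are placeholders -->
    <CredentialResolver type="File" use="signing"
                        key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
    <CredentialResolver type="File" use="encryption"
                        key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
```

Run `shibd -t` to confirm the file parses before restarting the daemon; a metadata signature failure will show up in shibd.log as the provider refusing to load.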
Web Server Specific Configuration Instructions
Now that you have the Shibboleth daemon and your shibboleth2.xml configuration file installed and configured you're ready to integrate Shibboleth to work with your web application. Please click on the appropriate link for your web platform and configure your platform and Shibboleth install accordingly.
Service Provider Activation
Once you have your SP application installed, configured, and integrated correctly, you need to activate it with the NetID Login Service. The process involves emailing the NetID Login Service either the Metadata file itself (retrieved from https://localhost/Shibboleth.sso/Metadata on the SP host) or a link to your Metadata location (https://domain.wisc.edu/Shibboleth.sso/Metadata), along with your preferred contact for the SP.
Until your site is authorized, the following NetID Login Service error message will be presented to your users if they try to access protected content:
Sorry, there was a problem. Unsupported Request: The application you have accessed is not registered for use with this service.