Manifest - Integrating with NetID Login Service
This document outlines the different ways that application administrators can connect with their Manifest groups, through the NetID Login Service. This document is intended for system administrators and assumes that a functional Shibboleth Service Provider has been configured. For details on how to configure a Shibboleth Service Provider, see NetID Login Service: WebISO - Installation.
After a user authenticates with their NetID and password, Manifest can deliver group information through a Shibboleth attribute called "isMemberOf". Only groups that have been configured with your application's SAML2 Entity ID will be delivered. In this way, we ensure that your groups are only available for your applications to consume.
Locate Your Application's SAML2 Entity ID
The SAML2 Entity ID is the unique identifier for your service provider which is located in the shibboleth2.xml configiuration file on your application's host. Common locations are found below:
Once you have located the shibboleth2.xml file, open it in your preferred editor and find the entityID attribute in the
<ApplicationDefaults> tag. If you have specified an
<ApplicationOverride> tag in your XML file, use the value located there instead.
<ApplicationDefaults [...] id="myapp.wisc.edu" entityID="https://myapp.wisc.edu/shibboleth">
<ApplicationOverride [...] id="myapp.wisc.edu" entityID="https://myapp.wisc.edu/shibboleth">
Now that you have located your SAML2 Entity ID, copy it into your Manifest group(s) using the instructions outlined in Manifest - Manage SAML2 EntityIDs. Note that Entity IDs are case sensitive.
Configure Shibboleth for the "isMemberOf" Attribute
In order for your application to use the "isMemberOf" attribute, it must be part of your Shibboleth Service Provider's attribute map. If you have not configured your Service Provider to pull attributes from login.wisc.edu/metadata/attribute-map.xml, you must edit your attribute-map.xml file manually. This file should be located in the same folder as shibboleth2.xml. The following should be added to attribute-map.xml:
<!-- Member Of --> <Attribute name="urn:mace:dir:attribute-def:isMemberOf" id="isMemberOf"/> <Attribute name="urn:oid:188.8.131.52.4.1.59184.108.40.206.1" id="isMemberOf"/>
Authorization Using Manifest Groups (IIS/Apache)
Once you have configured Manifest and your Shibboleth Service Provider, you will be ready to utilize the "isMemberOf" attribute for authorization decisions. A typical means of doing this is via the
<RequestMapper> tag in your shibboleth2.xml file. A basic example is provided below; if you would like additional assistance with authorization decisions, please contact email@example.com.
<RequestMapper type="Native"> <RequestMap applicationId="default"> <Host name="myapp.wisc.edu" applicationId="myapp.wisc.edu" authType="shibboleth" requireSession="true" redirectToSSL="443"> <Path name="private" requireSession="true"> <AccessControl> <Rule require="isMemberOf">uw:domain:myapp.wisc.edu:private_users</Rule> </AccessControl> </Path> </Host> </RequestMap> </RequestMapper>
The example above restricts access to myapp.wisc.edu/private to members of the group uw:domain:myapp.wisc.edu:private_users (note that this is the Manifest Group ID Path).
Alternate Apache 2.x Configuration
Apache users can take advantage of the "require" directive to enforce group restrictions. This can be done in the Apache configuration or via htaccess files. An example Apache config is provided below.
<Location "/myApp"> AuthType shibboleth ShibRequireSession On ShibUseHeaders On ShibRequestSetting applicationID "myhost.wisc.edu/myApp" require isMemberOf uw:domain:dept:myapp:mygroup </Location>
.htaccess files provide a way to make configuration changes on a per-directory basis. A file, containing one or more configuration directives, is placed in a particular directory, and the directives apply to that directory, and all subdirectories thereof. Because of this, the <Location> directive is not used. An example is provided below
AuthType shibboleth ShibRequireSession On ShibUseHeaders On ShibRequestSetting applicationID "myhost.wisc.edu/myApp" require isMemberOf uw:domain:dept:myapp:mygroup