Manifest - Integrating with NetID Login Service

This document outlines the different ways that application administrators can connect with their Manifest groups, through the NetID Login Service. This document is intended for system administrators and assumes that a functional Shibboleth Service Provider has been configured. For details on how to configure a Shibboleth Service Provider, see NETID LOGIN SERVICE - GETTING STARTED.

After a user authenticates with their NetID and password, Manifest can deliver group information through a Shibboleth attribute called "isMemberOf". Only groups that have been configured with your application's SAML2 Entity ID will be delivered. In this way, we ensure that your groups are only available for your applications to consume.


Locate Your Application's SAML2 Entity ID

The SAML2 Entity ID is the unique identifier for your service provider. It is located in the shibboleth2.xml configuration file on your application's host. Common locations are listed below:

Windows:
C:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml
Linux:
/etc/shibboleth/shibboleth2.xml

Once you have located the shibboleth2.xml file, open it in your preferred editor and find the entityID attribute in the <ApplicationDefaults> tag. If you have specified an <ApplicationOverride> tag in your XML file, use the value located there instead.

Examples:
<ApplicationDefaults [...] id="myapp.wisc.edu" entityID="https://myapp.wisc.edu/shibboleth">
<ApplicationOverride [...] id="myapp.wisc.edu" entityID="https://myapp.wisc.edu/shibboleth">

Now that you have located your SAML2 Entity ID, copy it into your Manifest group(s) using the instructions outlined in Manifest - Manage SAML2 EntityIDs. Note that Entity IDs are case sensitive.


Configure Shibboleth for the "isMemberOf" Attribute

In order for your application to use the "isMemberOf" attribute, it must be part of your Shibboleth Service Provider's attribute map. If you have not configured your Service Provider to pull attributes from login.wisc.edu/metadata/attribute-map.xml, you must edit your attribute-map.xml file manually. This file should be located in the same folder as shibboleth2.xml. The following should be added to attribute-map.xml:

<!--  Member Of  -->
<Attribute name="urn:mace:dir:attribute-def:isMemberOf" id="isMemberOf"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="isMemberOf"/>
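The two steps above (reading the entityID, with an ApplicationOverride taking precedence over ApplicationDefaults, and confirming both isMemberOf mappings exist) can be checked with a short script. This is an added example, not code from the Manifest or NetID Login Service documentation; the two XML samples are constructed stand-ins for real configuration files.

```python
"""Check shibboleth2.xml for the entityID(s) Manifest needs and confirm that
attribute-map.xml maps both isMemberOf attribute names. Added example; the
sample XML below is constructed, not taken from a real host."""
import xml.etree.ElementTree as ET

# Shibboleth SP configuration elements are namespaced; compare local names only.
def _local(tag):
    return tag.rsplit("}", 1)[-1]

def find_entity_ids(shib2_xml):
    """Return {applicationId: entityID}. ApplicationDefaults supplies the
    'default' entry; each ApplicationOverride gets its own entry and inherits
    the default entityID only if it does not set one itself."""
    root = ET.fromstring(shib2_xml)
    result = {}
    for el in root.iter():
        if _local(el.tag) != "ApplicationDefaults":
            continue
        default_id = el.get("entityID")
        result[el.get("id", "default")] = default_id
        for ov in el.iter():
            if _local(ov.tag) == "ApplicationOverride":
                result[ov.get("id")] = ov.get("entityID") or default_id
    return result

# Both names the article adds to attribute-map.xml; Entity IDs and attribute
# names are matched exactly, since they are case sensitive.
ISMEMBEROF_NAMES = {
    "urn:mace:dir:attribute-def:isMemberOf",
    "urn:oid:1.3.6.1.4.1.5923.1.5.1.1",
}

def missing_ismemberof_mappings(attr_map_xml):
    """Return the isMemberOf attribute names not yet mapped to id='isMemberOf'."""
    root = ET.fromstring(attr_map_xml)
    mapped = {el.get("name") for el in root.iter()
              if _local(el.tag) == "Attribute" and el.get("id") == "isMemberOf"}
    return ISMEMBEROF_NAMES - mapped

# Constructed samples: one override host, and a map missing the OID form.
SAMPLE_SHIB2 = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://myapp.wisc.edu/shibboleth">
    <ApplicationOverride id="admin" entityID="https://admin.myapp.wisc.edu/shibboleth"/>
  </ApplicationDefaults>
</SPConfig>"""
SAMPLE_ATTR_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:mace:dir:attribute-def:isMemberOf" id="isMemberOf"/>
</Attributes>"""

if __name__ == "__main__":
    print("entity IDs:", find_entity_ids(SAMPLE_SHIB2))
    print("missing isMemberOf mappings:", missing_ismemberof_mappings(SAMPLE_ATTR_MAP))
```

Point the two functions at the real files (open them and pass the text) and any name still reported as missing must be added to attribute-map.xml before the "isMemberOf" attribute will reach your application.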

Authorization Using Manifest Groups (IIS)

Shibboleth2.xml Directives

Once you have configured Manifest and your Shibboleth Service Provider, you will be ready to utilize the "isMemberOf" attribute for authorization decisions. A typical means of doing this is via the <RequestMapper> tag in your shibboleth2.xml file. A basic example is provided below; if you would like additional assistance with authorization decisions, please contact manifest@doit.wisc.edu.

<RequestMapper type="Native">
   <RequestMap applicationId="default">
      <Host name="myapp.wisc.edu" applicationId="myapp.wisc.edu" authType="shibboleth" requireSession="true" redirectToSSL="443">
         <Path name="private" requireSession="true">
            <AccessControl>
               <Rule require="isMemberOf">uw:domain:myapp.wisc.edu:private_users</Rule>
            </AccessControl>
         </Path>
      </Host>
   </RequestMap>
</RequestMapper>

The example above restricts access to myapp.wisc.edu/private to members of the group uw:domain:myapp.wisc.edu:private_users (note that this is the Manifest Group ID Path).


Configuration File Directives

Alternate Apache 2.2 and below Configuration

Apache users can enforce group restrictions with the Require directive in the Apache configuration. An example Apache config is provided below.

<Location "/myApp">
	AuthType shibboleth
	ShibRequestSetting requireSession 1
	ShibUseHeaders On
	ShibRequestSetting applicationID "myhost.wisc.edu/myApp"
	Require isMemberOf uw:domain:dept:myapp:mygroup
</Location>

Apache 2.4 Configuration

For Apache 2.4 and above, the syntax used to restrict access to a Manifest group changes: the Require directive takes the shib-attr provider, as shown in the example Apache config below.

<Location "/myApp">
	AuthType shibboleth
	ShibRequestSetting requireSession 1
	ShibUseHeaders On
	ShibRequestSetting applicationID "myhost.wisc.edu/myApp"
	Require shib-attr isMemberOf uw:domain:dept:myapp:mygroup
</Location>

.htaccess Directives

.htaccess files provide a way to make configuration changes on a per-directory basis. A file containing one or more configuration directives is placed in a particular directory, and the directives apply to that directory and all of its subdirectories. Because of this, the <Location> directive is not used. Examples are provided below.

Apache 2.2 and below Directives

AuthType shibboleth
ShibRequestSetting requireSession 1
ShibUseHeaders On
ShibRequestSetting applicationID "myhost.wisc.edu/myApp"
require isMemberOf uw:domain:dept:myapp:mygroup

Apache 2.4 Directives

AuthType shibboleth
ShibRequestSetting requireSession 1
ShibUseHeaders On
ShibRequestSetting applicationID "myhost.wisc.edu/myApp"
require shib-attr isMemberOf uw:domain:dept:myapp:mygroup
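The Require directives above let the web server make the group decision. An application can also make the same decision itself from the "isMemberOf" value the Service Provider delivers. The following is an added example, not code from the Manifest or NetID Login Service documentation; it assumes the SP exports the attribute as a request environment variable named isMemberOf and joins multiple group values with the SP's default ";" delimiter, and the sample environment is constructed.

```python
"""Application-side check of the isMemberOf attribute delivered by the
Shibboleth SP. Added example; assumes the SP's default ';' delimiter for
multi-valued attributes and that the value arrives in the request
environment (ShibUseHeaders Off). With ShibUseHeaders On it arrives as a
request header instead; only read it from there when the SP, not the
client, is the sole source of that header."""

VALUE_DELIMITER = ";"  # Shibboleth SP default for multi-valued attributes

def groups_from_attribute(raw):
    """Split the delivered isMemberOf value into a set of Manifest group ID paths."""
    if not raw:
        return set()
    return {g for g in raw.split(VALUE_DELIMITER) if g}

def is_member(environ, *required_groups, key="isMemberOf"):
    """True if the user is in ANY of required_groups (the same any-of
    semantics as listing several groups on one Require line). Groups are
    compared as whole values after splitting, so a group path that is a
    prefix of another (mygroup vs mygroup2) cannot match by accident."""
    delivered = groups_from_attribute(environ.get(key))
    return any(group in delivered for group in required_groups)

# Constructed request environment as mod_shib would populate it (not real data).
SAMPLE_ENVIRON = {
    "REMOTE_USER": "bbadger@wisc.edu",
    "isMemberOf": "uw:domain:dept:myapp:mygroup2;uw:domain:myapp.wisc.edu:private_users",
}

if __name__ == "__main__":
    for wanted in ("uw:domain:myapp.wisc.edu:private_users", "uw:domain:dept:myapp:mygroup"):
        print(wanted, "->", "allow" if is_member(SAMPLE_ENVIRON, wanted) else "deny")
```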