Frequently asked questions regarding NetID Login (a/k/a WebISO)
The NetID Login Service is a WebISO (Web Initial Sign-On), which is a technology that allows a large community of applications to use a central login credential (NetID & password) to authenticate users while simultaneously reducing the risk of account compromise. This is accomplished through the use of a central login service, and application modules that redirect to and from the central login service.
If people are having problems logging into NetID Login Service(WebISO)-protected applications, these instructions will help to determine if the problem is with the NetID login servers or with the application:
Try logging in to both of these servers (you can ignore any SSL certificate mismatch warnings presented by your browser):
Clicking each link should bring up a browser window prompting you to log in with your NetID and then displaying "Hello World" after a successful login. This indicates that the login server is functioning properly.
If the test succeeds for both links, the NetID login servers are functioning correctly and the problem is with the application (either in their local WebISO configuration or their Authorization).
If the test fails for either link, one of the login servers is down.
A current listing of browsers can be found in NetID - Recommended Browsers.
It can sometimes be hard to tell if you are logged out or not. The best way to ensure that you are completely logged out is to close your web browser and clear your cookies (see NetID Login Service - Logout Procedure).
The previous user did not log out of their NetID session. If a NetID session simply expires or an application requests
re-authentication (such as My UW-Madison), you will see the NetID of the previously (or currently) logged-in person.
If you see someone else's NetID in the login box, the best thing to do is completely close the browser (all windows) and clear your cookies (see NetID Login Service - Logout Procedure).
When you use an icon on your desktop (or quick-launch bar), a new browser session is opened. This is an intentional security feature. If you open a new window via CTRL-N or File->New->Window, and use a bookmark, it will use the same session and multiple logins will not be required.
Shibboleth supports Apache and IIS web servers. For complete details, see Shibboleth's documentation.
Minimally, you need:
There are a few ways to provide people with a NetID, depending on the situation.
For Shibboleth to provide secure authentication, you need to make sure your application server's Shibboleth SP communicates with the login server over an encrypted connection, so that user-specific data is not passed over the internet in plain text.
For more information, see NetID Login Service - Importance of Secure Cookies.
Single Logout in the context of the UW NetID Login Service would be the action of clicking a Logout link or button that would cause the user to be logged out of all NetID Login-protected applications at once. Currently, Single Logout is not possible in the UW NetID Login Service. There are many reasons for this, and if you're interested in details this document provides a good overview.
The only complete NetID logout is closing the browser and clearing all
session cookies, which is the end user's responsibility. End users can review instructions on clearing
cookies and making sure their browser is safely configured here: NetID Login Service - Logout Procedure.
Application developers can use the central NetID logout page (https://login.wisc.edu/logout) as a way of requiring users to sign back in with their NetID in order to:
In Shibboleth, redirection to the central logout page can be done by using the Logout property of the Shibboleth handler to perform a Local Logout and attaching a return value that redirects the user to the UW NetID Login Service logout page.
Here's a sample logout link for the application example.dept.wisc.edu:
It is not necessary to coordinate a server migration with the NetID Login Service team. By following these steps, Shibboleth will continue to function seamlessly when you cut over to the new server.
These steps should result in the NetID Login Service continuing to function immediately after the server migration. If there is a need to change anything in the Metadata, for example you are switching to a new sp-key.pem and sp-cert.pem, you will need to contact the the NetID Login Service team to upload the updated Metadata file.
Configuring Load Balanced servers for Shibboleth is very similar to a standard SP configuration, with a few additional things to be aware of:
You can choose to use the Production, QA, or Test environment of the NetID Login Service for your application. Production and QA both use "real"/production NetIDs and passwords for authentication, while Test uses special test ("ITE") credentials that most users do not have by default. The test environment should only be used if it is absolutely necessary to integrate with ITE data or other ITE applications, otherwise QA should be used for the vast majority of non-production applications.
When you contact the NetID Login Service team to have your application authorized as an SP, make sure to let them know what environment you will be using. If you are still not sure which to use, contact email@example.com for assistance.
The IDP Metadata is available at the following URLs:
Important: If you are an application manager, please indicate that fact in your communication and include the text of the error and the FQDN of the server.
You can also call the DoIT Help Desk at 264-4357 or open a case online at the Helpdesk Page (once there, click on "Create a New Case" from the left menu options).