NetID Login Service and Wisconsin Federation Attribute Information

This document covers common attribute questions and processes for both NetID Login and Wisconsin Federation.

Introduction

What is an SP, IdP and Attribute?

  • Service Provider (SP) - An SP is a web service that provides services/resources to a user that has been authorized to use it

  • Identity Provider (IdP) - An IdP acts as a data source for user information and acts as an authenticator to validate users before they can access the SP

  • SAML Attribute - An Attribute is a means for delivering information to the Service Provider about the authenticated user after logging into the application/resource

Obtaining attribute-map.xml

  • This document provides details on how to point the AttributeExtractor to login.wisc.edu/metadata/attribute-map.xml

  • It is recommended that your application pull in attribute-map.xml to ensure that any updates that are made to it will be passed to your application. For more information please see NetID Login Service - Manual Configuration (General)

NetID Login Service Attribute Information

The default attribute release consists of the attributes that are released to the Service Provider without any form of data request

  • uid

    • User's NetID

  • ePPN (eduPersonPrincipalName)

    • Appears as a scoped username

    • The identifier is the person's login name or userID (uid) followed by a namespace.

    • The domain that comes after the @ sign defines a namespace (scope), which is what makes the identifier unique

      • Example: bbadger@wisc.edu

  • wiscEduPVI

    • Another unique identifier attribute

  • wiscEduPrivacyFlag

    • This attribute indicates if the person's educational data is protected by the FERPA Policy

  • eduPersonTargetedID

    • A unique ID that identifies a person while preserving their privacy

    • This value is unique per Service Provider

A Quick Note - Authorization vs Authentication

  • Authentication - The act of identifying oneself by providing some sort of identification data, usually a username and password combination.

  • Authorization - The act of specifying what rights or access level a user has to a resource once authenticated.

  • For a quick note on appropriate NetID use standards see: UW-Madison - CIO - NetID Appropriate Use Standards.

How Service Providers can restrict access to a Manifest group

  • Service Providers can consume Manifest groups so that, once the end-user authenticates successfully, only members of the authorized group are allowed into the protected application.

  • This is accomplished by the Manifest group being configured to use the SP's EntityID. See Manifest - Manage SAML2 EntityIDs for more information.

  • End-user attempts to authenticate to a resource behind Shibboleth.

  • Once an end-user authenticates to a resource, Manifest delivers group information via a Shibboleth attribute known as "isMemberOf", which the Service Provider uses to verify that the end-user is authorized to access the resource.

    • To configure "isMemberOf", it must be added to the Service Provider's attribute-map.xml.

    • The following should be added to the attribute-map.xml which is usually located in the same folder as the Shibboleth2.xml.

    • <!-- Member Of -->
      <attribute name="urn:mace:dir:attribute-def:isMemberOf" id="isMemberOf"/>
      <attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="isMemberOf"/>

  • In order to enforce the "isMemberOf" attribute, the Service Provider must include directives in one of the following files, depending on which web server software the Service Provider is using

    • Shibboleth2.xml (IIS or Apache)

    • Apache configuration files/.htaccess (Apache)

  • The Service Provider should now only allow users who are authorized to access the application/resources to do so.

  • See Manifest - Integrating with NetID Login Service for further and more detailed instructions.
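The Apache form of the enforcement directives described above, as an added example that is not part of the KB article or the Manifest documentation. It assumes Apache httpd 2.4 with the Shibboleth SP module loaded, that "isMemberOf" has already been mapped in attribute-map.xml, and that the group name "uw:org:example:app-users" is a placeholder for the Manifest group configured with this SP's EntityID.

```apache
# Added example (not from the KB article): protect everything under /protected
# so that a user must (1) hold a Shibboleth session, i.e. be authenticated by
# the IdP, and (2) be a member of one specific Manifest group, i.e. be authorized.
# "uw:org:example:app-users" is a placeholder; use the real Manifest group name.
<Location /protected>
    # Hand authentication to mod_shib instead of Basic/Digest auth
    AuthType shibboleth

    # Require an active session: unauthenticated requests are redirected to
    # the IdP rather than passed through with empty attributes
    ShibRequestSetting requireSession 1

    # Authorization step: the isMemberOf attribute (the id from attribute-map.xml)
    # must carry this group value. Multi-valued attributes are checked per value,
    # so membership in other groups does not grant or block access here.
    Require shib-attr isMemberOf uw:org:example:app-users
</Location>
```

Because authentication and authorization are enforced by the SP before the request reaches the application, a user who logs in successfully but is not in the group receives an Apache 403 rather than the application's pages.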

Wisconsin Federation Attribute Information

  • Service Providers who want to request additional attributes besides the ones that are released by default need to fill out an Identity Data Integration (IDI) - Request.

  • Once submitted, the request will go through the DoIT Middleware group who will help Service Providers approve and deliver the requested attributes.