NetID Login Service - Getting Started
If you have a service ready to integrate with NetID login, or need support integrating a service not covered in this document, please create an intake request.
Overview
The NetID Login Service SAML2 Identity Provider (which runs on Shibboleth) is UW Madison's central Authentication and Authorization service. Application administrators can integrate their web-based applications with NetID Login Service and not have to set up their own authentication and authorization. In addition to SAML2, NetID Login supports OIDC.
The SAML2 component of the NetID Login Service provides web-based applications a means to authenticate users with their NetIDs, consume attributes belonging to the authenticated user, and take advantage of single sign-on and strong authentication functionality.
This document will guide you on how to set up your web-based application to use the NetID Login Service with a Shibboleth Service Provider.
If you are a customer of DoIT Shared Hosting, please contact them for help setting up NetID Login Service for your hosted application.
The NetID Login Service works as follows:
- User attempts to access a NetID Login protected web application. This resource is called a Service Provider (SP).
- User is redirected to the NetID Login Identity Provider (IdP) at https://login.wisc.edu/.
- The IdP authenticates the user (prompting the user for NetID and password and multifactor, as appropriate). If the user successfully authenticates, they are redirected to the original SP.
1. Installing Shibboleth Service Provider
Windows Server IIS
- Microsoft IIS Web Server
A Web server is required for shibboleth installation as shibboleth is used for web based authentication. For this section, the IIS Web Server is required.
- IIS Management Compatibility
The IIS Management Compatibility is required if you want the Shibboleth Installer to configure IIS for you.
Steps to install IIS Management Compatibility
- Click Start and click Control Panel
- Click Programs
- Click Programs and Features
- Click Turn Windows Features on or off
- Expand the Internet Information Services item
- Expand the Web Management Tools item
- Select the IIS 6 Management Compatibility item
- Click OK
- SSL Enabled for Microsoft IIS
The IIS Website should have an appropriate x509 certificate installed and SSL enabled. Please take a look at the following document provided by Microsoft: How To Set Up an HTTPS Service in IIS
Installation
The installation guide from Shibboleth can be found here: Install on Windows
-
Download the Shibboleth Service Provider installer (.msi file) from the Shibboleth Software Repository
-
Run the installer
- Confirm the dialog to run the software
- Click "Next"
- Accept the license agreement
- Configure the location for the installation (C:\opt\shibboleth-sp\ by default)
- Select Configure IIS7 module
- click "Next", click "Install", click "Finish"
- Click "Yes" to restart the system
Verification
To verify that Shibboleth SP was installed successfully, navigate to Administrative Tools > Services
-
Shibboleth Service Status
- Find the Shibboleth Service
- Verify that the status is the following: 'status:running', 'startup type:automatic', 'logon as:local system'
-
ISAPI Filters
- Open Internet Information Server (IIS) Manager
- Click on the server name and open the ISAPI Filters tab
-
NOTE: If you don't see ISAPI Filter tab,
- Navigate to 'Control Panel > Programs > Turn Windows Features on/off'
- In the tree find 'Internet Information Services > World Wide Web Services > Application Development Features' and make sure the ISAPI Extension and ISAPI Filter options are selected.
-
You should see
- Name = Shibboleth
- Executable = C:\opt\shibboleth-sp\lib64\shibboleth\isapi-shib.dll (for a 64-bit install)
- Executable = C:\opt\shibboleth-sp\lib\shibboleth\isapi-shib.dll (for a 32-bit install)
- If you do not see this, right-click and add 'Name = Shibboleth' and 'Executable = C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll' or 'Executable = C:\opt\shibboleth-sp\lib\shibboleth\isapi_shib.dll' accordingly.
- OPTIONAL: If Shibboleth / IIS has been migrated from another server to a new one check to make sure that the ISAPI filters are in the correct directories. This is a somewhat common issue and can result in redirecting to the wrong location after SSO POST.
Result
The Shibboleth Service Provider should now be installed on the system.
Important Directories:
- C:\opt\shibboleth-sp\etc\shibboleth Configuration directory of Shibboleth. The main configuration file is shibboleth2.xml.
- C:\opt\shibboleth-sp\var\log\shibboleth Log directory where logs are written to. The most important log file is the shibd.log file that should be consulted in case of problems.
- C:\opt\shibboleth-sp\var\run\shibboleth Runtime directory where process ID and socket files are stored.
- C:\opt\shibboleth-sp\var\cache\shibboleth Cache directory where metadata backup and CRL files are stored.
Windows Server Apache
The Shibboleth SP installer will install a set of Apache modules for each major version. It will also install the standalone Shibboleth daemon, shibd. Actual integration with Apache is a simple, but manual, process.
Installing Shibboleth
Download the DoIT Supported version of the .msi Shibboleth SP installer from the Shibboleth download site here.
Run the installer. The installer will prompt for an install path, change default configuration files as appropriate for Windows, and set various environment variables for you. A default shibd service can also be installed.
Installing Apache
The versions of Apache available from the http://httpd.apache.org/ web site are known to work with the modules that come with the Windows version of Shibboleth, specifically the Apache 2.0 and 2.2 packages that include SSL support.
Other versions might work, but they also might not work. Versions with significantly altered header files, such as IBM's or Oracle's will definitely not work unless you build the Shibboleth module from source.
RHEL or UBI 9 with Apache
- Apache Web Server
A Web server is required for shibboleth installation as shibboleth is used for web based authentication. For this section, the Apache Web Server is required.
The following command should install Apache Web Server:
sudo dnf -y install httpd
Only Apache 2.4 are supported.
- Root Access
You should have the ability to run commands as a user with root privileges.
- SSL Enabled for Apache
The Apache SSL module must be enabled and configured to support HTTPS.
sudo dnf -y install mod_ssl
Recommendations
- NTP
Servers running Shibboleth must have the system time synchronized in order to avoid clock-skew errors. It is therefore recommended to install ntp or use another time synchronization mechanism.
Installation
The installation guide from Shibboleth can be found here: Install on Linux, RPMInstall
-
Download the Shibboleth Service Provider from the repository
- UBI 9 (We can use the RockyLinux 9 package)
sudo curl -o /etc/yum.repos.d/security:shibboleth.repo https://shibboleth.net/cgi-bin/sp_repo.cgi?platform=RockyLinux9
- UBI 9 (We can use the RockyLinux 9 package)
-
Install the repository
sudo dnf -y install shibboleth
-
Start and enable the shibd daemon
sudo systemctl start shibd.service
sudo systemctl enable shibd.service
Verification
-
Shibboleth Check
Execute the following command to check the status of Shibboleth in your system:
sudo shibd -t
Check if the last line of the output is "overall configuration is loadable, check console for non-fatal problems".
If there are any error log entries, please have a look at the problem. If there are any warn log entries it is not problematic but it is recommended to examine the cause of the warnings.
-
Apache Check
Execute the following command to check the status of Apache in your system:
sudo apachectl configtest
The output of this command should be "Syntax OK".
-
mod_shib Check
Restart the web server:
sudo apachectl restart
Then access: https://localhost/Shibboleth.sso/SessionThe web server should return a page that says: "A valid session was not found".
Result
The Shibboleth Service Provider should now be installed on the system.
Important Directories:
- /etc/shibboleth Configuration directory of Shibboleth. The main configuration file is shibboleth2.xml.
- /var/log/shibboleth Log directory where logs are written to. The most important log file is the shibd.log file that should be consulted in case of problems.
- /run/shibboleth Runtime directory where process ID and socket files are stored.
- /var/cache/shibboleth Cache directory where metadata backup and CRL files are stored.
Ubuntu with Apache
- Apache Web Server
A Web server is required for shibboleth installation as shibboleth is used for web based authentication. For this section, the Apache Web Server is required.
The following command should install Apache Web Server:
sudo apt-get install -y apache2
Only Apache 2.4 are supported.
- Root Access
You should have the ability to run commands as a user with root privileges.
- SSL Enabled for Apache
The Apache SSL module must be enabled and configured to support HTTPS. Replace shib-ssl with your website's conf file (e.g. /etc/apache2/sites-available/shib-ssl.conf).
sudo a2enmod ssl && a2ensite shib-ssl
Recommendations
- NTP
Servers running Shibboleth must have the system time synchronized in order to avoid clock-skew errors. It is therefore recommended to install ntp or use another time synchronization mechanism.
sudo apt-get install ntp
Shibboleth Installation
Ubuntu / Debian is not officially supported by Shibboleth, however we can install it with this package: The installation guide from Shibboleth can be found here: Install on Linux
Here are the standard non-Debian installation docs on linux, for reference: Install on Linux
- Install Shibboleth
sudo apt-get install -y libapache2-mod-shib
- Enable shibd to activate on startup
sudo chmod +x /etc/init.d/shibd
sudo update-rc.d shibd defaults - Start the Shibboleth daemon and examine the logs for any errors
sudo service shibd start
grep E 'CRIT|ERROR' /var/log/shibboleth/shibd.log - You may see the following item in the shibd log, you can ignore it for now
CRIT Shibboleth.Application : no MetadataProvider available, configuration is probably unusable
- You may also see the following error indicating that your Shibboleth key pair is missing
ERROR OpenSSL : error data: fopen('/etc/shibboleth/sp-key.pem','r')
If you encounter this error you can generate a key-pair for Shibboleth with the following command
CRIT Shibboleth.Application : error building CredentialResolver: Unable to load private key from file (/etc/shibboleth/sp-key.pem)
sudo openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -subj "/CN=$HOSTNAME" -keyout /etc/shibboleth/sp-key.pem -out /etc/shibboleth/sp-cert.pem
Then restart the Shibboleth service
sudo service shibd restart
Verification
-
Shibboleth Check
Execute the following command to check the status of Shibboleth in your system:
sudo shibd -t
Check if the last line of the output is "overall configuration is loadable, check console for non-fatal problems".
If there are any error log entries, please have a look at the problem. If there are any warn log entries it is not problematic but it is recommended to examine the cause of the warnings.
-
Apache Check
Execute the following command to check the status of Apache in your system:
sudo apachectl configtest
The output of this command should be "Syntax OK".
Result
The Shibboleth Service Provider should now be installed on the system.
Open a web browser and point to your site with the following Shibboleth path:
https://www.yoursite.wisc.edu/Shibboleth.sso/Session
Verify that you see this message:
A valid session was not found.
Important Directories:
- /etc/shibboleth Configuration directory of Shibboleth. The main configuration file is shibboleth2.xml.
- /var/log/shibboleth Log directory where logs are written to. The most important log file is the shibd.log file that should be consulted in case of problems.
- /var/cache/shibboleth Cache directory where metadata backup and CRL files are stored.
2. Configuring Shibboleth Service Provider
Windows Server IIS
Prerequisites
- Shibboleth Service Provider is installed.
- SSL enabled for IIS
Requirements
- IIS Management Compatibility
The IIS Management Compatibility is required if you want the Shibboleth Installer to configure IIS for you.
Shibboleth Service Provider Configuration File - shibboleth2.xml
After installing the Shibboleth SP, you will need to configure the shibboleth2.xml file correctly to work with the NetID Login Service.
Our shibboleth2.xml generator (SPGEN) should provide you the basic configuration file needed to correctly work with the NetID Login Service. Add this file to 'C:\opt\shibboleth-sp\etc\shibboleth'.
shibboleth2.xml generator
- Production: https://login.wisc.edu/spgen
- QA: https://loginqa.wisc.edu/spgen
- Test ("ITE"): https://logintest.wisc.edu/spgen
- Wisconsin Federation: https://wayf.wisconsin.edu/spgen/
Example and Explanation of Shibboleth2.xml file
UW Madison application administrators: NetID Login Service - Shibboleth Service Provider Configuration File (shibboleth2.xml)
Wisconsin federation application administrators: Wisconsin Federation Login Service - Shibboleth Service Provider Configuration File (shibboleth2.xml)
Download Metadata Signing Certificate
The Metadata Signing Certificate will be used to verify that the files that you load from the NetID Login Service have not been tampered with.
Save this file in the Shibboleth installation directory C:\opt\shibboleth-sp\etc\shibboleth
- Metadata Signing Certificate for UW-Madison:
- Metadata Signing Certificate for Wisconsin Federation:
Windows Server Apache
Basic Configuration
Edit httpd.conf: Shibboleth bundles configuration directives in the files
\etc\shibboleth\apache.config
,\etc\shibboleth\apache2.config
, and\etc\shibboleth\apache22.config
which can be added to httpd.conf using the Include
command. Be wary of placing the configuration in the wrong VirtualHost
.
Other considerations:
- The
UseCanonicalName
directive should be set toOn
. - Ensure that the
ServerName
directive is properly set, and that Apache is being started with SSL enabled. - The primary configuration file for the module and the Shibboleth daemon, shibd, will be located at \etc\shibboleth\shibboleth2.xml (within the directory used to install the SP software). shibd creates its own log at \var\log\shibboleth\shibd.log and must have appropriate read and write permissions itself for the entire installation directory.
- Apache also will need read access to most of the installation, with the exception of your Shibboleth private key file(s). It also needs write access to \var\log\shibboleth to create the native.log file.
Download Metadata Signing Certificate
Save this file in the Shibboleth installation directory (Default: \etc\shibboleth)
-
UW-Madison and UW-Madison Federation (eg. PubCookie Replacement)
-
Wisconsin Federation (eg. Approved IAA Request)
- Download the Signing Certificate
- Or Copy&Paste this address into your address bar: https://wayf.wisconsin.edu/metadata/wayf.wisconsin.edu-signing.pem
Generate Shibboleth2.xml File
After installing the SP software for Shibboleth you'll need to configure the shibboleth2.xml file correctly to work with the NetID Login Service. We recommend you use the automatic shibboleth2.xml generator.
Automatic Shibboleth2.xml Generator
- Production: https://login.wisc.edu/spgen
- QA: https://loginqa.wisc.edu/spgen
- Test ("ITE"): https://logintest.wisc.edu/spgen
- Wisconsin Federation: https://wayf.wisconsin.edu/spgen/
RHEL / UBI / CentOS
Prerequisites
- Shibboleth Service Provider is installed.
- SSL enabled for Apache
Requirements
- Root Access - Must be possible to execute commands as user with root privileges or with sudo command.
- OpenSSL - For verifying certificate finger prints or for certificate inspection OpenSSL is required.
Shibboleth Service Provider Configuration File - shibboleth2.xml
After installing the Shibboleth SP, you will need to configure the shibboleth2.xml file correctly to work with the NetID Login Service.
Our shibboleth2.xml generator (or SPGEN) should provide you the basic configuration file needed to correctly work with the NetID Login Service. Add this file to '/etc/shibboleth'.
shibboleth2.xml generator:
- Production: https://login.wisc.edu/spgen
- QA: https://loginqa.wisc.edu/spgen
- Test ("ITE"): https://logintest.wisc.edu/spgen
- Wisconsin Federation: https://wayf.wisconsin.edu/spgen/
Example and Explanation of Shibboleth2.xml file
UW Madison application administrators: NetID Login Service - Shibboleth Service Provider Configuration File (shibboleth2.xml)
Wisconsin federation application administrators: Wisconsin Federation Login Service - Shibboleth Service Provider Configuration File (shibboleth2.xml)
Download Metadata Signing Certificate
The Metadata Signing Certificate will be used to verify that the files that you load from the NetID Login Service have not been tampered with.
Save this file in the Shibboleth installation directory /etc/shibboleth
- Metadata Signing Certificate for UW-Madison:
- Metadata Signing Certificate for Wisconsin Federation:
Example: sudo curl https://login.wisc.edu/metadata/login.wisc.edu-signing.pem -O /etc/shibboleth/login.wisc.edu-signing.pem
Apache Configuration
The apache configuration guide from Shibboleth can be found here: Apache Configuration Guide
- Routing Handler URLs
To ensure proper routing of URL paths that Shibboleth handlers rely on, set a location directive within apache's configuration file specifying routing to mod_shib.
<Location /Shibboleth.sso> SetHandler shib </Location>
- ServerName
Ensure that your virtual host is configured correctly by setting the
ServerName
command to the appropriate value. If this is not set correctly the redirects generated by the shib module will be incorrect.Example:
ServerName testapp.wisc.edu
- UseCanonicalName
Set
UseCanonicalName On
by editing the httpd.conf file - Enable Authentication for a specific Directory
Add the following to either the virtual host configuration or the shibd.conf file to enable the shibboleth module and require authentication for a specific directory or application
<Location /> AuthType shibboleth ShibRequestSetting applicationId https://www.yoursite.wisc.edu/shibboleth ShibRequestSetting requireSession 1 require shib-session </Location>
The
AuthType
andRequire
commands must be included for Shibboleth to run.The value
'https://www.yoursite.wisc.edu/shibboleth'
in the commandShibRequestSetting applicationId
must match the value of theid
attribute in theApplicationDefault
or theApplicationOverride
section of the shibboleth2.xml file.Example snippet from shibboleth2.xml file:
<ApplicationOverride id="https://www.yoursite.wisc.edu/shibboleth" entityID="https://www.yoursite.wisc.edu/shibboleth" REMOTE_USER="uid"> <Sessions handlerURL="/Shibboleth.sso" cookieProps="; path=/internal; secure; HttpOnly"> <SSO entityID="https://login.wisc.edu/idp/shibboleth"> SAML2 SAML1 </SSO> </Sessions> </ApplicationOverride>
This setting associates the application with the server resource.
- Restart Apache
The last step is to restart apache after the configuration.
sudo apachectl restart
Verification
- Verify MD5 Checksum
Execute:
md5sum /etc/shibboleth/login.wisc.edu-signing.pem
You should see:
478044ae7b137c1182ce7cdb9511f329 /etc/shibboleth/login.wisc.edu-signing.pem
If you do not see this please contact help@login.wisc.edu. - Restart Shibboleth and Apache
sudo systemctl restart shibd.service
sudo systemctl restart httpd.service
- Examine Logs
Examine the logs to verify that federation metadata was successfully downloaded:
sudo grep login.wisc.edu-metadata.xml /var/log/shibboleth/shibd.log
You should see:
INFO OpenSAML.MetadataProvider.XML : loaded XML resource (/var/cache/shibboleth/login.wisc.edu-metadata.xml)
- Access Metadata
Navigate to:
https://www.yoursite.wisc.edu/Shibboleth.sso/Metadata
Verify that there is XML metadata content at this path.
Ubuntu
Prerequisites
- Shibboleth Service Provider is installed.
- SSL enabled for Apache
Requirements
- Root Access - Must be possible to execute commands as user with root privileges or with sudo command.
- OpenSSL - For verifying certificate finger prints or for certificate inspection OpenSSL is required.
Shibboleth Service Provider Configuration File - shibboleth2.xml
After installing the Shibboleth SP, you will need to configure the shibboleth2.xml file correctly to work with the NetID Login Service.
Our shibboleth2.xml generator (or SPGEN) should provide you the basic configuration file needed to correctly work with the NetID Login Service. Add this file to '/etc/shibboleth'.
shibboleth2.xml generator:
- Production: https://login.wisc.edu/spgen
- QA: https://loginqa.wisc.edu/spgen
- Test ("ITE"): https://logintest.wisc.edu/spgen
- Wisconsin Federation: https://wayf.wisconsin.edu/spgen/
Example and Explanation of Shibboleth2.xml file
UW Madison application administrators: NetID Login Service - Shibboleth Service Provider Configuration File (shibboleth2.xml)
Wisconsin federation application administrators: Wisconsin Federation Login Service - Shibboleth Service Provider Configuration File (shibboleth2.xml)
Download Metadata Signing Certificate
The Metadata Signing Certificate will be used to verify that the files that you load from the NetID Login Service have not been tampered with.
Save this file in the Shibboleth installation directory /etc/shibboleth
- Metadata Signing Certificate for UW-Madison:
- Metadata Signing Certificate for Wisconsin Federation:
Example: sudo curl https://login.wisc.edu/metadata/login.wisc.edu-signing.pem -O /etc/shibboleth/login.wisc.edu-signing.pem
Apache Configuration
The apache configuration guide from Shibboleth can be found here: Apache Configuration Guide
- Routing Handler URLs
To ensure proper routing of URL paths that Shibboleth handlers rely on, set a location directive within apache's configuration file specifying routing to mod_shib.
<Location /Shibboleth.sso> SetHandler shib </Location>
- ServerName
Ensure that your virtual host is configured correctly by setting the
ServerName
command to the appropriate value. If this is not set correctly the redirects generated by the shib module will be incorrect.Example:
ServerName testapp.wisc.edu
- UseCanonicalName
Set
UseCanonicalName On
by editing the httpd.conf file - Enable Authentication for a specific Directory
Add the following to either the virtual host configuration or the shibd.conf file to enable the shibboleth module and require authentication for a specific directory or application
<Location /> AuthType shibboleth ShibRequestSetting applicationId https://www.yoursite.wisc.edu/shibboleth ShibRequestSetting requireSession 1 require shib-session </Location>
The
AuthType
andRequire
commands must be included for Shibboleth to run.The value
'https://www.yoursite.wisc.edu/shibboleth'
in the commandShibRequestSetting applicationId
must match the value of theid
attribute in theApplicationDefault
or theApplicationOverride
section of the shibboleth2.xml file.Example snippet from shibboleth2.xml file:
<ApplicationOverride id="https://www.yoursite.wisc.edu/shibboleth" entityID="https://www.yoursite.wisc.edu/shibboleth" REMOTE_USER="uid"> <Sessions handlerURL="/Shibboleth.sso" cookieProps="; path=/internal; secure; HttpOnly"> <SSO entityID="https://login.wisc.edu/idp/shibboleth"> SAML2 SAML1 </SSO> </Sessions> </ApplicationOverride>
This setting associates the application with the server resource.
Restart Apache
The last step is to restart apache after the configuration.
sudo apachectl restart
Verification
- Verify MD5 Checksum
Execute:
md5sum /etc/shibboleth/login.wisc.edu-signing.pem
You should see:
478044ae7b137c1182ce7cdb9511f329 /etc/shibboleth/login.wisc.edu-signing.pem
If you do not see this please contact help@login.wisc.edu. - Restart Shibboleth and Apache
sudo service shibd restart
sudo service httpd restart
- Examine Logs
Examine the logs to verify that federation metadata was successfully downloaded:
sudo grep login.wisc.edu-metadata.xml /var/log/shibboleth/shibd.log
You should see:
INFO OpenSAML.MetadataProvider.XML : loaded XML resource (/var/cache/shibboleth/login.wisc.edu-metadata.xml)
- Access Metadata
Navigate to:
https://www.yoursite.wisc.edu/Shibboleth.sso/Metadata
Verify that there is XML metadata content at this path.
3. Service Provider Activation
Once you have your SP application installed, configured, and integrated correctly you need to activate it with the NetID Login Service.
The process involves either sending the Metadata file or a link to your Metadata location for your application to NetID Login Service email (help@login.wisc.edu) with your preferred contact for the SP.
The Metadata for your application is located at https://localhost/Shibboleth.sso/Metadata or https://domain.wisc.edu/Shibboleth.sso/Metadata
NOTE: If you want us to retrieve your Metadata under https://domain.wisc.edu/Shibboleth.sso/Metadata, please make sure the firewall rules allow it.
4. User Attributes from Identity Provider
Once your SP has been registered with the NetID Login Service, your application will receive a set of default attributes described below for every user that logs in (see NetID Login Service and Wisconsin Federation Attribute Information):
- uid: This is the User's NetID
- ePPN (eduPersonPrincipalName): This is the Scoped NetID. This identifier is the person's login name or userID (uid) followed by a namespace. The domain that comes after the @ sign defines a namespace (scope) which provides a uniqueness for the identifier. Example: bbadger@wisc.edu
- wiscEduPVI: An internal unique identifier attribute.
- wiscEduPrivacyFlag: This attribute indicates if the person's educational data is protected by the FERPA Policy.
- eduPersonTargetedID: A unique ID that identifies a person while preserving their privacy. This value is unique per Service Provider.
If your application requires data about users other than the default set, you will need to submit an IDI request.
For more information about data elements that are approved for authorized applications see: APPROVED ATTRIBUTES FOR RELEASE TO APPLICATIONS
5. Using Manifest Grouping Services for Authorization
Your application can be restricted to a specific group of people defined by a Manifest group that you control.
New to Manifest? Please take a look at our Manifest Getting Started Document
Instructions for integrating a Manifest group with your Service Provider is described in the following document: MANIFEST - INTEGRATING WITH NETID LOGIN SERVICE
UW-Madison NetID Login Identity Provider Information
NetID Login IDP EntityID: https://login.wisc.edu/idp/shibboleth
NetID Login IDP Metadata: https://login.wisc.edu/idp/shibboleth
NetID Login IDP Attribute Map: https://login.wisc.edu/metadata/attribute-map.xml
Technical Contact: help@login.wisc.edu
30887