Using Shibboleth, Lightweight Directory Access Protocol (LDAP),
and Secure Sockets Layer (SSL), it is possible to limit access to
your published pages to specific LDAP groups or named UB
Access is limited through a parent page, and the name of that
authenticated page must end in “-pw” (e.g.
mypage-pw). This will limit access to that particular page (i.e.
mypage-pw.html) and any of its children. The public URL
for your new page will also begin with https://.
Please fill out the Service
Request Form for LDAP Groups so we are aware of your
plans and can assist in any additional steps that are
On the UBCMS, security just needs to be enabled once for each
hostname (e.g. AP.buffalo.edu, MEDICINE.buffalo.edu,
WWW.buffalo.edu), but enabling secure areas can take up
to two weeks and must be scheduled.
Once your site's hostname is enabled, you can then go ahead and
build secure areas using the author tools. The following hostnames
are already enabled:
- ubcms.buffalo.edu (the UBCMS/DCT support site)
For all UBCMS https pages, the certificate is managed and paid
for centrally by UBit. But if your unit operates its own servers
with an independent certificate, your unit would be responsible for
purchasing and managing that on your own.
Create the new page. Its name must end in
“-pw” (e.g. mypage-pw).
This will limit access to that particular page (i.e.
mypage-pw.html) and any of its children.
Set up your page as desired, then adjust that page's settings in
Properties as described in the next section.
More about LDAP Groups
You can look up LDAP group names and their members by connecting
to ubunix.buffalo.edu through SSH-Telnet.
Once you are logged in, run the command grep keyword
/etc/group where keyword is a UBITName,
LDAP group, or a partial string of either. This will check if that
group exists, and display all UBitnames associated with it.
You can also use the command groups UBitname to
look up which groups include the specified person (identified by
If you need to request a new LDAP group, please fill out the Request
or Adjust an LDAP Group form.
LDAP Groups can be created or adjusted directly by individual
offices through the UBit Help Center.
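The group lookups described above, as an added example that is not part of the original page: a substring grep also matches longer group names and member names, so these helpers compare the group-name and member fields exactly, which is what you want when reviewing who a secured page will be open to. The sample file, its group and user names, and the function names are all constructed for illustration.

```shell
#!/bin/sh
# Exact-match lookups over a group(5)-format file: name:passwd:gid:member1,member2
# Added example. All data below is constructed; names are hypothetical.

make_sample_group_file() {
    # Writes constructed sample data to the path given as $1.
    cat > "$1" <<'EOF'
web-staff:x:5001:asmith,bjones
web-staff-admins:x:5002:asmith
staff:x:5003:cdoe,webmaster
webmaster:x:5004:
EOF
}

# group_members FILE GROUP
# Prints the members of exactly GROUP, one per line.
# Exit status 1 means the group does not exist (an empty group returns 0).
group_members() {
    awk -F: -v g="$2" '
        $1 == g {
            found = 1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# groups_of FILE USER
# Prints every group whose member list contains exactly USER.
# Only the member field is checked; a primary group recorded elsewhere is not.
groups_of() {
    awk -F: -v u="$2" '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
        }
    ' "$1"
}

# Demo on the constructed sample: substring match versus exact match.
sample=$(mktemp)
make_sample_group_file "$sample"
echo "lines matched by grep 'staff': $(grep -c staff "$sample")"
echo "members of exactly 'staff':"
group_members "$sample" staff
rm -f "$sample"
```

To run the helpers against the real file, pass /etc/group as the first argument instead of the sample path.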
Once a page is secure, because the visitor is now identified,
the following parameters are available from LDAP (with an example
of the output for Jerod Sikorskyj):
- displayName: Jerod J Sikorskyj
- department: Enterprise Application Services
- address: 108 Fillmore Academic
To use any of these parameters on an authenticated page, you
must use the User
Info Loader component, located in the author Sidekick under
Place the User Info Loader component at the top of the page.
- Click on the “+” sign to add a field
(“+” changes to a “-” sign so it can be
- To make an LDAP parameter available for inclusion on your page,
use this syntax:
- Anywhere in your page that you put an HTML snippet with a named
element (e.g. #your_name), the text of that HTML
element will become the value of that LDAP variable. So in the
above example, <h3
display an H3 heading with the value of displayName when
- To use an LDAP parameter in a form, use this
- You would then insert a Form container as usual and add the
appropriate input fields.
- For example, to use an LDAP parameter in a Text Field, set the
component values to:
- Element Name: variable (e.g. Element
- Title: whatever text you wish
- Each variable must match the value you
used in the User Info Loader component for
name=<variable>; in this case,
emailAddress will automatically pull in their email
Make sure to activate all pages to the publisher to test them
Advanced - Reveal Secure Pages in Lists or Navigation
Secure pages are by design accessible to a user only after they
have successfully logged in through Shibboleth. In some cases, such as
the List Component, the UBCMS is smart enough to not even reveal a
link to a secure page unless the user should see the link. This
makes it difficult to reveal these pages in lists to
users who may not have logged in, or in cases where you do wish the
public to know the secure page exists.
- Using Page Properties, conceal the secure page (in page
properties, set "Hide In Lists" and "Hide in Navigation").
- Build a matching new page in the same folder using the Redirect
Template. Open this new page, and select the secure page as
what to "Redirect to".
- Build your list normally.
The redirect page will instead be shown in the list and take
users to the secure page, but the secure page will only be
displayed if they successfully authenticate with authorization to
view the page.