Using Shibboleth, Lightweight Directory Access Protocol (LDAP), and Secure Sockets Layer (SSL), it is possible to limit access of your published pages to specific LDAP groups or named UB
We are currently observing problems with how secure pages stay in sync with specified users and LDAP groups. Until this is fixed, just use the option to limit to All users or All faculty/staff.
Access is limited through a parent page, and the name of that authenticated page must end in "-pw" (e.g. mypage-pw). This will limit access to that particular page (i.e. mypage-pw.html) and any of its children. Also, the public URL for your new page will begin with https://.
Please fill out the Service Request Form for LDAP Groups so we are aware of your plans and can assist in any additional steps that are needed.
On the UBCMS, security just needs to be enabled once for each hostname (e.g. AP.buffalo.edu, MEDICINE.buffalo.edu, WWW.buffalo.edu), but enabling secure areas can take up to two weeks and must be scheduled.
Once your site's hostname is enabled, you can then go ahead and build secure areas using the author tools. The following hostnames are already enabled:
For all UBCMS https pages, the certificate is managed and paid for centrally by UBit. But if your unit operates its own servers with an independent certificate, your unit would be responsible for purchasing and managing that on your own.
The UBCMS is not an appropriate place for ANY regulated private data; e.g. bank credit/debit card numbers, government-issued ID numbers, health information, or computer passwords.
Any UBCMS user who can normally see your pages in the UBCMS will also be able to view your authenticated pages while in the authoring system. (All UBCMS users can view any page in Shared Content.)
If you also need privacy from other UBCMS users, place the content on a secure Web page in your site, and ask us to create a new explicit permissions group to limit access. Choose the option "People in your existing group(s) will LOSE access to these folders. Only this new group will have access."
Access can only be allowed for UB employees or students. Each person must have a UBITName.
Create the new page. The page name must end in "-pw" (e.g. mypage-pw).
This will limit access to that particular page (i.e. mypage-pw.html) and any of its children.
Set up your page as desired, then adjust that page's settings in Page Properties as described in the next section.
You can look up LDAP group names and their members by connecting to ubunix.buffalo.edu through SSH-Telnet.
Once you are logged in, run the command grep keyword /etc/group where keyword is a UBITName, LDAP group, or a partial string of either. This will check if that group exists, and display all UBitnames associated with it.
You can also use the command groups UBitname to look up which groups include the specified person (identified by their UBitname).
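The two lookups above work because /etc/group is a colon-separated file (name:password:gid:member,member,...). The following script is an added example, not part of the UBCMS help page: it parses a constructed /etc/group-style sample offline to show what `grep keyword /etc/group` and `groups UBitname` report, and why an unanchored `grep` on a partial string can return unrelated groups (any line containing the substring matches, including member names). The group names and UBITNames in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the UBCMS help page): parse /etc/group-style
# records offline to show what `grep keyword /etc/group` and `groups name`
# report, and why an unanchored grep can over-match.

# Constructed sample in /etc/group format: name:password:gid:member,member,...
# Group names and UBITNames here are made up.
SAMPLE_GROUP_FILE='cms-authors:x:5001:jsmith,akhan
cms-authors-test:x:5002:jsmith
web-editors:x:5003:akhan,mlee
finance-cms:x:5004:rdoe'

# Members of exactly one group: match anchored on the first (name) field.
group_members() {
    printf '%s\n' "$SAMPLE_GROUP_FILE" | awk -F: -v g="$1" '$1 == g { print $4 }'
}

# Groups that list the given UBITName as a member, like `groups UBitname`:
# exact match against each comma-separated entry of the member field.
groups_of_user() {
    printf '%s\n' "$SAMPLE_GROUP_FILE" | awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# Number of lines an unanchored substring search returns, which is what
# `grep keyword /etc/group` does: a partial string such as "cms" also hits
# groups that merely contain it, so check the first field before trusting it.
unanchored_matches() {
    printf '%s\n' "$SAMPLE_GROUP_FILE" | grep -c -- "$1"
}

# Stand-alone demonstration.
echo "members of cms-authors: $(group_members cms-authors)"
echo "groups containing jsmith: $(groups_of_user jsmith | tr '\n' ' ')"
echo "lines matching substring 'cms': $(unanchored_matches cms)"
```

On a real login to ubunix.buffalo.edu, replace the embedded sample with `awk -F: ... /etc/group`; the anchored form avoids mistaking a similarly named group (cms-authors-test above) for the one you mean to grant access to.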
If you need to request a new LDAP group, please fill out the Request or Adjust an LDAP Group form.
Site Owners or Site Managers only!
LDAP Groups can be created or adjusted directly by individual offices through the UBit Help Center.
Once a page is secure, because the visitor is now identified, the following parameters are available from LDAP (with an example of the output for Jerod Sikorskyj):
displayName Jerod J Sikorskyj
department Enterprise Application Services
title Application Developer
address 108 Fillmore Academic Center
To use any of these parameters on an authenticated page, you must use the User Info Loader component, located in the author Sidekick under
Place the User Info Loader component at the top of the page.
Make sure to activate all pages to the publisher to test them.
Secure pages are by design only accessible to a user once they have successfully logged in through Shibboleth. In some cases, like the List Component, the UBCMS is smart enough to not even reveal a link to a secure page unless the user should see the link, but this makes it difficult to naturally reveal these pages in lists to users who may not have logged in, or in cases where you do wish the public to know the secure page exists.
The redirect page will instead be shown in the list and take users to the secure page, but the secure page will only be displayed if they successfully authenticate with authorization to view the page.
Here is a sample form that includes the user data drawn from LDAP. Access is limited to anyone with a buffalo.edu account.
TIP: If you wish to publish any documents on your secure pages that you do not wish ANYONE else to see (i.e. not even other authors), attach them directly to one of your secure pages and do not host them in the DAM. (All authors can view ANY documents that are in the DAM.)