Transforming UB’s digital communications.
Authentication (Secure Pages)
Restrict access to your published pages.
On this page:
Last reviewed: September 9, 2024
Overview
Using Shibboleth, Lightweight Directory Access Protocol (LDAP), and Secure Socket Layers (SSL), it is possible to limit access of your published pages to specific LDAP groups or named UB constituents.
Implementation in the UBCMS
Access is restricted through an authenticated page whose name must end in “–pw” (e.g. mypage-pw). This will limit access to that particular page (i.e. mypage-pw.html) and its children. (Also the public URL for your new page will always begin https://.) The actual restrictions are set in page Properties.
Within the UBCMS, all hostnames (subdomains) are certified for secure pages (e.g. WWW.buffalo.edu is a hostname, as is NURSING.buffalo.edu). All secure pages rely on a certificate for that hostname, and for all UBCMS pages, the certificate is managed and paid for centrally by UBit. But if your unit operates its own servers with an independent certificate, your unit would be responsible for purchasing and managing that on your own.
Secure pages appear in your site's navigation and lists/carousels in Author, but on your live site, are hidden unless a user has access to view the pages, has authenticated (logged in to a secure UB system), and the user is within the secure part of your site -- otherwise the pages will essentially be invisible. To make secure pages visible in site navigation or lists/carousels, see the Advanced Section below.
The UBCMS is not an appropriate place for ANY regulated private data; e.g. bank credit/debit card numbers, government-issued ID numbers, health information, or computer passwords.
Authentication is only provided on the public site
Any UBCMS user who can normally see your pages in the UBCMS will also be able to view your authenticated pages while in the authoring system. (All UBCMS users can view any page in Shared Content.)
If you also need privacy from other UBCMS users, place the content on a secure regular page in your site (not in Shared Content), and ask us to create a new explicit permissions group to limit access. Choose the option "People in your existing group(s) will LOSE access to these folders. Only this new group will have access." Or use the Private Authoring feature to control whocan view/edit/publish these pages.
Also remember that content in Assets is normally visible to all authors, and when you add an asset, it is even promoted as "new" to all authors at the top of the Assets Browser. If you need to keep them private in Author (e.g. details of a special unannounced event or a restricted-use photo) consider embedding them directly into your page, or use Private Authoring.
Secure Documents
If you wish to publish any documents on your secure pages that you do not wish ANYONE else to see (i.e. not even other authors), attach them directly to one of your secure pages and do not host them in the DAM. (All authors can view ANY documents that are in the DAM.)
Create the “–pw” Page
Create the new page. The name of must end in “–pw” (e.g. mypage-pw).
This will limit access to that particular page (i.e. mypage-pw.html) and any of its children.
Set up your page as desired, then adjust that page's settings in Properties as described in the next section.
As soon as a page's name ends in "-pw", users are required to login. The additional Page Properties settings simply define the access limits more narrowly.
Secure the Page
Equalizer button
- In the Edit Console, click the Equalizer button, then Open Properties and a new screen will load.
- Select the Advanced tab, then scroll down and expand the Authenticated Published Pages section.
- Check Authentication Required. (This turns on your narrower restrictions.)
- Allowed
- All users - Limit access to only people with a UB account, select ' (NB. all "-pw" pages by default are limited to 'All Users.')
- All faculty/staff - Limit access to only UB faculty and staff.. For this setting, the UBCMS uses whomever is coded in LDAP as 'staff.' This excludes volunteer accounts and retirees, but includes people with emeritus in their title even if they are marked as a retiree.
- The LDAP field only has one value--someone cannot be both student and staff. We believe most student and graduate assistants are marked as a student and not staff so they will be excluded.
- All users - Limit access to only people with a UB account, select ' (NB. all "-pw" pages by default are limited to 'All Users.')
- Additional Users/Group.
- Limit access to specified users and/or groups of users.
- These must be in the form of individual UBitnames or LDAP groups.
- You can mix and match groups and userids but each group or user designation must be added as a separate value.
- Click Add to add one or more users or groups, for example,
- ub_all_staff [all UB staff]
- uw-apy [Anthropology faculty & staff]
- jjs58 [user with UBitname "jjs58"]
- hjarvis [user with UBitname "hjarvis"]
Limited to UB Accounts
Access can only be controlled for UB employees and students (or a volunteer appointment). A UBITName is required.
More about LDAP groups
Limiting by LDAP groups is probably best used in cases where another process is already maintaining those groups, such as Student Accounts, and also when the group is too large or unpredictable to manage yourself in the page Properties.
Some units already maintain LDAP groups for other purposes that may be of use in identifying your staff or faculty or students, so we encourage you to consult with your department IT staff.
Developers with Unix knowledge can look up LDAP group and its members by connecting to ubunix.buffalo.edu through SSH-Telnet. Run these command line queries:
- grep keyword /etc/group where keyword is a UBITName, LDAP group, or a partial string of either. This will check if that group exists, and display UBitnames associated with it where that group is not their primary group..
- grep :groupID: in /etc/passwd which will display the names of anyone where this is their primary group.
- groups UBitname to display which groups include the specified person (identified by their UBitname).
Note: UBit may refer to these as 'UBLDAP' groups, to distinguish them from the Active Directory (UBAD/ADFS) groups that are used by systems such as email.
Requesting or Adjusting an LDAP Group
Site Owners or Site Managers only!
LDAP Groups can be created or adjusted directly by individual offices through the UBIT Help Center.
- Brief Summary: specify "LDAP group adjustment".
- Requested on Behalf of Name: your name.
- Requested on Behalf of UBITName: your UBITName.
- Preferred Contact phone number: your office number.
- Service or Machine Name: specific Accounts.
- Description: state "create new LDAP group", or "change existing LDAP group"
- clearly state the existing or prefered LDAP group name
- clearly state adjustments; e.g.
- ADD John Doe (jdoe)
- REMOVE John Doe (jdoe)
- Frequently LDAP group names have a 2-3 character prefix, plus a hyphen, then a longer string of characters, e.g. uw-provost or mgt-admin.
- Best practice is to limit length to 16 characters overall. (Shorter names are generally safer) but we do not enforce character restrictions on group names.
- Lower case is strongly advised but mixed case or caps are possible.
- Special characters are allowed but should be limited to "-" and "_".
- No group name should begin or end with a special character.
- UBit protects 2-3 character prefixes that also happen to be entity abbreviations. For example, the Office of University Communications has an entity abbreviation of ucc, so ucc- would be reserved for their use.
Using LDAP Parameters on a Page
Once a page is secure, because the visitor is now identified, the following parameters are available from LDAP (with an example of the output for Jerod Sikorskyj):
id jjs58
path /home/users/j/jj/jjs/jjs58
displayName Jerod J Sikorskyj
givenName Jerod
familyName Sikorskyj
phone 645-5195
email jjs58@buffalo.edu
affiliation staff
department Enterprise Application Services
title Application Developer
address 108 Academic Center
To use any of these parameters on an authenticated page, you must use the User Info Loader component, located in the author Sidekick under “Form Components.”
Place the User Info Loader component at the top of the page.
- Click on the “+” sign to add a field (“+”changes to a “-“ sign so it can be removed).
- To make an LDAP parameter available for inclusion on your page, use this syntax:
#<variable>=<LDAP parameter>
e.g. #your_name=displayName - Anywhere in your page that you put an HTML snippet with a named element (e.g. #your_name), the text of that HTML element will become the value of that LDAP variable. So in the above example, <h3 id="your_name">text_to_be_replaced</h3> will display an H3 heading with the value of displayName when published.
- To use an LDAP parameter in a form, use this syntax:
input[name=<variable>]=<LDAP parameter>
e.g. input[name=emailAddress]=email - You would then insert a Form container as usual and add the appropriate input fields.
- For example, to use an LDAP parameter in a Text Field, set the component values to:
- Element Name: variable (e.g. Element Name: emailAddress)
- Title: whatever text you wish
- Each variable must match the value you used in the User Info Loader component for name=<variable>; in this case, emailAddress will automatically pull in their email address.
Make sure to activate all pages to the publisher to test them live.
An Example
Here is a sample form that includes the user data drawn from LDAP. Access is limited to anyone with a buffalo.edu account.
It is not possible to add a working Vanity URL to an authenticated page unless your Vanity URL also ends in '-pw.' If a short URL without '-pw' is desired for outreach or to handle common usage, we suggest you use a separate Redirect Page instead.
Create a new page using the Redirect Template, set the URL through the UBCMS to the actual secure page (/content/www/etc/page-pw), and then add any desired Vanity URLs to the Page Properties of the redirect page, and NOT in the secure page itself.
Secure pages are only intended to be accessible to a user once they have successfully logged in through Shibboleth (either to your secure pages, or to some other secure UB system).
Secure pages appear in your site's navigation and lists/carousels in Author, but on your live site, are hidden unless a user has access to view the pages, has authenticated (logged in to a secure UB system), and the user is within the secure part of your site.
This makes it difficult to consistently reveal these pages exist, and to provide a way for users to navigate to them (and log in).
"All users" pages are an exception to this rule and are displayed in lists as if they are normal pages. But all other secure pages, whether limited to faculty-staff, or specific LDAP user/group combinations, will be hidden from view in lists.
Here is a consistent workaround:
- Using Properties, conceal the secure page (set 'Hide in Mobile Navigation', 'Hide in Left Navigation', and probably 'Hide In Lists').
- Build a matching new page in the same folder using the Redirect Template. Open this new page, and select the secure page in the 'Redirect to' setting.
- Build your list normally.
The redirect page will instead be shown in the list and take users to the secure page, but the secure page will only be displayed if they successfully authenticate with authorization to view the page.
More technical details:
When a page that does not end in "-pw" is rendered, it is always rendered "running as" the "anonymous" user, even if a user has authenticated for the purpose of other pages. Among other reasons, this is so that the page is the same for all users and can be cached. This explains why most -pw pages cannot be seen in lists and nav -- the anonymous user cannot see/read them and thus they do not show in the query results when generating these lists. There is an exception to this, though... when a page is protected, but marked as viewable by "all users", the anonymous user can see it. So this kind of page requires login to see the page, but can still be seen by the anonymous user when generating lists and nav and is visible in those.
Sites that have an intranet or multiple nexted secure pages will also need to adjust their top navigation or your pages may not appear normally.
Please create a separate header page for that part of your site, and name it "...-pw" (e.g. header-pw or header-intranet-pw). Publish the header and reference it from the top page of your secure area.
There is no need to enable the authentication or set any restrictions on the header itself, simply having "-pw" should allow normal behavior in the navigation for that area.