Authentication (Secure Pages)

Using Shibboleth, Lightweight Directory Access Protocol (LDAP), and Secure Socket Layers (SSL), it is possible to limit access of your published pages to specific LDAP groups or named UB constituents. 

On this page:

Background

Access is limited through a parent page, and the name of that authenticated page must end in “–pw” (e.g. mypage-pw). This will limit access to that particular page (i.e. mypage-pw.html) and any of its children.  Also the public URL for your new page will begin https://.

Please fill out the Service Request Form for LDAP Groups so we are aware of your plans and can assist in any additional steps that are needed. 

Within the UBCMS, all hostnames (subdomains) are certified for secure pages (e.g. WWW.buffalo.edu is a hostname, as is NURSING.buffalo.edu). All secure pages rely on a certificate for that hostname, and for all UBCMS pages, the certificate is managed and paid for centrally by UBit. But if your unit operates its own servers with an independent certificate, your unit would be responsible for purchasing and managing that on your own.

The UBCMS is not an appropriate place for ANY regulated private data; e.g. bank credit/debit card numbers, government-issued ID numbers, health information, or computer passwords.

Authentication is only provided on the public site

Any UBCMS user who can normally see your pages in the UBCMS will also be able to view your authenticated pages while in the authoring system. (All UBCMS users can view any page in Shared Content.)

Need Total Privacy, Including Author?

If you also need privacy from other UBCMS users, place the content on a secure Web page in your site, and ask us to create a new explicit permissions group to limit access. Choos ethe option "People in your existing group(s) will LOSE access to these folders. Only this new group will have access."

Access can only be allowed for UB employees or students. All users must have a UBITName.

Create the “–pw” Page

Create the new page. The name of must end in “–pw” (e.g. mypage-pw).

This will limit access to that particular page (i.e. mypage-pw.html) and any of its children. 

Set up your page as desired, then adjust that page's settings in Page Properties as described in the next section.

NB. once a page's name ends in "-pw", users are required to login. The additional Page Properties settings simply define the access limits more narrowly.

Secure the Page

  1. In the Sidekick, click Page Properties and the Advanced tab. 
  2. Scroll down and expand the Authenticated Published Pages section. 
  3. Check Authentication Required. (This turns on your narrower restrictions.)
  • To limit access to only people with a UB account, select 'All Users.' (NB. all "-pw" pages by default are limited to 'All Users.')
  • To limit access to only UB faculty and staff, select 'All faculty/staff.'
    • For this setting, the UBCMS uses whomever is coded in LDAP as 'staff.' This excludes volunteer accounts and retirees, but includes people with emeritus in their title even if they are marked as a retiree.
    • The LDAP field only has one value--someone cannot be both student and staff. We believe most student and graduate assistants are marked as a student and not staff so they will be excluded.
  • To limit access to a specific group of UB accounts, use Additional Users/Group. (These must be in the form of existing LDAP groups or individual UBitnames.)
    • You can mix and match groups and userids but each LDAP group or user designation must be added as a new entry.
    • Click 'Add Item +' to add each user or group ('+' changes to  '-' and you can type in the form field).
    • For each item, enter an valid LDAP group or UBitname; for example,
      • ub_all_staff   [all UB staff]
      • uw-apy  [Anthropology faculty & staff]
      • jjs58  [user with UBitname "jjs58"]
      • hjarvis [user with UBitname "hjarvis"]
More about LDAP Groups

You can look up LDAP group names and their members by connecting to ubunix.buffalo.edu through SSH-Telnet.

Once you are logged in, run the command grep keyword /etc/group  where keyword is a UBITName, LDAP group, or a partial string of either. This will check if that group exists, and display all UBitnames associated with it.

You can also use the command groups UBitname to look up which groups include the specified person (identified by their UBitname).

If you need to request a new LDAP group, please fill out the Request or Adjust an LDAP Group form.

Requesting or Adjusting an LDAP Group

Site Owners or Site Managers only!

LDAP Groups can be created or adjusted directly by individual offices through the UBit Help Center.

Service Request Form for LDAP Groups

Using LDAP Parameters on a Page

Once a page is secure, because the visitor is now identified, the following parameters are available from LDAP (with an example of the output for Jerod Sikorskyj):

id                   jjs58
path              /home/users/j/jj/jjs/jjs58
displayName  Jerod J Sikorskyj
givenName    Jerod
familyName   Sikorskyj
phone           645-5195
email            jjs58@buffalo.edu
affiliation     staff
department Enterprise Application Services
title             Application Developer
address        108 Fillmore Academic Center

To use any of these parameters on an authenticated page, you must use the User Info Loader component, located in the author Sidekick under “Form Components.”

Place the User Info Loader component at the top of the page.

  • Click on the “+” sign to add a field (“+”changes to a “-“ sign so it can be removed). 
  • To make an LDAP parameter available for inclusion on your page, use this syntax:
                    #<variable>=<LDAP parameter>
                     e.g.        #your_name=displayName
  • Anywhere in your page that you put an HTML snippet with a named element (e.g. #your_name), the text of that HTML element will become the value of that LDAP variable. So in the above example, <h3 id="your_name">text_to_be_replaced</h3> will display an H3 heading with the value of displayName when published.  
  • To use an LDAP parameter in a form, use this syntax: 
                    input[name=<variable>]=<LDAP parameter>
                    e.g.        input[name=emailAddress]=email
  • You would then insert a Form container as usual and add the appropriate input fields. 
  • For example, to use an LDAP parameter in a Text Field, set the component values to:
    • Element Name: variable (e.g. Element Name: emailAddress)
    • Title: whatever text you wish
  • Each variable must match the value you used in the User Info Loader component for name=<variable>; in this case, emailAddress will automatically pull in their email address.

Make sure to activate all pages to the publisher to test them live.

Advanced - Vanity URLs and Redirects on Authenticated Pages

It is not possible to add a working Vanity URL to an authenticated page unless your Vanity URL also ends in '-pw.'  If a short URL without '-pw' is desired for outreach or to handle common usage, we suggest you use a separate Redirect Page instead.

Create a new page using the Redirect Template, set the URL through the UBCMS to the actual secure page (/content/www/etc/page-pw), and then add any desired Vanity URLs to the Page Properties of the redirect page, and NOT in the secure page itself.

> Read more about UBCMS redirect pages

Advanced - Reveal Secure Pages in Lists or Navigation

Secure pages are by design only accessible to a user once they have successfully logged in through Shibboleth. In some cases, like the List Component, the UBCMS is smart enough to not even reveal a link to a secure page unless the user should see the link, but this makes it difficult to naturally reveal these pages in lists to users who may not have logged in, or in cases where you do wish the public to know the secure page exists.

  1. Using Page Properties, conceal the secure page (in page properties, set "Hide In Lists" and "Hide in Navigation").
  2. Build a matching new page in the same folder using the Redirect Template.  Open this new page, and select the secure page as what to "Redirect to". 
  3. Build your list normally.

The redirect page will instead be shown in the list and take users to the secure page, but the secure page will only be displayed if they successfully authenticate with authorization to view the page.

 

Was This Page Helpful?

 
(Required)
(Required)
(so we can thank you or request more details)
(Required)
(buffalo.edu addresses only please)