Restrict access to your published pages.
Last reviewed: January 21, 2022
Using Shibboleth, Lightweight Directory Access Protocol (LDAP), and Secure Socket Layers (SSL), it is possible to limit access of your published pages to specific LDAP groups or named UB constituents.
Access is limited through a parent page, and the name of that authenticated page must end in “–pw” (e.g. mypage-pw). This will limit access to that particular page (i.e. mypage-pw.html) and any of its children. Also the public URL for your new page will begin https://.
Within the UBCMS, all hostnames (subdomains) are certified for secure pages (e.g. WWW.buffalo.edu is a hostname, as is NURSING.buffalo.edu). All secure pages rely on a certificate for that hostname, and for all UBCMS pages, the certificate is managed and paid for centrally by UBit. But if your unit operates its own servers with an independent certificate, your unit would be responsible for purchasing and managing that on your own.
The UBCMS is not an appropriate place for ANY regulated private data; e.g. bank credit/debit card numbers, government-issued ID numbers, health information, or computer passwords.
Each time a user accesses a secure page within a 24 hour period, their account needs to sync. Once the sync has finished, refreshing the page should be the same speed as a regular page. > Read more about this Known Issue.
Any UBCMS user who can normally see your pages in the UBCMS will also be able to view your authenticated pages while in the authoring system. (All UBCMS users can view any page in Shared Content.)
If you also need privacy from other UBCMS users, place the content on a secure regular page in your site (not in Shared Content), and ask us to create a new explicit permissions group to limit access. Choose the option "People in your existing group(s) will LOSE access to these folders. Only this new group will have access." Or use the Private Authoring feature to control whocan view/edit/publish these pages.
Also remember that content in Assets is normally visible to all authors, and when you add an asset, it is even promoted as "new" to all authors at the top of the Assets Browser. If you need to keep them private in Author (e.g. details of a special unannounced event or a restricted-use photo) consider embedding them directly into your page, or use Private Authoring.
If you wish to publish any documents on your secure pages that you do not wish ANYONE else to see (i.e. not even other authors), attach them directly to one of your secure pages and do not host them in the DAM. (All authors can view ANY documents that are in the DAM.)
Create the new page. The name of must end in “–pw” (e.g. mypage-pw).
This will limit access to that particular page (i.e. mypage-pw.html) and any of its children.
Set up your page as desired, then adjust that page's settings in Properties as described in the next section.
As soon as a page's name ends in "-pw", users are required to login. The additional Page Properties settings simply define the access limits more narrowly.
Access can only be controlled for UB employees and students (or a volunteer appointment). A UBITName is required.
You can look up LDAP group names and their members by connecting to ubunix.buffalo.edu through SSH-Telnet.
Once you are logged in, run the command grep keyword /etc/group where keyword is a UBITName, LDAP group, or a partial string of either. This will check if that group exists, and display all UBitnames associated with it.
You can also use the command groups UBitname to look up which groups include the specified person (identified by their UBitname).
Site Owners or Site Managers only!
LDAP Groups can be created or adjusted directly by individual offices through the UBIT Help Center.
Once a page is secure, because the visitor is now identified, the following parameters are available from LDAP (with an example of the output for Jerod Sikorskyj):
displayName Jerod J Sikorskyj
department Enterprise Application Services
title Application Developer
address 108 Academic Center
To use any of these parameters on an authenticated page, you must use the User Info Loader component, located in the author Sidekick under “Form Components.”
Place the User Info Loader component at the top of the page.
Make sure to activate all pages to the publisher to test them live.
Here is a sample form that includes the user data drawn from LDAP. Access is limited to anyone with a buffalo.edu account.
It is not possible to add a working Vanity URL to an authenticated page unless your Vanity URL also ends in '-pw.' If a short URL without '-pw' is desired for outreach or to handle common usage, we suggest you use a separate Redirect Page instead.
Create a new page using the Redirect Template, set the URL through the UBCMS to the actual secure page (/content/www/etc/page-pw), and then add any desired Vanity URLs to the Page Properties of the redirect page, and NOT in the secure page itself.
Most secure pages are by design only accessible to a user once they have successfully logged in through Shibboleth. In some cases, like the List Component, the UBCMS is smart enough to not even reveal a link to a secure page unless the user should see that link, but this makes it difficult to consistently reveal these pages in lists to users who may not have logged in, or to reliably conceal your secure pages in cases where you do wish the public to know they exist.
"All users" pages are an exception to this rule and are displayed in lists as if they are normal pages. But all other secure pages, whether limited to faculty-staff, or specific LDAP user/group combinations, will be hidden from view in lists.
Here is a consistent workaround:
The redirect page will instead be shown in the list and take users to the secure page, but the secure page will only be displayed if they successfully authenticate with authorization to view the page.