Defining Use Cases for Federating Library Services

[Thomas Howell <>]

Title:

"Shibboleth and Federations: collaborating to solve complex access issues related to university library resources."

Speakers:

David Kennedy of Duke University and Thomas Howell of Northwestern University

Abstract:

"Vendors and campuses often have complex contractual obligations with one another. At the same time they also need to support a diverse number of electronic services which are both technologically and workflow wise quite challenging. Under such agreements some segments of the distributed community may be granted access to systems and resources while others may be excluded. As our community increasingly demands 24x7 service and access from anywhere in the world, proper compliance has become more difficult. Learn how the Library community has been using Shibboleth and InCommon to address these issues. "

-------------------------------------

From Paul:

On a slightly different tack, I was thinking about our Use Case areas of interest once again. So far we have the following broad categories:
- Shib-enabled EZProxy
- ILS
- User Walk In
- Multi-Campus and Consortium

Shouldn't there be a category that talk about services from the cloud? For now let's hold off on figuring out if EZProxy should be subsumed into the category or not.

I see three broad cases under this category:
1) Services where we are willing to release the EPPN or some other reversibly intelligible identifier.

2) Services where we are willing to release a targeted-id which is not reversibly intelligible by the service provider.

3) Services where we only release information that is not uniquely identifying.

Examples:

case 1) A hosted ILLiad service. We are willing to release a reversibly intelligible identifier because ultimately a book or documented is being delivered from one library to another destination. And the delivered object has to be returned to the original library at some point in the future. Since there is a material object with a well defined material value, all parties desire the ability to positively identify who is requesting the book and where it is being delivered.

In several cases the libraries from the requesting library need to perform additional validation of the user (during ILLiad registration) to determine that the person is a legitimate person that should be authorized. For example, a visiting  faculty member might appear as a sponsored guest account instead of an employee. The host department, lab, or center, will have to confirm to the librarians that inter-library borrowing privileges should be extended for a semester.

case 2) RefWorks, the online bibliographic management program that allows users to create a personal database of references and generate bibliographies in a variety of formats. Since the campus user is creating content on a system that is hosted by an external vendor, many librarians feel there is a privacy concern. In this case we may only wish to release a targeted-id so that the user is uniquely mapped to their data, but the vendor cannot determine which user on campus has created the set of references. Nor could they use the data to generate targeted advertising delivered through any other vehicle than their own site.

case 3) EZProxy comes to mind. I'm under the impression that in the majority of cases our campuses prefer not to release uniquely identifiable information about our users access to external databases.