inc-lib-vendor - Re: [InC-Lib-Vendor] RE: OCLC and InCommon Library Services Collaboration
- From: David Kennedy <>
- To: "Zavar,Jason" <>
- Cc: , "Shibboleth" <>
- Subject: Re: [InC-Lib-Vendor] RE: OCLC and InCommon Library Services Collaboration
- Date: Fri, 17 Jul 2009 10:55:37 -0400
Jason,
Thank you for your response. I have a follow-up question for you, and will try to shed some light on your question.
Have you received any feedback on your use of eduPersonEntitlement? The reason I am asking is that, in Duke's case, our OIT runs our Shibboleth Identity Provider. And they don't necessarily want to be configuring different values for a particular attribute for different service providers. They currently make their policies across the InCommon Federation as a single attribute release policy. So, they would like one policy that appropriately releases eduPersonEntitlement with the common-lib-terms attribute to all InCommon service providers. I don't know, but imagine other institutions' identity providers would be pretty much in the same boat on this. Is the urn:mace:dir:entitlement:common-lib-terms an attribute value that OCLC would consider accepting?
In response to your question, direct links to resources are basically persistent URLs directly to resources, as opposed to URLs just to search screens. Our question is whether or not there is a way to craft persistent URLs to resources, such that the URLs to these resources are WAYFless.
So, for instance, if you had a resource that lived at:
http://firstsearch.oclc.org/resources/foo
and you had a WAYFless URL syntax that made use of a SessionInitiator that lived at:
https://firstsearch.oclc.org/Shib/SessionInitiator
then direct Shibboleth-authenticated links to resources would look something like this for Duke:
https://firstsearch.oclc.org/Shib/SessionInitiator?providerId=urn:mace:incommon:duke.edu&target=http://firstsearch.oclc.org/resources/foo
This feature is very desirable for libraries, because we have the ability to craft these URLs from our own systems (link resolvers, course home pages, MetaLib, etc.) (by sending them through EZproxy and using SPUEdit directives) in order that end users can experience authenticated access directly to resources.
Dave
-----
David Kennedy
Systems Programmer
Perkins Library, Duke University
(919) 613-6831
"Zavar,Jason"
<>
07/17/2009 10:08 AM
David,
Sorry for my delay in responding. Please see the responses from OCLC below.
1. What are the minimum attributes you require from an Identity Provider for basic Shibboleth authentication?
OCLC requires the eduPersonEntitlement attribute to specify which FirstSearch authorization to use. The entitlement string value to configure is urn:mace:oclc.org:FirstSearchAuthorziation
2. What additional services, if any, do you provide through Shibboleth beyond basic login, for example, personalization. If you do provide additional services, what is required to enable them?
Just authentication.
3. Do you support "WAYFless" access, that is, access that does not require a user to identify where they are from in order to reach his or her local authentication system?
No, but we have had multiple libraries request a WAYFless URL. I am trying to obtain a status as to when this feature may be supported.
4. Do you support direct Shibboleth-authenticated links to resources?
I am still trying to find out this information. Could you please clarify what is meant by this question?
5. Who should libraries contact if they want to set up Shibboleth access to your site or if they have questions or problems?
Setup –
Support –
Technical resources will be consulted as necessary.
Jason Zavar
Product Manager, EZproxy
OCLC, Online Computer Library Center, Inc.
6565 Kilgour Place -- MC431
Dublin, Ohio 43017
800-848-5878 ext. 5195
From: David Kennedy [mailto:]
Sent: Thursday, July 09, 2009 9:34 AM
To: Hamparian,Don; Zavar,Jason; Shibboleth
Cc:
Subject: OCLC and InCommon Library Services Collaboration
Don, Jason, et al.
I am writing you on behalf of the InCommon Library Services Collaboration.
We represent a group of research libraries who are working to expand the use of Shibboleth among members of the InCommon federation. As part of that effort, we are gathering information from vendors about how they have implemented Shibboleth. By making this information more accessible, we hope to make it easier for libraries to use the technology. We also would like to help develop common practices among vendors that would simplify the implementation process for everyone involved and make Shibboleth an attractive option for users.
We think that expanding the use of Shibboleth will help you in various ways:
1. Provide a more secure means of access than IP authentication.
2. Provide better tools for identifying who is responsible when breaches occur.
3. Make it possible for users to take advantage of personalized features on a site without requiring them to open a local account maintained by the vendor.
4. Help to start moving away from IP-based authentication and the overhead it requires.
We ask that you answer the following questions, as they relate to your products and services:
1. What are the minimum attributes you require from an Identity Provider for basic Shibboleth authentication?
2. What additional services, if any, do you provide through Shibboleth beyond basic login, for example, personalization. If you do provide additional services, what is required to enable them?
3. Do you support "WAYFless" access, that is, access that does not require a user to identify where they are from in order to reach his or her local authentication system?
4. Do you support direct Shibboleth-authenticated links to resources?
5. Who should libraries contact if they want to set up Shibboleth access to your site or if they have questions or problems?
We appreciate your willingness to help us in this effort.
David Kennedy, Duke University
Adam Chandler, Cornell University
Andy Ingham, University of North Carolina, Chapel Hill
Jonathan Lavigne, Stanford University
Kent Percival, University of Guelph
Joy Veronneau, Cornell University
Jason Zavar, OCLC
Fred Zhang, Michigan State University
Foster Zhang, Johns Hopkins University
[please send response email to ]
-----
David Kennedy
Systems Programmer
Perkins Library, Duke University
(919) 613-6831
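The WAYFless link syntax sketched in the 07/17 message, as an added example that is not part of the original thread and not OCLC's implementation: it builds the link with both parameters percent-encoded and shows what a SessionInitiator would receive when the target resource URL has its own query string. The endpoint is the hypothetical one from the message; the allowed-host list, the function names and the sample resource query string are assumptions.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical endpoint and Duke entityID as written in the message above.
SESSION_INITIATOR = "https://firstsearch.oclc.org/Shib/SessionInitiator"
DUKE_ENTITY_ID = "urn:mace:incommon:duke.edu"
# Assumption: the hosts this service provider will redirect to after login.
ALLOWED_TARGET_HOSTS = {"firstsearch.oclc.org"}


def check_target(target, allowed_hosts=ALLOWED_TARGET_HOSTS):
    """Reject targets that would turn the login link into an open redirect."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        raise ValueError("target must be an http(s) URL")
    if parts.username or parts.password:
        raise ValueError("target must not carry userinfo")
    if parts.hostname not in allowed_hosts:
        raise ValueError("target host is not an allowed resource host")
    return target


def build_wayfless_url(provider_id, target):
    """Link-generator side: percent-encode both parameters."""
    query = urlencode({"providerId": provider_id, "target": check_target(target)})
    return SESSION_INITIATOR + "?" + query


def naive_wayfless_url(provider_id, target):
    """Plain string concatenation, as in the hand-written form of the link."""
    return f"{SESSION_INITIATOR}?providerId={provider_id}&target={target}"


def received_params(url):
    """Service-provider side: the parameters the SessionInitiator would see."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in params.items()}


if __name__ == "__main__":
    # Constructed sample: a resource URL that has its own query string.
    resource = "http://firstsearch.oclc.org/resources/foo?id=1&lang=en"
    print(received_params(naive_wayfless_url(DUKE_ENTITY_ID, resource)))
    print(received_params(build_wayfless_url(DUKE_ENTITY_ID, resource)))
```

With the concatenated form, the resource's own `&lang=en` is read as a parameter of the SessionInitiator and the target is cut short; the encoded form delivers the target intact.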
- OCLC and InCommon Library Services Collaboration, David Kennedy, 07/09/2009
- RE: OCLC and InCommon Library Services Collaboration, Zavar,Jason, 07/17/2009
- Re: [InC-Lib-Vendor] RE: OCLC and InCommon Library Services Collaboration, David Kennedy, 07/17/2009
- RE: [InC-Lib-Vendor] RE: OCLC and InCommon Library Services Collaboration, Zavar,Jason, 07/20/2009