David,
I reached out to my colleague, Andy Dale, and he provided some additional comments. See below.
>> Is the urn:mace:dir:entitlement:common-lib-terms an attribute value that OCLC would consider accepting?

Absolutely YES – We need to collect more information like this email and understand what our members and customers need. We will go to considerable effort to reduce barriers to access library resources and services. If this is a barrier, we will remove it.

>> Do we support direct authenticated links to resources as described by David?

I am still trying to determine what the exact state of this is at OCLC. I know we can do this with EZProxy but I have no idea if FirstSearch provides this functionality. The new infrastructure that is being built is designed to support this behavior, so as we move our products and services to the new IDM infrastructure we will get more coverage for this.

I'll see if I can find out if FirstSearch provides this functionality – direct authenticated links.
Jason Zavar
Product Manager, EZproxy
OCLC, Online Computer Library Center, Inc.
6565 Kilgour Place -- MC431
Dublin, Ohio 43017
800-848-5878 ext. 5195
From: David Kennedy
[mailto:]
Sent: Friday, July 17, 2009 10:56 AM
To: Zavar,Jason
Cc: ; Shibboleth
Subject: Re: [InC-Lib-Vendor] RE: OCLC and InCommon Library Services Collaboration
Jason,
Thank you for your response. I have a follow-up question for you, and will try to shed some light on your question.

Have you received any feedback on your use of eduPersonEntitlement? The reason I am asking is that, in Duke's case, our OIT runs our Shibboleth Identity Provider. And they don't necessarily want to be configuring different values for a particular attribute for different service providers. They currently make their policies across the InCommon Federation as a single attribute release policy. So, they would like one policy that appropriately releases eduPersonEntitlement with the common-lib-terms attribute to all InCommon service providers. I don't know, but imagine other institutions' identity providers would be pretty much in the same boat on this.

Is the urn:mace:dir:entitlement:common-lib-terms an attribute value that OCLC would consider accepting?
In response to your question, direct linking to resources is basically persistent URLs directly to resources, as opposed to URLs just to search screens. Our question is whether or not there is a way to craft persistent URLs to resources, such that the URLs to these resources are WAYFless.

So, for instance, if you had a resource that lived at:

http://firstsearch.oclc.org/resources/foo

and you had a WAYFless URL syntax that made use of a SessionInitiator that lived at:

https://firstsearch.oclc.org/Shib/SessionInitiator

then direct Shibboleth-authenticated links to resources would look something like this for Duke:

https://firstsearch.oclc.org/Shib/SessionInitiator?providerId=urn:mace:incommon:duke.edu&target=http://firstsearch.oclc.org/resources/foo

This feature is very desirable for libraries, because we have the ability to craft these URLs from our own systems (link resolvers, course home pages, Metalib, etc.) (by sending them through EZproxy and using SPUEdit directives) in order that end users can experience authenticated access directly to resources.
Dave
-----
David Kennedy
Systems Programmer
Perkins Library, Duke University
(919) 613-6831
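One way to build and check the WAYFless links David describes above, as an added example that is not code from the original thread, from OCLC/EZproxy or from the Shibboleth project: the SessionInitiator URL, entityID and resource URL are the ones from the message above; the same-host rule for the target, the helper names and the sample search URL are assumptions made for this example. It also shows why the target must be percent-encoded: a resource URL that carries its own query string, pasted in unencoded as in the illustrative link above, is split by the SP into extra parameters.

```python
"""Build and check WAYFless Shibboleth SessionInitiator links.

Added example for this thread; not OCLC, EZproxy or Shibboleth code.
The initiator URL, entityID and resource URL are those in the message
above; the same-host rule and the helper names are assumptions.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the example in the message above.
SESSION_INITIATOR = "https://firstsearch.oclc.org/Shib/SessionInitiator"
DUKE_ENTITY_ID = "urn:mace:incommon:duke.edu"


def same_host(resource_url, initiator=SESSION_INITIATOR):
    """True if the target lives on the same host as the SessionInitiator.

    Assumption for this example: a library link resolver should only emit
    targets on the SP's own host, so a mistyped or tampered resolver entry
    cannot turn the SP's post-login redirect into a hop to another site.
    """
    res = urlsplit(resource_url)
    init = urlsplit(initiator)
    return (res.scheme in ("http", "https")
            and res.hostname is not None
            and res.hostname.lower() == (init.hostname or "").lower())


def wayfless_url(resource_url, entity_id=DUKE_ENTITY_ID,
                 initiator=SESSION_INITIATOR):
    """Return a direct, WAYFless link to resource_url through the SP's
    SessionInitiator, with providerId and target percent-encoded."""
    if urlsplit(initiator).scheme != "https":
        raise ValueError("SessionInitiator must be an https URL")
    if not same_host(resource_url, initiator):
        raise ValueError(f"refusing off-host target: {resource_url}")
    # urlencode escapes ':', '/', '?' and '&', so a resource URL that carries
    # its own query string arrives at the SP as one 'target' value instead of
    # spilling extra parameters into the SessionInitiator request.
    query = urlencode({"providerId": entity_id, "target": resource_url})
    return f"{initiator}?{query}"


def parse_wayfless_url(url):
    """Decode the query string the way the SP will see it: a dict of
    parameter name -> first value."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in params.items()}


if __name__ == "__main__":
    link = wayfless_url("http://firstsearch.oclc.org/resources/foo")
    print(link)
    print(parse_wayfless_url(link))
```

The naive string concatenation in the message works for a bare path, but a target such as `/search?q=...&dbname=...` loses everything after its first `&` to the SessionInitiator's own parameter list; `urlencode` keeps it intact, and the host check stops the resolver from minting links that send a freshly authenticated user somewhere other than the vendor's site.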
"Zavar,Jason" <>
07/17/2009 10:08 AM

To: "David Kennedy" <>
cc: <>, "Shibboleth" <>
Subject: [InC-Lib-Vendor] RE: OCLC and InCommon Library Services Collaboration
David,
Sorry for my delay in responding. Please see the responses from OCLC below.

1. What are the minimum attributes you require from an Identity Provider for basic Shibboleth authentication?

OCLC requires the eduPersonEntitlement attribute to specify which FirstSearch authorization to use. The entitlement string value to configure is urn:mace:oclc.org:FirstSearchAuthorziation

2. What additional services, if any, do you provide through Shibboleth beyond basic login, for example, personalization. If you do provide additional services, what is required to enable them?

Just authentication.

3. Do you support "WAYFless" access, that is, access that does not require a user to identify where they are from in order to reach his or her local authentication system?

No, but we have had multiple libraries request a WAYFless URL. I am trying to obtain a status as to when this feature may be supported.

4. Do you support direct Shibboleth-authenticated links to resources?

I am still trying to find out this information. Could you please clarify what is meant by this question?

5. Who should libraries contact if they want to set up Shibboleth access to your site or if they have questions or problems?

Setup –
Support –
Technical resources will be consulted as necessary.
Jason Zavar
Product Manager, EZproxy
OCLC, Online Computer Library Center, Inc.
6565 Kilgour Place -- MC431
Dublin, Ohio 43017
800-848-5878 ext. 5195
From: David Kennedy
[mailto:]
Sent: Thursday, July 09, 2009 9:34 AM
To: Hamparian,Don; Zavar,Jason; Shibboleth
Cc:
Subject: OCLC and InCommon Library Services Collaboration
Don, Jason, et al.
I am writing you on behalf of the InCommon Library Services Collaboration.
We represent a group of research libraries who are working to expand the use of
Shibboleth among members of the InCommon federation. As part of that effort, we
are gathering information from vendors about how they have implemented
Shibboleth. By making this information more accessible, we hope to make it
easier for libraries to use the technology. We also would like to help develop
common practices among vendors that would simplify the implementation process
for everyone involved and make Shibboleth an attractive option for users.
We think that expanding the use of Shibboleth will help you in various ways:
1. Provide a more secure means of access than IP authentication.
2. Provide better tools for identifying who is responsible when breaches
occur.
3. Make it possible for users to take advantage of personalized features
on a site without requiring them to open a local account maintained by the
vendor.
4. Help to start moving away from IP-based authentication and the
overhead it requires.
We ask that you answer the following questions, as they relate to your products
and services:
1. What are the minimum attributes you require from an Identity Provider
for basic Shibboleth authentication?
2. What additional services, if any, do you provide through Shibboleth
beyond basic login, for example, personalization. If you do provide additional
services, what is required to enable them?
3. Do you support "WAYFless" access, that is, access that does
not require a user to identify where they are from in order to reach his or her
local authentication system?
4. Do you support direct Shibboleth-authenticated links to resources?
5. Who should libraries contact if they want to set up Shibboleth access
to your site or if they have questions or problems?
We appreciate your willingness to help us in this effort.
David Kennedy, Duke University
Adam Chandler, Cornell University
Andy Ingham, University of North Carolina, Chapel Hill
Jonathan Lavigne, Stanford University
Kent Percival, University of Guelph
Joy Veronneau, Cornell University
Jason Zavar, OCLC
Fred Zhang, Michigan State University
Foster Zhang, Johns Hopkins University
[please send response email to ]
-----
David Kennedy
Systems Programmer
Perkins Library, Duke University
(919) 613-6831