InC-Lib-Vendor

[David Kennedy <>]

> I reached out to my colleague, Andy Dale and he
provided some 
> additional comments. See below.
>  
> >> Is the urn:mace:dir:entitlement:common-lib-terms
 an attribute 
> value that OCLC would consider accepting?
> Absolutely YES – We need to collect more information
like this email
> and understand what our members and customers need. We will go to
> considerable effort to reduce barriers to access library resources
> and services. If this is a barrier; we will remove it.

Jason,

Can you provide an update on the above?
 Is there a timeline for FirstSearch to use the standard common-lib-terms
eduPersonEntitlement value instead of the OCLC-specific value?

Thanks
Dave


-----
David Kennedy
Application Developer
Perkins Library, Duke University
(919) 613-6831


"Zavar,Jason" <> wrote
on 07/20/2009 04:22:03 PM:

> From:
> 
> "Zavar,Jason" <>
> 
> To:
> 
> "David Kennedy" <>
> 
> Cc:
> 
> <>, "Shibboleth"
<>
> 
> Date:
> 
> 07/20/2009 04:22 PM
> 
> Subject:
> 
> RE: [InC-Lib-Vendor] RE: OCLC and InCommon Library Services Collaboration
> 
> David,
>  
> I reached out to my colleague, Andy Dale and
he provided some 
> additional comments. See below.
>  
> >> Is the urn:mace:dir:entitlement:common-lib-terms
 an attribute 
> value that OCLC would consider accepting?
> Absolutely YES – We need to collect more information
like this email
> and understand what our members and customers need. We will go to
> considerable effort to reduce barriers to access library resources
> and services. If this is a barrier; we will remove it.
>  
> >> Do we Support direct authenticated links
to resources as 
> described by David?
> I am still trying to determine what the exact
state of this is at 
> OCLC. I know we can do this with EZProxy but I have no idea if 
> FirstSearch provides this functionality. The new infrastructure that
> is being built is designed to support this behavior so as we move
> our products and services to the new IDM infrastructure we will get
> more coverage for this. 
>  
> I’ll see if I can find out if FirstSearch provides
this 
> functionality – direct authenticated links.
> Jason Zavar
> Product Manager, EZproxy
> OCLC, Online Computer Library Center, Inc.
> 6565 Kilgour Place -- MC431
> Dublin, Ohio 43017
> 800-848-5878 ext. 5195
> 
>  
>  
>  
> From: David Kennedy []
> Sent: Friday, July 17, 2009 10:56 AM
> To: Zavar,Jason
> Cc: ; Shibboleth
> Subject: Re: [InC-Lib-Vendor] RE: OCLC and InCommon Library Services
> Collaboration
>  
> 
> Jason, 
> 
> Thank you for your response.  I have a follow-up question for
you, 
> and will try to shed some light on your question. 
> 
> Have you received any feedback on your use of eduPersonEntitlement?
> The reason I am asking is that, in Duke's case, our OIT runs our 
> Shibboleth Identity Provider.  And they don't necessarily want
to be
> configuring different values for a particular attribute for 
> different service providers.  They currently make their policies
> across the InCommon Federation as a single attribute release policy.
> So, they would like one policy that appropriately releases 
> eduPersonEntitlement with the common-lib-terms attribute to all 
> InCommon service providers.  I don't know, but imagine other
> institutions identity providers would be pretty much in the same 
> boat on this.  Is the urn:mace:dir:entitlement:common-lib-terms
 an 
> attribute value that OCLC would consider accepting? 
> 
> In response to your question, direct linking to resources are 
> basically persistent URLs directly to resources, as opposed to URLs
> just to search screens.  Our question is whether or not there
is a 
> way to craft persistent URLs to resources, such that the URLs to 
> these resources are WAYFless. 
> So, for instance, if you had a resource that lived at: 
> http://firstsearch.oclc.org/resources/foo
> and you had a WAYFless URL syntax that made use of a 
> SessionInitiator that lived at: 
> https://firstsearch.oclc.org/Shib/SessionInitiator
> then direct Shibboleth-authenticated links to resources would look
> something like this for duke: 
> https://firstsearch.oclc.org/Shib/SessionInitiator?
> providerId=urn:mace:incommon:duke.edu&target=http://
> firstsearch.oclc.org/resources/foo 
> 
> This feature is very desirable for libraries, because we have the
> ability to craft these URLs from our own systems (link resolvers,
> course home pages, metalib, etc) (by sending them through ezproxy
> and using SPUEdit directives) in order that end users can experience
> authenticated access directly to resources. 
> 
> Dave 
> 
> -----
> David Kennedy
> Systems Programmer
> Perkins Library, Duke University
> (919) 613-6831
>  

> 
> "Zavar,Jason" <> 
> 07/17/2009 10:08 AM 
> 
> To
> 
> "David Kennedy" <> 
> 
> cc
> 
> <>, "Shibboleth"
<> 
> 
> Subject
> 
> [InC-Lib-Vendor] RE: OCLC and InCommon Library Services Collaboration
> 
>  
> 
> 
> 
> 
> David, 
>   
> Sorry for my delay in responding. Please see the responses from OCLC
below. 
>   
>    1. What are the minimum attributes you require from an
Identity 
> Provider for basic Shibboleth authentication?   
>   
> OCLC requires the eduPersonEntitlement attribute to specify which
> FirstSearch authorization to use. The entitlement string value to
> configure is urn:mace:oclc.org:FirstSearchAuthorziation 
> 
>   2. What additional services, if any, do you provide through
> Shibboleth beyond basic login, for example, personalization. If you
> do provide additional services, what is required to enable them?  
>   
> Just authentication. 
> 
>   3. Do you support "WAYFless" access, that is, access
that does not
> require a user to identify where they are from in order to reach his
> or her local authentication system? 
>   
>  No, but we have had multiple libraries request a WAYFless URL.
 I 
> am trying to obtain a status as to when this feature may be supported.
  
> 
>   4. Do you support direct Shibboleth-authenticated links to
resources?   
>   
> I am still trying find out this information. Could you please 
> clarify what is meant by this question? 
> 
>   5. Who should libraries contact if they want to set up Shibboleth
> access to your site or if they have questions or problems? 
>   
> Setup –  
> Support –  
> Technical resources will be consulted as necessary. 
>   
> Jason Zavar
> Product Manager, EZproxy
> OCLC, Online Computer Library Center, Inc.
> 6565 Kilgour Place -- MC431
> Dublin, Ohio 43017
> 800-848-5878 ext. 5195
>  
>   
>   
>   
> From: David Kennedy []
> Sent: Thursday, July 09, 2009 9:34 AM
> To: Hamparian,Don; Zavar,Jason; Shibboleth
> Cc: 
> Subject: OCLC and InCommon Library Services Collaboration 
>   
> 
> Don, Jason, et al. 
> 
> I am writing you on behalf of the InCommon Library Services Collaboration.
> 
> We represent a group of research libraries who are working to expand
> the use of Shibboleth among members of the InCommon federation. As
> part of that effort, we are gathering information from vendors about
> how they have implemented Shibboleth. By making this information 
> more accessible, we hope to make it easier for libraries to use the
> technology. We also would like to help develop common practices 
> among vendors that would simplify the implementation process for 
> everyone involved and make Shibboleth an attractive option for users.
> 
> We think that expanding the use of Shibboleth will help you in various
ways: 
> 
>   1. Provide a more secure means of access than IP authentication.
>   2. Provide better tools for identifying who is responsible
when 
> breaches occur. 
>   3. Make it possible for users to take advantage of personalized
> features on a site without requiring them to open a local account
> maintained by the vendor. 
>   4. Help to start moving away from IP-based authentication and
the 
> overhead it requires. 
> 
> We ask that you answer the following questions, as they relate to
> your products and services: 
> 
>   1. What are the minimum attributes you require from an Identity
> Provider for basic Shibboleth authentication? 
>   2. What additional services, if any, do you provide through
> Shibboleth beyond basic login, for example, personalization. If you
> do provide additional services, what is required to enable them? 
>   3. Do you support "WAYFless" access, that is, access
that does not
> require a user to identify where they are from in order to reach his
> or her local authentication system? 
>   4. Do you support direct Shibboleth-authenticated links to
resources? 
>   5. Who should libraries contact if they want to set up Shibboleth
> access to your site or if they have questions or problems? 
> 
> We appreciate your willingness to help us in this effort. 
> 
> David Kennedy, Duke University 
> Adam Chandler, Cornell University 
> Andy Ingham, University of North Carolina, Chapel Hill 
> Jonathan Lavigne, Stanford University 
> Kent Percival, University of Guelph 
> Joy Veronneau, Cornell University 
> Jason Zavar, OCLC 
> Fred Zhang, Michigan State University 
> Foster Zhang, Johns Hopkins University 
> 
> [please send response email to ]
> 
> -----
> David Kennedy
> Systems Programmer
> Perkins Library, Duke University
> (919) 613-6831
>