InC-Lib-Vendor

[David Kennedy <>]

-----
David Kennedy
Application Developer
Perkins Library, Duke University
(919) 613-6831

----- Forwarded by David
Kennedy/Libraries/Provost/Academic/Univ/Duke on 09/18/2009 01:28 PM -----

From:	"Zavar,Jason" <>
To:	"David Kennedy" <>
Cc:	"Hamparian,Don" <>, "Dale,Andy" <>
Date:	09/14/2009 11:01 AM
Subject:	RE: [InC-Lib-Vendor] RE: OCLC and InCommon Library Services Collaboration

---

David,
 
OCLC Product Management and Development
are meeting within the week to prioritize and set dates for Identity Management
(IDM) related activities on the WorldCat Platform.  We plan to have
Shibboleth support by end of calendar year 2009 and will confirm and set
a more accurate date after that meeting.
 
We do not plan to invest in the First
Search platform IDM infrastructure as it will be replaced by the new infrastructure.

 
There should be no (or at least limited)
cause for worry. We have a direction for our Shibboleth users to a more
comprehensive solution.
 
Jason
 
From: David Kennedy []
Sent: Tuesday, September 01, 2009 5:02 PM
To: Zavar,Jason
Cc: ; Shibboleth
Subject: RE: [InC-Lib-Vendor] RE: OCLC and InCommon Library Services
Collaboration
 
> I reached out to my colleague,
Andy Dale and he provided some 
> additional comments. See below.
>   
> >> Is the urn:mace:dir:entitlement:common-lib-terms  an
attribute 
> value that OCLC would consider accepting?
> Absolutely YES – We need to collect more information like this email
> and understand what our members and customers need. We will go to
> considerable effort to reduce barriers to access library resources
> and services. If this is a barrier; we will remove it.

Jason, 

Can you provide an update on the above?  Is there a timeline for FirstSearch
to use the standard common-lib-terms eduPersonEntitlement value instead
of the OCLC-specific value?

Thanks 
Dave 


-----
David Kennedy
Application Developer
Perkins Library, Duke University
(919) 613-6831
 

"Zavar,Jason" <> wrote on 07/20/2009 04:22:03
PM:

> From: 
> 
> "Zavar,Jason" <>
> 
> To: 
> 
> "David Kennedy" <>
> 
> Cc: 
> 
> <>, "Shibboleth"
<>
> 
> Date: 
> 
> 07/20/2009 04:22 PM 
> 
> Subject: 
> 
> RE: [InC-Lib-Vendor] RE: OCLC and InCommon Library Services Collaboration
> 
> David, 
>   
> I reached out to my colleague, Andy Dale and he provided some 
> additional comments. See below.
>   
> >> Is the urn:mace:dir:entitlement:common-lib-terms  an
attribute 
> value that OCLC would consider accepting?
> Absolutely YES – We need to collect more information like this email
> and understand what our members and customers need. We will go to
> considerable effort to reduce barriers to access library resources
> and services. If this is a barrier; we will remove it.
>   
> >> Do we Support direct authenticated links to resources as
> described by David? 
> I am still trying to determine what the exact state of this is at
> OCLC. I know we can do this with EZProxy but I have no idea if 
> FirstSearch provides this functionality. The new infrastructure that
> is being built is designed to support this behavior so as we move
> our products and services to the new IDM infrastructure we will get
> more coverage for this. 
>   
> I’ll see if I can find out if FirstSearch provides this 
> functionality – direct authenticated links.
> Jason Zavar
> Product Manager, EZproxy
> OCLC, Online Computer Library Center, Inc.
> 6565 Kilgour Place -- MC431
> Dublin, Ohio 43017
> 800-848-5878 ext. 5195
>  
>   
>   
>   
> From: David Kennedy []
> Sent: Friday, July 17, 2009 10:56 AM
> To: Zavar,Jason
> Cc: ; Shibboleth
> Subject: Re: [InC-Lib-Vendor] RE: OCLC and InCommon Library Services
> Collaboration 
>   
> 
> Jason, 
> 
> Thank you for your response.  I have a follow-up question for
you, 
> and will try to shed some light on your question. 
> 
> Have you received any feedback on your use of eduPersonEntitlement?
> The reason I am asking is that, in Duke's case, our OIT runs our 
> Shibboleth Identity Provider.  And they don't necessarily want
to be
> configuring different values for a particular attribute for 
> different service providers.  They currently make their policies
> across the InCommon Federation as a single attribute release policy.
> So, they would like one policy that appropriately releases 
> eduPersonEntitlement with the common-lib-terms attribute to all 
> InCommon service providers.  I don't know, but imagine other
> institutions identity providers would be pretty much in the same 
> boat on this.  Is the urn:mace:dir:entitlement:common-lib-terms
 an 
> attribute value that OCLC would consider accepting? 
> 
> In response to your question, direct linking to resources are 
> basically persistent URLs directly to resources, as opposed to URLs
> just to search screens.  Our question is whether or not there
is a 
> way to craft persistent URLs to resources, such that the URLs to 
> these resources are WAYFless. 
> So, for instance, if you had a resource that lived at: 
> http://firstsearch.oclc.org/resources/foo
> and you had a WAYFless URL syntax that made use of a 
> SessionInitiator that lived at: 
> https://firstsearch.oclc.org/Shib/SessionInitiator
> then direct Shibboleth-authenticated links to resources would look
> something like this for duke: 
> https://firstsearch.oclc.org/Shib/SessionInitiator?
> providerId=urn:mace:incommon:duke.edu&target=http://
> firstsearch.oclc.org/resources/foo 
> 
> This feature is very desirable for libraries, because we have the
> ability to craft these URLs from our own systems (link resolvers,
> course home pages, metalib, etc) (by sending them through ezproxy
> and using SPUEdit directives) in order that end users can experience
> authenticated access directly to resources. 
> 
> Dave 
> 
> -----
> David Kennedy
> Systems Programmer
> Perkins Library, Duke University
> (919) 613-6831
>  

> 
> "Zavar,Jason" <> 
> 07/17/2009 10:08 AM 
> 
> To 
> 
> "David Kennedy" <> 
> 
> cc 
> 
> <>, "Shibboleth"
<> 
> 
> Subject 
> 
> [InC-Lib-Vendor] RE: OCLC and InCommon Library Services Collaboration
> 
>   
> 
> 
> 
> 
> David, 
>   
> Sorry for my delay in responding. Please see the responses from OCLC
below. 
>   
>    1. What are the minimum attributes you require from an
Identity 
> Provider for basic Shibboleth authentication?   
>   
> OCLC requires the eduPersonEntitlement attribute to specify which
> FirstSearch authorization to use. The entitlement string value to
> configure is urn:mace:oclc.org:FirstSearchAuthorziation 
> 
>   2. What additional services, if any, do you provide through
> Shibboleth beyond basic login, for example, personalization. If you
> do provide additional services, what is required to enable them?  
>   
> Just authentication. 
> 
>   3. Do you support "WAYFless" access, that is, access
that does not
> require a user to identify where they are from in order to reach his
> or her local authentication system? 
>   
>  No, but we have had multiple libraries request a WAYFless URL.
 I 
> am trying to obtain a status as to when this feature may be supported.
  
> 
>   4. Do you support direct Shibboleth-authenticated links to
resources?   
>   
> I am still trying find out this information. Could you please 
> clarify what is meant by this question? 
> 
>   5. Who should libraries contact if they want to set up Shibboleth
> access to your site or if they have questions or problems? 
>   
> Setup –  
> Support –  
> Technical resources will be consulted as necessary. 
>   
> Jason Zavar
> Product Manager, EZproxy
> OCLC, Online Computer Library Center, Inc.
> 6565 Kilgour Place -- MC431
> Dublin, Ohio 43017
> 800-848-5878 ext. 5195
>  
>   
>   
>   
> From: David Kennedy []
> Sent: Thursday, July 09, 2009 9:34 AM
> To: Hamparian,Don; Zavar,Jason; Shibboleth
> Cc: 
> Subject: OCLC and InCommon Library Services Collaboration 
>   
> 
> Don, Jason, et al. 
> 
> I am writing you on behalf of the InCommon Library Services Collaboration.
> 
> We represent a group of research libraries who are working to expand
> the use of Shibboleth among members of the InCommon federation. As
> part of that effort, we are gathering information from vendors about
> how they have implemented Shibboleth. By making this information 
> more accessible, we hope to make it easier for libraries to use the
> technology. We also would like to help develop common practices 
> among vendors that would simplify the implementation process for 
> everyone involved and make Shibboleth an attractive option for users.
> 
> We think that expanding the use of Shibboleth will help you in various
ways: 
> 
>   1. Provide a more secure means of access than IP authentication.
>   2. Provide better tools for identifying who is responsible
when 
> breaches occur. 
>   3. Make it possible for users to take advantage of personalized
> features on a site without requiring them to open a local account
> maintained by the vendor. 
>   4. Help to start moving away from IP-based authentication and
the 
> overhead it requires. 
> 
> We ask that you answer the following questions, as they relate to
> your products and services: 
> 
>   1. What are the minimum attributes you require from an Identity
> Provider for basic Shibboleth authentication? 
>   2. What additional services, if any, do you provide through
> Shibboleth beyond basic login, for example, personalization. If you
> do provide additional services, what is required to enable them? 
>   3. Do you support "WAYFless" access, that is, access
that does not
> require a user to identify where they are from in order to reach his
> or her local authentication system? 
>   4. Do you support direct Shibboleth-authenticated links to
resources? 
>   5. Who should libraries contact if they want to set up Shibboleth
> access to your site or if they have questions or problems? 
> 
> We appreciate your willingness to help us in this effort. 
> 
> David Kennedy, Duke University 
> Adam Chandler, Cornell University 
> Andy Ingham, University of North Carolina, Chapel Hill 
> Jonathan Lavigne, Stanford University 
> Kent Percival, University of Guelph 
> Joy Veronneau, Cornell University 
> Jason Zavar, OCLC 
> Fred Zhang, Michigan State University 
> Foster Zhang, Johns Hopkins University 
> 
> [please send response email to ]
> 
> -----
> David Kennedy
> Systems Programmer
> Perkins Library, Duke University
> (919) 613-6831
>