InCommon Library Services

[Dean Woodbeck <>]

InCommon Library Services Working Group
Draft Minutes
May 4, 2007
 
Steven Carmody, Brown University (chair)
Joy Veronneau, Cornell University
Adam Chandler, Cornell University
Janis Mathewson, Penn State University
Lynn Garrison, Penn State University
Mairead Martin, Penn State University
Dave Kennedy, University of Maryland
Renee Shuey, Penn State University
Tod Olson, University of Chicago
Tom Barton, University of Chicago
Declan Fleming, University of California-San Diego
Matt Elder, University of California-San Diego
Harold Colson, University of California-San Diego
Holly Eggleston, University of California-San Diego
Ann West, Internet2
Dean Woodbeck, Internet2 (scribe)
 
**Action Items**
 
[AI] Steve Carmody will put a diagram and text on the wiki demonstrating the process used in a multi-federation world to get a user through a WAYF and one to a vendor site.

[AI] RL "Bob" Morgan will provide a short description of how the University of Washington library public access terminals handle walk-in users vs. those with UWNet IDs. He will place that on the wiki, along with a URL for the ID screen that users see.

**Holdover Action Items**

[AI] Adam from Cornell will keep a log of his experience as they implement EasyProxy and Shib.

[AI] Dave from Maryland will prepare a summary of his experience with EasyProxy/Shib.
 
**InCommon and Potential Service Providers**
 
The call started with a question about whether InCommon is taking any steps to attract vendors that are on the Athens list but have not joined InCommon. Given InCommon’s current self-definition, the federation will not take steps to contact these vendors. It is up to campus identity providers (IdPs) to sponsor potential service providers (SPs) for InCommon participation. It was suggested that this group might ask InCommon about whether that role should change. There may be some value in having InCommon provide an organized way to approach potential SPs.
 
It may also be useful to identify and approach vendors that have implemented Shibboleth for other federations (such as UK or Germany, for example). Once a vendor has implemented Shib, it is a very easy process for them to federate with InCommon.
 
Steve Carmody mentioned that the UK federation has hired Jane Charleton to contact and visit vendors to make the business case for federating. He and Ann West have talked with her and will coordinate efforts, as appropriate.
 
**EZproxy**
 
Note: wiki address: https://spaces.internet2.edu/display/inclibrary/
 
EZproxy works by dynamically altering the URLs within the web pages provided by the database vendor. The server names within the URLs of these web pages are changed to reflect the EZproxy server instead, causing your users to return to the EZproxy server as they access links on these web pages.
 
Tod Olson and Tom Barton have posted a document on the wiki describing how Chicago uses EZproxy. There was a general discussion about whether EZproxy and Shibboleth can work together for single sign-on with different vendors during the same user session. This would mean that users would not need to go through a WAYF process multiple times if they are going to the sites of different vendors.
 
The typical flow might be:

1. User goes to a library navigation page and clicks on ScienceDirect
2. User taken to EZproxy, which determines that Science Direct is Shib-enabled
3. User taken to Science Direct site with enough attribute info that Science Direct will open a session without an authentication process

 
As an alternate, what if the user goes through this process to get to Vendor A and they now want to visit Vendor B? Will they need to authenticate again? In a perfect world, the user would not need to authenticate again. Some proxies that use Shibboleth code will allow this to happen. But in a multi-federation world, multiple authentications may take place, depending on the federation being used and the IdP and SP involved. Steve will post a diagram and text on the wiki demonstrating how it works (https://spaces.internet2.edu/display/inclibrary)
 
Several institutions on the conference call have experience with EZproxy and find that is minimal maintenance each month. The EZproxy method of altering URLs can make things difficult for people who populate pages with direct URLs and also for journal web citations. Chicago has created an applet that will route such pages through the EZproxy server when the user is off-campus.
 
Adam mentioned that ProQuest has worked with students and found that students generally don’t understand how proxies work, so many end up going outside of the library’s resources to write their papers.
 
There was a general conversation about how people are accessing resources. More and more, university faculty, staff and students are not physically in the library when they want to use the resources – they may be at home or in a university office. If someone wants to access JStore directly from home, for example, they will go through a WAYF because they are not arriving at JStore through the university. If they are already logged in with their university ID, however, they should not need to authenticate again. 
 
 
**Library Walk-ins**
 
Many campuses, especially public universities, allow community members to use their facilities and resources. Some schools have a set of public access terminals to provide anyone with access to licensed resources. In other cases, users receive an ID and password and the library staff changes the password daily. A third scenario is a walk-in with an ID from a vendor or with a campus ID.
 
Most on the call agreed that they would like one access system, rather than maintaining a Shib installation and an IP based proxy system, for example. Jim Fox at the University of Washington developed a plug-in to Apache that is fed with a set of IP addresses. If a browser comes in from that range, the user is authenticated. There was a discussion of using this method with public access terminals and associate a set of attributes with a generic ID. However, there must also be a way for people to log in with their own IDs, if they are a member of the university community.
 
Bob Morgan said that the University of Washington had a debate about whether this generic ID concept should always be the case on a public terminal. Right now, someone with a UW Net ID can log in with their own ID. [AI] He will put a short description of the UW process on the wiki.
 
**Next phone call** is Friday, May 18, at 12:30 p.m. (EDT)