
inc-librsvcs - Draft Minutes, Conference Call, 2007-May-18

Subject: InCommon Library Services

  • From: Dean Woodbeck <>
  • To:
  • Subject: Draft Minutes, Conference Call, 2007-May-18
  • Date: Mon, 21 May 2007 11:49:36 -0400
  • Organization: Internet2

Here is a draft of minutes for the May 18 conference call. Please send any changes to me at .

--Dean



InCommon Library Services Working Group
Draft Minutes
May 18, 2007

 
Steven Carmody, Brown University (chair)
Tod Olson, University of Chicago
Lisa German, Penn State University
Gabe Lawrence, University of California-San Diego
Luc Declerck, University of California-San Diego
Janis Mathewson, Penn State University
Dave Kennedy, University of Maryland
Tom Barton, University of Chicago
Renee Shuey, Penn State University
Laura Ruble, University of Maryland
Joy Veronneau, Cornell
Adam Chandler, Cornell
Holly Eggleston, University of California-San Diego
Ann West, Internet2
Renee Frost, Internet2
Dean Woodbeck, Internet2
 
**Action Items**
 
[AI] {Steve Carmody} will follow up with Bob Morgan on the AI from last call: [AI] {RL "Bob" Morgan} will provide a short description of how the University of Washington library public access terminals handle walk-in users vs. those with UWNet IDs. He will place that on the wiki, along with a URL for the ID screen that users see.

[AI] {Luc Declerck} will search for the list of library vendors that were apparently not able to use EZProxy in their dealings with the University of California (this is a couple of years old). If/when he finds it, he will post to the email list.

[AI] {Steve Carmody} will set up a call with the EZProxy developer, Chris, to discuss features for the next version. Dave Kennedy, Tom Barton, Lynn Garrison (possibly) and Tod Olson will be on the call. Steve will post a note to the email list inviting others to join the call.

[AI] {Steve Carmody} will clean up information on the wiki and send a note to the list when finished.



**Discussion of Walk-in Library Users**
 
There was a discussion about whether the focus on walk-in users should be a priority. The rationale is that SPs supporting Shibboleth will also continue to support IP authorization, since not all IdPs will be Shib-enabled. Shibbolizing the entire library community will take some time. Shib will allow better access to remote users, but IP authorization can continue to support on-campus users.
 
However, many vendors are interested in micro-licensing – providing their resources to a sub-set of the university community (faculty from a certain college or school, for example). Offering this service requires a way to pass attributes, rather than just checking IP addresses. Faculty, staff and students using public access terminals at a library will also need to have attributes passed along in order to take advantage of micro-licenses or any personalization offered by an SP.
 
From a support standpoint, having only one method for authentication would mean fewer troubleshooting issues and fewer support and maintenance issues.
 
**Integration of EZProxy and Shibboleth**
 
Chicago, Maryland and Cornell have posted their campus experiences with integrating EZProxy and Shib on the wiki (https://spaces.internet2.edu/display/inclibrary/). A question was raised about whether some vendors are unable to work with EZProxy. Among the three institutions mentioned here, only one vendor has not been able to accommodate EZProxy and this vendor is working to resolve that situation. There is also very good support from the EZProxy web site and email list.
 
Luc Declerck thought the University of California had encountered a number of vendors a couple of years ago that were not able to accommodate EZProxy. Others on the call had not experienced any difficulties with vendor acceptance of EZProxy. [AI] {Luc} will look for that list and, if found, post it to the email list.
 
**SFX and EZProxy**
 
Steve Carmody reviewed the user flow for using SFX and EZProxy (this is posted on the wiki). He described a note from Scott Cantor, suggesting that EZProxy have the ability to redirect the user to a Session Initiator at the SP with parameters indicating the IdP and the deep link URL. This would bypass WAYF processing, return the browser user to the IdP for authentication, then direct the browser to the deep link. If the user has already established a session with Shibboleth, the user would see redirection, but would not need to do anything.
 
The Session Initiator is also used for “lazy sessions.” A user can enter as a guest and navigate through a site until hitting an area that is licensed. At that point, the SP would trigger Shibboleth inside the session, which is done with Session Initiator. The question is whether it would be useful for EZProxy to do this at the campus level. Chris Zagar is working on an update for EZProxy, due out this summer. If using a Session Initiator looks like a reasonable approach, this group should talk with Chris about the upcoming EZProxy release.
 
Steve suggested inviting Chris Zagar to have a conversation with a subset of those on the phone call. Dave Kennedy, Tom Barton and Tod Olson expressed an interest and Renee Shuey said that Lynn Garrison from Penn State may also be interested. In addition [AI] {Steve Carmody} will send a note to the email list, letting others know of this opportunity. His goal is to start this conversation the week of May 21 and have closure before the next call.
 
**Managing Attribute Releases**
 
Steve reviewed that Shibboleth currently uses site-wide attribute release policy files to manage attribute release. Shib can also be configured to create files that apply to individual users. However, there are no GUI tools to edit these files. The upcoming Shib release will provide some GUI tools to manage site-wide files and a GUI tool to manage user and group attribute release policies. Examples of “groups” are departments, a set of researchers, research groups, or a subset of faculty and/or students (such as medical school or law school faculty).
 
It will be up to each campus to decide how widely to deploy these GUI tools. Examples of choices include providing access to a core set of IT/library people, to a trusted set of people in departments, or to the entire community. Campuses will also need to work with each licensed service provider to determine how to set and manage policies. IdPs will also need to determine which attributes to release to different SPs, and which attributes (if any) users are allowed to release to different SPs.
 
Gabe Lawrence reported that UCSD is currently working on tools within Shibboleth to manage some of these attribute release questions. As an example, the library will be able to create and manage the release policies for library-related SP resources. Through a user interface, for example, someone can define the attributes provided to Science Direct.
 
Renee Shuey said that, at the start of their library/Shib project, Penn State will continue to manage attribute release centrally. That is also the situation at the University of Chicago. Once the pilot has operated for a while, Penn State may look at deploying some attribute management tools to others.
 
Steve said he has talked with all of the Shib-enabled library vendors and implementation teams, as well as to many who are still in the development stage. Just about all of them are using what he terms the “standard US license,” meaning licensed resources are available to faculty, staff, students and library walk-ins. There are some situations where a college or professional school has licensed additional material for members of some group.
 
There is some variation on how these subgroups are defined. At some universities, they may have to be physically in the building. At others, being a faculty member or student within that subgroup may be sufficient.
 
Steve also said that most of the SPs are interested in a “targeted ID” attribute, which would be a persistent but opaque identifier. SPs would know that the person with this particular targeted ID has been to the site before, but would not know the true identity of the user. In this way, the SP can provide added value, such as a personalized portal or entry point, or allowing the user to save searches or results from one session to the next. The SP would also determine the number of unique users visiting its site and gather usage pattern information. They could also provide the opportunity for a user to provide an email address to receive information, such as a periodic newsletter.
 
A discussion of privacy concerns ensued. While universities may try to protect identities and anonymize users, many people will fill out any form that they encounter. IT security people need to balance privacy concerns with attribute releases that will enhance a user’s experience by providing personalization or value-added content.
 
Steve reported that western European federations have strong privacy requirements and continue to have a widespread adoption of Shibboleth. The Shib developers have received requests to include a web page in Shib 2.0 that provides a user with a checklist of attributes that can be released and allowing the user to make that authorization. A user could choose to release #1, #2 and #3, but not #4, #5, and #6, for example. There is a range of opinions on the trade-offs of functionality vs. privacy. Each individual has a different level of comfort. The Shib project aims at providing the tools and allowing campus IT staffs to make those decisions.
 
The likely roll-out of these tools would be to initially allow access to central IT staffs only. After the campus has some experience, the tools may be made available to some trusted groups, such as sysadmins within departments. Following that, campuses may deploy tools on a wider basis, depending on their experience and need.
 
Steve also reported that the Shib project has a limited license for Blackboard’s learning management system to help with development of the next version of Shibboleth. Georgetown University will participate in a pilot project, adding more dynamic support between Shib and Blackboard.
 
Based on the conversations today, [AI] {Steve} will clean up the wiki page and send a note to the email list when that is completed.
 
**Next phone call** is Friday, June 1, at 12:30 p.m. (EDT)


