InCommon Library Services

["David Kennedy" <>]

Steven,

Thank you for setting this up.  I am still uncomfortable with our group 
focusing so much on mod_auth_location as a solution.  I understand that one 
of our goals is to "sell" shibboleth to libraries.  And I understand that 
mod_auth_location helps with the IP address management problem, but it does 
so by degrading the user experience to less than what we have today.  I 
don't think that library administrators are going to get excited about this 
tradeoff.

On the other hand, our group has done some valuable work with ezproxy.  I 
think we should be promoting the hell out of this tool.

To be honest, I can't make a strong argument for selling shibboleth to 
libraries, except that it is the most elegant single sign on solution.  That 
was a strong enough argument for us to implement shibboleth.  But, I do not 
see shibboleth as a complete access management solution for online 
resources.  Ezproxy already does a better job than shibboleth can do on its 
own.

Dave

----------------------
David Kennedy
Applications Developer
USMAI Libraries
McKeldin Library
College Park, MD 20742

(301) 405-9051
(301) 314-9865 (fax)
----- Original Message ----- 
From: <>
To: <>
Sent: Tuesday, October 30, 2007 11:17 AM
Subject: [inc-librsvcs] sample use of mod_auth_location


> OK, this is *really really* crude..... but I hope that (for now) its 
> enough to give people a sense of what this would look like.... in the real 
> world, this would be configured to protect EBSCO, or some other 
> provider....
>
> To try it, go here:
>
> https://sp.testshib.org/
>
> paste this string into the text box:
> https://stc-test2.cis.brown.edu/shibboleth/testshib/idp
>
> and hit enter....
>
> You should see a page saying:
>
> > Be guest
> >
> > Be yourself
>
> (I told you its *extremely* crude, didn't I?  ;-)  ).
>
> If you click "Be guest", you'll be taken to a page that dumps out all of 
> the received attributes. Look for "Shib-EP-PrincipalName is: 
> ". That's the userid that's used for guests (note 
> that the browser user *never* enters this value.)
>
> If you click "Be yourself", you'll be presented with a Basic 
> Authentication login dialog -- type in Test_User017 (pass = elsevier1 ). 
> This time, you'll see "Shib-EP-PrincipalName is: ".
>
> NOTE: a site can configure the Be guest/Be yourself page to match local 
> standards; for this initial demo, I'm using the default page (which, 
> clearly, is extremely simple).
>
> So, how does this work? I've added these lines to my apache config fle:
>
> > ## AuthLocationDefineLocation cox       68.9.253.1-206
> > AuthLocationDefineLocation cox          *.*.*.*
> >
> > AuthLocationDefineApplication testshib 
> > providerId=https%3A%2F%2Fsp.testshib.org QS
> > ## AuthLocationRequireAnonymous testshib cox Test_User016
> > AuthLocationPermitAnonymous testshib cox Test_User016
>
> the AuthLocationDefineLocation directive associates a label ("cox") with a 
> browser IP address (I was initially testing from home; I've now changed it 
> to match any address on the internet)
>
> the AuthLocationDefineApplication directive associates a label 
> ("testshib") with a string that will be found somewhere in the incoming 
> url.
>
> the AuthLocationRequireAnonymous directive (commented out) says "browsers 
> coming from location cox and accessing application testshib should ALWAYS 
> be automatically authenticated as Test_User016".
>
> The AuthLocationPermitAnonymous directive (currently in use) says "ask the 
> user whether they want to be a guest or themselves; if they want to be a 
> guest, automatically authenticate them as Test_User016".
>
> So, how does this really work? The browser user is trying to access a 
> Shib-enabled Service Provider. In this case, it happens to be a test site. 
> However, it could just as easily be Elsevier or EBSCO (except I don't want 
> to open those sites up to *everyone* on the Internet!). This test SP 
> redirects me back to my IdP (you pasted the identifier for that IdP into 
> that web page). You arrive at my test IdP with this url:
>
> https://stc-test2.cis.brown.edu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.testshib.org%2FShibboleth.sso%2FSAML%2FPOST&time=1193756793&target=cookie&providerId=https%3A%2F%2Fsp.testshib.org%2Fshibboleth%2Ftestshib%2Fsp
>
> one of the parameters on this url tells my IdP where to redirect me after 
> I've authenticated. I've configured mod_auth_location to pattern match 
> against this url string. It matches this value -- 
> "providerId=https%3A%2F%2Fsp.testshib.org" -- and pops up the "Be guest/Be 
> yourself" page.
>
> Is this what people expected?
>
> And yes, once there's consensus that this approach could work for 
> campuses, we can make a somewhat prettier demo!