inc-librsvcs - Authorization in EZproxy policy manager
Subject: InCommon Library Services
- From: "Kent Percival" <>
- To: <>
- Subject: Authorization in EZproxy policy manager
- Date: Thu, 2 Apr 2009 16:32:05 -0400 (EDT)
Steve,

My interpretation of the points that you and Rich raise about Authorization comes from a conceptual model of the roles of components of federated access.

· The user’s home Identity Provider is responsible for the Authentication step using local credentials.

· The application Service Provider includes a policy manager responsible for Authorization. Besides authorizing the session, the policy manager may be queried by application components periodically for further authorization.

· In order to implement authorization policies, the policy manager has the Service Provider request data (attributes) from the Identity Provider – the release of that information is controlled by privacy policies in the Identity Provider.

I’m not questioning the current discussion, but reacting to other discussions I’ve had where the service supplier wants to push Authorization decisions back to the Identity Provider.

Rich is right … the Library can get out of the Authentication business but there needs to be an “authorization policy manager” function associated with the EZproxy side. When a user accesses a restricted URL, that policy manager would be consulted. To me, the “front-end” part of EZproxy that Steve describes is part of the policy manager. Is that where we need to focus the development?

....Kent