inc-librsvcs - Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth
Subject: InCommon Library Services
List archive
- From: Rich Wenger <>
- To:
- Cc: inc-librsvcs <>
- Subject: Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth
- Date: Thu, 02 Apr 2009 16:51:03 -0400
wrote:
I think of EZP as having two parts: a front-end and a proxy.One function that complicates this scenario a bit is when EZP is being used to automate logins. We still have some
The front-end includes this sequence of steps:
-- a way to configure whether the destination is shib-enabled or not. If the destination is shib-enabled, the user is forwarded there directly, bypassing the proxy.
-- if the browser user is coming from an on-campus network, they are forwarded directly to the destination.
-- if the browser user is coming from off-campus, they are redirected to the proxy.
benighted vendors who insist on using a single user and password for all access to their content. For many years we
simply displayed a page that listed the id and password, a message asking the patron not to tell anybody, and a
'Continue' button. It would be simpler and as secure to post the credentials on our public web page.
I have been migrating as many of those as possible into EZP and using FormVariable and Find/Replace
directives to perform the login wherever possible. This function needs to be driven for everyone, but after the login
there is no need to continue proxying the session. I have yet to find adequate documentation for these directives
and their interaction with other directives.
In addition, the front-end includes some sort of authorization mechanism. The site manager can define groups within EZP (can the groups be defined in ldap?), and can then create rules such as "only members of Group X can access Resource Y". I'm not sure where the authZ processing occurs in the sequence of front end processing.The difficulty with this is the need to maintain static lists of all authorized people, an impossible job because of the
large numbers of patrons and the frequent changes. I think we need the inverse; a way to confirm dynamically whether
or not the current patron is authorized, and to indicate success or failure to EZP for subsequent appropriate action.
Rich Wenger
- a model for integrating EZProxy and Shibboleth, Steven_Carmody, 04/02/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, Rich Wenger, 04/02/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, David Kennedy, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, John M. Kiser, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, Steven_Carmody, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, David Kennedy, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, Steven_Carmody, 04/03/2009
- Message not available
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, Steven_Carmody, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, Paul B. Hill, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, Tobias J Kreidl, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, David Kennedy, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, Paul B. Hill, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, Paul B. Hill, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, Steven_Carmody, 04/03/2009
Archive powered by MHonArc 2.6.16.