
inc-librsvcs - RE: [inc-librsvcs] Authentication plus authorization in EZproxy

Subject: InCommon Library Services

  • From: Foster Zhang <>
  • To: "Paul B. Hill" <>, David Kennedy <>
  • Cc: Rich Wenger <>, inc-librsvcs <>
  • Subject: RE: [inc-librsvcs] Authentication plus authorization in EZproxy
  • Date: Thu, 2 Apr 2009 21:25:25 -0400
  • Accept-language: en-US

We have mapped a user attribute (primary campus) from the identity provider to
ezproxy group membership, and it worked fairly well for us.

Example in shib.usr file:
---
Test -re urn:mace:dir:attribute-def:eduPersonPrimaryCampus .*Bayview.*; Group +BAYVIEW CAMPUS
Test -re urn:mace:dir:attribute-def:eduPersonPrimaryCampus .*Columbia.*; Group +COLUMBIA CENTER
Test -re urn:mace:dir:attribute-def:eduPersonPrimaryCampus .*Downtown.*; Group +DOWNTOWN CENTER
Test urn:mace:dir:attribute-def:eduPersonPrincipalName -scope johnshopkins.edu fzhang14; Admin
MapUser urn:mace:dir:attribute-def:uid
---
Foster Zhang
JHU
-----Original Message-----
From: Paul B. Hill []
Sent: Thursday, April 02, 2009 6:48 PM
To: David Kennedy
Cc: Rich Wenger; inc-librsvcs
Subject: Re: [inc-librsvcs] Authentication plus authorization in EZproxy


> EZproxy, as a Shibboleth service provider, can consume user attributes
> that are supplied by the identity provider. And it can use those user
> attributes to assign users (or user sessions) to ezproxy "Groups".
>

In our case the authorization management cannot be determined directly
via the attributes released by the identity provider. As I understand
the current MIT EZproxy deployment, once the authentication has been
done Rich's system calls a SOAP web service to retrieve the
authorization information for the user.

Paul Hill
MIT Information Services and Technology
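
The campus-to-group rules from the shib.usr excerpt above, modeled in Python as an added example (not part of the original messages and not EZproxy's own evaluation logic) to check which sample users would land in zero or several groups before such rules go live. It assumes `Test -re` behaves as an unanchored, case-sensitive regex search; `assign_groups`, `audit` and the sample attribute values are hypothetical.

```python
import re

CAMPUS_ATTR = "urn:mace:dir:attribute-def:eduPersonPrimaryCampus"

# (attribute, regex, group) triples transcribed from the shib.usr excerpt.
# Assumption: "Test -re" is an unanchored, case-sensitive regex search.
RULES = [
    (CAMPUS_ATTR, r".*Bayview.*", "BAYVIEW CAMPUS"),
    (CAMPUS_ATTR, r".*Columbia.*", "COLUMBIA CENTER"),
    (CAMPUS_ATTR, r".*Downtown.*", "DOWNTOWN CENTER"),
]

def assign_groups(attributes, rules=RULES):
    """Return every group whose rule matches any released attribute value."""
    groups = set()
    for attr, pattern, group in rules:
        values = attributes.get(attr, [])
        if isinstance(values, str):  # tolerate single-valued attributes
            values = [values]
        if any(re.search(pattern, v) for v in values):
            groups.add(group)
    return groups

def audit(samples, rules=RULES):
    """Map each sample user with zero or multiple groups to its sorted groups."""
    findings = {}
    for user, attrs in samples.items():
        groups = assign_groups(attrs, rules)
        if len(groups) != 1:
            findings[user] = sorted(groups)
    return findings

# Constructed sample attribute sets, not real IdP output.
SAMPLES = {
    "alice": {CAMPUS_ATTR: ["Bayview Medical Center"]},
    "bob": {CAMPUS_ATTR: "Columbia Center"},
    # Substring patterns match anywhere in the value, so two rules fire.
    "carol": {CAMPUS_ATTR: ["Downtown Center (formerly Columbia)"]},
    # The IdP released no campus attribute, so no rule fires.
    "dave": {},
}

if __name__ == "__main__":
    for user, groups in audit(SAMPLES).items():
        print(user, "->", groups or "no group assigned")
```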


