inc-librsvcs - Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth
Subject: InCommon Library Services
List archive
- From: Tobias J Kreidl <>
- To: inc-librsvcs <>
- Subject: Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth
- Date: Fri, 3 Apr 2009 08:45:34 -0700
That's where a VPN can come in handy. You can restrict who comes in
from a specific IP address before you even hit the proxy server and
depending on the IP addresses of the VPN, you can branch in EZProxy
accordingly. Furthermore, there's no reason not to run multiple
instances of EZproxy, each configured to proxy differently, based on
different originating IP address rules.
We have the same issue with mobile devices and email access. At some
point, you have to give up and decide you either let everyone in from
such a network or conversely, everyone coming in from, say Verizon, has
to authenticate before going and further because you have no simple way
of knowing who they really are and where their connections originate.
--Tobias
Paul B. Hill wrote:
>> 3) if the user is coming from a specified set of IP address ranges, send
>> the user directly to the resource
>>
>
> From what I have heard, correctly configuring EZProxy for that case can
> actually be problematic.
>
> One of my co-workers recently pointed out the following problem. His
> town library uses EZProxy, as does MIT. His town library system prompts
> him for his library card number. From home, via the town library, he
> gets access to some material that MIT does not license. When he is on
> campus, he goes to the town library URL and enters his library card
> number. However, he ends up with the same access that he would have if
> he had started off at the MIT Library site. In other words, while on
> campus there are actually some resources that he cannot access.
>
> From home, he can access all of the resources that MIT provides access
> to, because he authenticates to the MIT Library system using a certificate.
>
> An increasing number of people in our campus populations use mobile
> devices that have wide area networking enabled, and hence are using an
> external carrier such as AT&T or Verizon. At what point do we say that
> access policy based on an IP address range is a waste of time and
> resources?
>
> Paul
>
>
- a model for integrating EZProxy and Shibboleth, Steven_Carmody, 04/02/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, Rich Wenger, 04/02/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, David Kennedy, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, John M. Kiser, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, Steven_Carmody, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, David Kennedy, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, Steven_Carmody, 04/03/2009
- Message not available
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, Steven_Carmody, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, Paul B. Hill, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, Tobias J Kreidl, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, David Kennedy, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, Paul B. Hill, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, Paul B. Hill, 04/03/2009
- Re: [inc-librsvcs] a model for integrating EZProxy and Shibboleth, Steven_Carmody, 04/03/2009
Archive powered by MHonArc 2.6.16.