Hi, Keith. Thanks for today's program. I just want to reiterate my
interest in an overview diagram for the Wisc Federation - especially in
regard to a local authentication server's interaction with the
attribute server for a given web service. Also, I'm curious as to how
you handle the possibility of duplicate identities, i.e. a staff or
student that has different logins for different campuses but needs
access to their complete set of 'central' data.
Joseph Giroux
Calif. Comm. Colleges
On 3/17/2010 11:50 AM, Keith Hazelton wrote:
The MONK Project provides access to a large corpus of
digitized texts for faculty, staff and students of CIC institutions.
All CIC institutions have become InCommon members, so each CIC campus
Shib IdP can provide access to MONK's Shibbed online system.
This document is the introduction to the terms of service sent
to the CIC member institution librarians.
_______________________
Begin forwarded message:
From: "Michael A. Grady" <>
Date: January 12, 2010 11:40:50 CST
To:
Subject: Fwd: Arranging for access to the MONK tools for your campus
Reply-To: "Michael A. Grady" <>
FYI, I just sent the following note to the mailing list that
was created for the Library representatives identified to be "local
champions/advocates" for MONK.
Begin forwarded message:
From: "Michael A. Grady" <>
Date: January 12, 2010 11:13:07 AM CST
To:
Subject: Arranging for access to the MONK tools for your campus
I understand that there has been some
confusion about exactly what you are being asked to do as far as
helping to arrange for access to the MONK tools for your campus, and
exactly what needs to happen to do so. I'd like to at least try to
start clearing up that confusion, and also see if this group would find
it useful to have a phone call conference with me to answer any and all
questions.
Access to the CIC-targeted MONK service is
being controlled through the use of Shibboleth. MONK has been
configured to allow any current faculty, staff or student at any of the
CIC institutions to be allowed access to the CIC Monk service. So, in
order for MONK to make an appropriate authorization decision, it needs
to know if the "person on the other end" is indeed faculty, staff or
student at one of the CIC institutions. And, in order to properly
manage user support and access to the MONK tools, MONK needs the user's
name and email address in addition to knowing that the person is
currently affiliated with one of the CIC schools.
But it is very important to understand that
Shibboleth delivers this information when and ONLY when a specific user
tries to access the CIC MONK service, and only at the moment they try
to access it. Yes, the MONK Workbench tools will create a "local
account" on the MONK server, linked to the user's federated identity,
the first time a given user accesses the MONK Workbench tools, but that
"local account" creation will occur dynamically -- only when a given
user accesses the Workbench for the first time. There is absolutely no
need for a "data dump" from each campus that identifies their eligible
individuals to use MONK -- avoiding things like that is exactly one
reason why Shibboleth was created in the first place.
So, to reiterate, the only way MONK wants
to get information on a user is if that user:
- actually chooses to try and get into the
CIC MONK service
- at the moment they do so
- and only thru the mechanism of Shibboleth
passing these attributes as part of their authentication
- and only after they have been given the
opportunity to view the "Terms, Conditions And Privacy Policy" for the
MONK service
So what exactly ARE we asking you to do? We
are asking that you work with your local CIC Identity Management (IdM)
representatives, the folks on your campus who are in charge of your
Shibboleth Identity Provider (IdP) service, to arrange for your
Shibboleth IdP to be configured to allow release of the necessary
attributes to the MONK service. And the reason we need your involvement
is that, at least at most of our campuses, the folks actually running
the Shib service that need to make the configuration change are NOT
authorized to do so unless someone convinces the "data owners" on your
campus to allow it. Those "data owners" typically being offices like
your HR office and your Registrar's office. Those data owners will
typically ask:
- "who on our campus would want to use this
service and why"
- how will any information released to this
service be used, protected and will it be kept private?
And the IdM folks on your campus need your
involvement to answer at least that first question for the data owners.
We hope the second question can be answered in a satisfactory way for
the "data owners" by making them aware of the following MONK page (that
will be made known to every user at least the first time they access
MONK, and always be available for perusal):
https://monk.library.illinois.edu/cic/public/terms/index.html
detailing the Terms, Conditions And Privacy
Policy under which the CIC-targeted MONK service is being operated by
the University of Illinois Library.
My plan is to follow up this note with an
email message sent to each "set of campus representatives", the
specific IdM reps and Library rep for each campus, basically
re-iterating what we/MONK are asking for and the specific attributes we
are asking for, and asking you to work together to get permission on
your campus for your local Shib IdP to be configured to release those
attributes.
Again, if this group thinks that a quick
conference call might help to make everything clearer for everyone, I'd
be happy to ask the CIC staff to arrange such for us.
p.s. Illinois and Iowa are already set for
MONK, so nothing more needs to be done regarding Shib IdP configuration
at those institutions.
--
Michael A. Grady
Executive Program Officer for
Cyberinfrastructure
Office of the CIO, University of Illinois
at Urbana-Champaign
2222 DCL, MC 256, 1304 W. Springfield Ave.,
Urbana, IL 61801
217.244.1253 phone, 217.244.4780 fax
--
Michael A. Grady
Executive Program Officer for Cyberinfrastructure
Office of the CIO, University of Illinois at Urbana-Champaign
2222 DCL, MC 256, 1304 W. Springfield Ave., Urbana, IL 61801
217.244.1253 phone, 217.244.4780 fax
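
An added sketch (not part of the original messages, and not MONK's code) of the access flow the forwarded note describes: eligibility is decided from attributes asserted at login, and a local account is created only on first access, after the terms are accepted. The attribute names (eduPersonScopedAffiliation, eduPersonPrincipalName, displayName, mail), the scopes, and the Workbench class are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed placeholders: scopes of participating campuses.
MEMBER_SCOPES = {"campus-a.example.edu", "campus-b.example.edu"}
ELIGIBLE_AFFILIATIONS = {"faculty", "staff", "student"}

# Constructed sample of what an IdP might assert for one login (assumed names).
SAMPLE_ATTRS = {
    "eduPersonScopedAffiliation": ["member@campus-a.example.edu",
                                   "student@campus-a.example.edu"],
    "eduPersonPrincipalName": ["alice@campus-a.example.edu"],
    "displayName": ["Alice Example"],
    "mail": ["alice@campus-a.example.edu"],
}

@dataclass
class LocalAccount:
    federated_id: str
    name: str
    email: str

@dataclass
class Workbench:
    accounts: dict = field(default_factory=dict)  # keyed by federated identity

    def is_eligible(self, attrs):
        """True if any asserted value is faculty/staff/student at a member scope."""
        for value in attrs.get("eduPersonScopedAffiliation", []):
            affiliation, _, scope = value.partition("@")
            if (affiliation.lower() in ELIGIBLE_AFFILIATIONS
                    and scope.lower() in MEMBER_SCOPES):
                return True
        return False

    def login(self, attrs, accepted_terms):
        """Handle one federated login; returns (status, account or None)."""
        # Affiliation is re-evaluated on every login, never from a stored list.
        if not self.is_eligible(attrs):
            return "denied", None
        fed_id = (attrs.get("eduPersonPrincipalName") or [None])[0]
        name = (attrs.get("displayName") or [None])[0]
        email = (attrs.get("mail") or [None])[0]
        if not (fed_id and name and email):
            # Typical when the campus IdP does not yet release these attributes.
            return "missing-attributes", None
        if fed_id in self.accounts:
            return "ok", self.accounts[fed_id]
        if not accepted_terms:
            return "terms-required", None  # nothing is stored before acceptance
        self.accounts[fed_id] = LocalAccount(fed_id, name, email)
        return "created", self.accounts[fed_id]
```

A login that arrives without name or email is reported separately from a denial, which is the symptom a campus would see before its IdP release policy has been changed.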