John
The user's prefix was retrieved by a specific call made by the Athens
agent, so no fix for AthensDA was required. However, as I implied in my
previous reply, upgrading the agent alone is not always sufficient. For
example, many publishers store the AMS' organisational identifier
(whether it's an Athens prefix, Athens org_ID or Federation scope) in
their own customer record database/entitlement system. Database changes
are rarely trivial, so changes from one organisational identifier format
to another are unlikely to happen quickly, and in the transition from
prefixes to org_IDs, Eduserv rarely heard about them until after their
completion.
re: the Gateways' specification, I don't feel at liberty to discuss that
in a public forum, but if Nicole wants to do so, she is probably in a
better position to. What I can say is that they were designed to meet
the Athens implementation standards, and the non-compliant services do
not meet these standards.
As for Eduserv's efforts in this area, we are continuing to engage with
suppliers of non-gateway compliant services (in the last few months I
have visited the offices of both Westlaw and Lexis-Nexis, and had
ongoing dialogue with them subsequently). However, we have no leverage
over when they will implement gateway compliance; the commercial
imperatives are unique to each supplier and they will make what they
consider to be the appropriate judgment according to the requirements of
their clients.
Regards
Phil Leahy
Product Manager
Eduserv Athens
access management
_____
tel: +44 (0)1225 474302
fax: +44 (0)1225 474332
http://www.eduserv.org.uk/athens/
_____
Eduserv Athens is a service of Eduserv Technologies Limited
-----Original Message-----
From: Discussion list for Shibboleth developments, On Behalf Of John Paschoud
Sent: Thursday 8 March 2007 09:23
Subject: Re: Anyone using Shibboleth for real? Non-Gateway-compliant resources
> The term 'Athens-compliant' makes no distinction between
> classic Athens and AthensDA. All Athens-protected services
> are accessible via either method, and the version of the
> Athens agent used by service providers has no bearing on this.
Thanks for the clarification (and reminder), Phil.
> The reasons as to why some resources do not work with the
> gateway were also posted to this list in February 2006, but
> in summary, while there were a few minor issues that affected
> individual service providers, the root cause of each of those
> was that they were using old versions of the Athens agent and
> hadn't upgraded when we originally advised them to. This
> meant that those service providers were/are prefix-checking
> Athens users, rather than replacing this authorisation check
> with one that reads the Athens organisation ID.
I was aware that it was something to do with service providers (and old
versions of the Athens agent) depending on the username-prefix (like
mine of "LSE12345678") to identify a user's home organisation. This
information is not, of course, necessarily contained in the usernames
that would be rendered by an AthensDA-enabled institution. Presumably,
Eduserv has either now persuaded all service providers to upgrade, or
has somehow 'fixed' this in the code of the AthensDA software. Can a
similar fix not be made to the Gateway software?
I'm afraid that I still don't have enough spare time to exhaustively
check the archives of this and other lists, in case there's an existing
answer. I have also not sought out the precise wording of the
specification via which JISC funded Eduserv to develop and operate the
Shibboleth-to-Athens Gateway, but I'm assuming that its intention was
to make *all* Athens-protected resources accessible to all users at
institutions that decide to join the UK Federation as identity-providers
earlier, rather than later, and to cease creating Athens usernames for
their users.
Please could you confirm what action Eduserv is taking to ensure that
the remaining Athens-protected resources work via the Gateway, and the
likely timetable for this to be achieved?
John