Apologies for apparent silence thus far and for possibly now lighting the blue touch paper.
A note of caution - MIMAS (& other SPs) would *love* to receive quality assured attributes for the users of our services from IdPs.
For example, it would save us from asking the user to try and provide us with correctly formed email addresses, which we have to try to deal with when they fail - wastes so much time and the user gets irritated when alerts haven't appeared.
However, the Federation's 'rules' covering the transmission of the attributes, where they (conceivably) constitute personal data would require us to have an agreement in place with each IdP to clarify who would be liable if the wrong data was associated with an individual. Their recommendation is effectively for no SP to hold personal data supplied other than by the user. Square one.
Yourdan said something along the lines of 'the most elegant of designs are often bastardised by real world contraints' and here's a case in point IMHO.
Ross
--------------------------------------------
Ross MacIntyre T: +44(0)161-275-7181
MIMAS Service Manager F: +44(0)161-275-6071
Manchester Computing M: +44(0)778-095-6424
The University of Manchester
Oxford Road
Manchester M13 9PL U.K.
Email: [log in to unmask]
Skype: ross.macintyre
--------------------------------------------
________________________________________
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Nicole Harris
Sent: 11 April 2007 10:40
To: [log in to unmask]
Subject: Re: Athens resouces on the UK federation
Yes!
There is a good example of MIMAS doing this here: http://www.mimas.ac.uk/shibboleth/dissemination/Educause2006MacIntyre.ppt.
________________________________________
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Alistair Young
Sent: 11 April 2007 10:34
To: [log in to unmask]
Subject: Re: Athens resouces on the UK federation
thanks Nicole. Yes, look forward to the day the resources can be access natively via shibboleth.
That brings me back to my original question, before I confused everyone and myself with gateways.
The resources that currently require personal information to be entered manually. Will they make use of attributes for this purpose when they become proper citizens of the federation?
Alistair
--------------
mov eax,1
mov ebx,0
int 80h
On 11 Apr 2007, at 10:33, Nicole Harris wrote:
Hi Alistair
You are describing the Shibboleth - Athens Gateway, i.e. a Shibboleth Identity Provider accessing an Athens Resource (not the Athens - Shibboleth Gateway). The integration guide describing this is at: http://www.athensams.net/upload/athens/pdf/shib-athens-integration1.0.pdf. None of the Resource Providers will be aware of Shibboleth as they don't support Shib, they support Athens and JISC / Eduserv are providing the interoperability with the Federation.
Science Direct will shortly be available for direct Shibboleth - Shibboleth access (you won't need to use the gateways). For the other resources, I would suggest that you should report these errors to the Eduserv helpdesk: [log in to unmask]
The gateways only support limited attribute exchange so it will not be possible to pass all details via attributes whilst using this route so some data entry will be required. Direct access via the Federation will eventually take away this issue.
N.
________________________________________
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Alistair Young
Sent: 11 April 2007 10:13
To: [log in to unmask]
Subject: Re: Athens resouces on the UK federation
Hi Nicole,
We are having problems with the following resources. They are accessed via the Athens Shibboleth Gateway. i.e. Go to www.athens.ac.uk, choose My Athens, alternative login and authenticate at your IdP.
AFAIK the Athens Shibboleth Gateway only supports 2 attributes. eduPersonTargetedId and userRole. But the doc states 3 attributes that don't include userRole.
Are we talking about the same gateway?
ScienceDirect (displays login error page when connecting via the Athens Shibboleth Gateway, although you appear to logged in)
RefWorks (have replied saying they do not support Shibboleth, although they are listed in the resources when you access My Athens via the shibboleth gateway)
Biomedical Images (asks for personal information - no account linking between shibboleth and athens accounts). It's not a problem per se. Just that the users are asking why doesn't "know" about their "normal" athens account.
European Sources Online - (access denied when access through the athens shibboleth gateway)
Alistair
--------------
mov eax,1
mov ebx,0
int 80h
On 11 Apr 2007, at 10:06, Nicole Harris wrote:
Hi Alistair
It would be helpful if you could highlight the specific service in question
as I am struggling to see where you are having a problem.
Many thanks
Nicole
-----Original Message-----
From: Discussion list for Shibboleth developments
[mailto:[log in to unmask]] On Behalf Of Alistair Young
Sent: 10 April 2007 20:28
To: [log in to unmask]
Subject: Re: Athens resouces on the UK federation
Thanks Nicole,
The Athens Shibboleth Gateway supports the userRole attribute. This
carries your Athens permission set.
So this isn't propagated to providers. Ok. It's a way to "group" resource
access links in My Athens.
I wasn't aware the resource providers were members of the federation.
AFAIK the gateway uses completely different metadata from the federation?
However, there's still no way to get seamless access to a resource using
attributes alone. You still have to provide personal information. So the
ARP makes no real sense. It doesn't state up front the information you
must release to an SP to get access. Once you get there, the SP asks for
more information, outwith anything that is defined in your ARP.
Users are finding this confusing. They have always accessed these
resources using their Athens username/password. Now they access the same
resource but using Shibboleth and they are treated as a new user by the
resource provider.
I can't see any way for providers to match up these two credentials to the
single account. So you end up re-creating all your alerts/settings that
you've set up with your normal athens account. You have to do it all again
if you come in via shibboleth.
So presumably your eduPersonTargetedId must be constant for that resource
or your back to square one. Gives food for thought on what information at
an IdP to use to create that attribute.
Alistair
--
mov eax,1
mov ebx,0
int 80h
Hi Alistair
A couple of points of clarification - the Athens to Shibboleth Gateway
only
connects Athens users to Shibbolised / Federated resources that are
members
of the UK Federation. For more information about resources available via
this route please see the Federation website: www.ukfederation.org.uk
<http://www.ukfederation.org.uk/> . This may be why Service Providers who
claim to support shibboleth are not compliant with the gateways. If there
is a problem with any of the live resources in the Federation, please
report
this to the UK Federation helpdesk: [log in to unmask]
To answer the rest of your question, the Athens to Shibboleth Gateway
supports three attributes: eduPersonScopedAffiliation and two version of
eduPersonTargetedID. At present, no other attributes are supported via
the
Athens to Shibboleth Gateway. For more information please see:
http://www.athensams.net/upload/athens/pdf/athens-shib-integration1.0.pdf.
*Please note this is not the case for the Shibboleth to Athens Gateway*.
Federated access through the UK Federation with no intermediary (gateways,
outsourced IdPs etc.) recommends that four attributes should be made
available to Service Providers but supports other attributes being passed
in
the metadata. This is described in section 7.4 of the technical
recommendations for participants.
I hope this helps
Nicole
_____
From: Discussion list for Shibboleth developments
[mailto:[log in to unmask]] On Behalf Of Alistair Young
Sent: 10 April 2007 15:06
To: [log in to unmask]
Subject: Athens resouces on the UK federation
We're starting to see a lot of "issues" arise with resources behind the
Athens Shibboleth Gateway, such as resource providers who claim to support
Shibboleth but do not. Other resource providers who ask for personal
information once you've reached them via Shibboleth and others who just
don't know what's happening.
It seems the gateway carries out the Authn part while the Authz is left up
to the resource providers. However, they have no attributes on which to
base
authz so they ask for more information from the user. i.e. the user logs
in
to Athens via the gateway then fills in the blanks at the resource
provider.
Will this still be the case in the uk federation? Or will resource
providers
make more use of attributes to provide seamless access to their resources?
To be fair, resource providers have always asked for this extra
information
but as our users understand Shibboleth, that shouldn't have to happen any
more. Attributes are meant to be used to transport this information to the
resource provider.
Alistair
--------------
mov eax,1
mov ebx,0
int 80h
----------------------------------------------------------------------
Anything in this message which does not clearly relate to the official
work of the sender's organisation shall be understood as neither given
nor endorsed by that organisation.
----------------------------------------------------------------------
----------------------------------------------------------------------
Anything in this message which does not clearly relate to the official
work of the sender's organisation shall be understood as neither given
nor endorsed by that organisation.
----------------------------------------------------------------------
----------------------------------------------------------------------
Anything in this message which does not clearly relate to the official
work of the sender's organisation shall be understood as neither given
nor endorsed by that organisation.
----------------------------------------------------------------------
----------------------------------------------------------------------
Anything in this message which does not clearly relate to the official
work of the sender's organisation shall be understood as neither given
nor endorsed by that organisation.
----------------------------------------------------------------------
|