> > and a good reason for an institution to think long and hard
> > before deciding to use the Athens to Shibboleth gateway
>
> we don't. We use the Shibboleth to Athens gateway
Sorry, I misread that previously as Athens to Shibboleth.
Your case is even clearer unfortunately though.
> and we're trying to use the uk federation.
Directly from your Shibboleth IdP, yes?
> I thought the shibb to athens gateway was in the fed?
Unfortunately not. Eduserv collect their own metadata about IdPs that
sign up to use the Shibboleth to Athens gateway, which effectively
forms its own private Athens federation, distinct from the UK federation.
> The lockin is wrt the gateway.
Absolutely. From the perspective of (say) Digimap, when one of
your users logs in via the Shibboleth to Athens gateway, they are
logging in as an Athens user, using the Athens protocol stack,
just as if they were using a classic Athens account or AthensDA
(your Shibboleth IdP is acting here as an Athens local authentication
system, effectively an equivalent to the instiutional component of
AthensDA). No Shibboleth protocols are involved at the Athens DSP
(note, not Shibboleth SP) at all.
> We can't use the fed as all settings are tied to the gateway.
You can't use Athens and the federation indistinguishably, back and
forth, for personalised services.
> Accessing digimap via the federation has no real value over the gateway.
Both routes are available for the moment. It's up to you to decide
which option makes most sense for you.
> The users still use the same login creds but the gateway route
> has their settings.
That's right. So if you want to migrate users of personalised
applications from Athens to the federation, you will either need
to get the users to migrate their settings or persuade every one
of those service providers to implement account linking in their
applications (and then train the users to link the old and new
accounts).
> The fed route is empty and they have to start again and Edina are
> quite happy for them to start again but they're not.
"Happy" is perhaps too strong.
> I'm just frustrated by what seems like a lack of user support.
That's what I'm trying to do just now.
> The fed is being promoted as best practice for federated access
> management but those of us who took up the offer of the halfway
> house of the shibb to athens gateway are now in a bad place.
The Shibboleth to Athens gateway was usually presented only as a
transitional crutch to enable sites moving to federated access
to continue temporarily to access not-yet-Shibbolized Athens resources.
In any case it is not really a halfway house: a user of the Shibboleth
to Athens gateway is as much a 100% Athens user as someone with a
classic Athens account or AthensDA.
> As far as users are concerned, all that's changed is a URL.
Unfortunately you are in a position where you need to look at this
from an implementation perspective as well as the user perspective.
> IMHO middleware should never bleed this far into user land.
That is certainly an admirable goal.
Fiona.
|