> Ovid asked us to specify "The Authentication attributes that you
will use" and "The Value for the attribute"
That's interesting. We only release eduPersonScopedAffiliation to Ovid
with a value of "member".
We have much finer grained access requirements, which we're exploring
with InfoTrac, who seem to know what they're doing wrt attribute
based access. In the past, we could granularise resources using Athens
permission sets, populated via attributes from the IdP but now we have
to negotiate with suppliers for the same functionality. We also need
to assert using multiple scopes. It'll be interesting.
On the whole, at the moment, it seems that "have ePTID and ePSA, will
travel".
Alistair
On 7 May 2008, at 11:20, Jon Warbrick wrote:
> Could anyone making significant use of direct Shib access to library-
> style electronic resources (i.e. not via the Shib->Athens gateway)
> provide some feedback about what authorisation arrangements the
> various providers are requiring or assuming in practice?
>
> Looking at the few such resources that are currently being used from
> Cambridge I think I see the following (though this is partly
> guesswork):
>
> Science Direct:
> access granted based on the entityID of our IdP and so
> to anyone our IdP will authenticate (see [1], note 6 -
> still current?)
>
> Digimap & Film and Sound Online:
> access granted to anyone with an ePSA value of
> [log in to unmask] Film & Sound grants additional access to
> people with a particular ePE value.
>
> ProQuest:
> access apparently being granted - no idea on what basis.
>
> In addition, Ovid asked us to specify "The Authentication attributes
> that you will use" and "The Value for the attribute". This suggests
> that they at least expect us to release a custom attribute, perhaps
> a ePE, asserting entitlement to at least their resources.
>
> I ask because I'm trying to anticipate what we will need for more
> widespread Shib deployment and it would help to know what suppliers
> are currently expecting. Are they explicitly saying that they are
> happy with an ePSA of [log in to unmask] (despite the woolliness of
> its definition)? Are they tacitly accepting an ePSA of [log in to unmask]
> despite it not matching their licences? Do any expect custom
> ePEs? Do many follow the Ovid route and expect us to nominate an
> attribute name and corresponding value?
>
> Cambridge being Cambridge, neither the set of people who our IdP
> will authenticate nor the set of people who get [log in to unmask]
> are a very good match for the set of people who are granted 'off
> campus' access by our various electronic resource licences,
> especially at the edges. I'm worried that 'bending' either to more
> closely match the library use case will eventually become a problem
> when/if Shib gets deployed for other purposes.
>
> For our use of the Shib->Athens gateway we already have a set of
> rules, involving centrally provided MIS data and manual overrides
> administered by our library, that decide who gets the attributes
> needed to grant them access to our various Athens permission sets.
> I'm considering creating a general-purpose ePE value (and
> common-lib-terms [2] seems like a good candidate) based on these rules that
> could then be released to Ovid-style providers and which would cover
> entitlement to the majority of our resources. Anyone else doing that?
>
> Jon.
>
> [1] http://www.ukfederation.org.uk/content/Documents/AttributeUsage
> [2] http://middleware.internet2.edu/urn-mace/urn-mace-dir-entitlement.html
>
> --
> Jon Warbrick
> Web/News Development, Computing Service, University of Cambridge
--------------
mov eax,1
mov ebx,0
int 80h
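The two mechanisms the thread compares, an IdP deriving a general-purpose eduPersonEntitlement (common-lib-terms) from MIS data plus library overrides, and a provider authorising on either that ePE or an eduPersonScopedAffiliation of "member" in a licensed scope, as an added example that is not from either poster or from any Shibboleth component. The scope `example.ac.uk`, the person records, the override table and the `mis_status` field are all constructed for illustration; only the common-lib-terms URN is the real value cited in the thread.

```python
"""Added example: IdP-side entitlement derivation and SP-side attribute
authorisation for library resources. Not Shibboleth code; the records,
scope and policy rules are constructed stand-ins for MIS data."""

from dataclasses import dataclass

# The real URN referenced in the thread ([2]); everything else is made up.
COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"
SCOPE = "example.ac.uk"  # constructed placeholder for the institution's scope


@dataclass(frozen=True)
class Person:
    uid: str
    affiliations: frozenset  # e.g. {"member", "student"} (affiliation values)
    mis_status: str          # constructed: "current", "retired", "visitor", ...


# ---- IdP side: who gets the library entitlement -------------------------

def library_entitled(person, overrides):
    """Central rule with library-administered overrides.

    `overrides` maps uid -> bool and wins over the MIS-derived rule, which
    mirrors the 'centrally provided data plus manual overrides' arrangement.
    """
    if person.uid in overrides:
        return overrides[person.uid]
    return person.mis_status == "current" and "member" in person.affiliations


def release_attributes(person, overrides, scope=SCOPE):
    """Build the attribute set an IdP would release to a library provider."""
    attrs = {}
    if person.affiliations:
        attrs["eduPersonScopedAffiliation"] = sorted(
            f"{a}@{scope}" for a in person.affiliations
        )
    if library_entitled(person, overrides):
        attrs["eduPersonEntitlement"] = [COMMON_LIB_TERMS]
    return attrs


# ---- SP side: the provider's access decision -----------------------------

def authorise(attrs, licensed_scopes, required_entitlement=None):
    """Return True if the asserted attributes satisfy the provider's policy.

    Ovid-style providers match a nominated attribute/value exactly (ePE);
    Digimap-style providers accept member@<scope>. The scope is checked
    against the SP's licensed list; a production SP additionally verifies
    that the IdP is permitted to assert that scope via its metadata.
    """
    if required_entitlement is not None:
        return required_entitlement in attrs.get("eduPersonEntitlement", [])
    for value in attrs.get("eduPersonScopedAffiliation", []):
        affiliation, sep, scope = value.rpartition("@")
        if not sep:
            continue  # unscoped value: never trust it for scope-based licensing
        if affiliation == "member" and scope.lower() in licensed_scopes:
            return True
    return False


if __name__ == "__main__":
    overrides = {"carol": True, "dave": False}  # constructed library overrides
    for p in (
        Person("alice", frozenset({"member", "staff"}), "current"),
        Person("bob", frozenset({"affiliate"}), "visitor"),
        Person("carol", frozenset({"member"}), "retired"),
        Person("dave", frozenset({"member", "student"}), "current"),
    ):
        released = release_attributes(p, overrides)
        print(p.uid, released,
              "ePSA:", authorise(released, {SCOPE}),
              "ePE:", authorise(released, {SCOPE}, COMMON_LIB_TERMS))
```

The two decision paths differ in exactly the way the thread worries about: the ePSA path admits anyone the IdP calls a "member", while the ePE path admits only those the IdP's library rules (including manual overrides in both directions) chose to entitle, so the provider cannot tell the two populations apart unless the IdP releases the more specific attribute.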