Bonnie,
(Apologies for tardy response.)
I'm all in favour of your attempts to make this more user-friendly.
We've not made use of RequestMap (AFAIA)
You should use the scoped-affiliation and keep a list of the institutions who are subscribed. Yes/No should be evident from the presence/absence on this 'Authorised users' list. You can then route to registration info page.
As far as we're aware, it is not, in general, possible to get the institution's full name from the UK federation metadata. (Maybe this could be confirmed/enhanced by someone in UK federation?) Which means we have had to derive and store something locally.
Happy to take any further questions off list.
Cheers,
Ross
-------------------------------------------
Ross MacIntyre T: +44(0)161-275-7181
Mimas Service Manager F: +44(0)161-275-0637
1.53 Devonshire House M: +44(0)778-095-6424
The University of Manchester
Oxford Road
Manchester M13 9QH U.K.
Email: [log in to unmask]
Skype: ross.macintyre
-------------------------------------------
-------- Original Message --------
Subject: RE: [Shib-Users] Any "best practices" around limiting the set of IdPs to which your SP/application provides service?
Date: Wed, 23 Sep 2009 12:41:12 +0100
From: B.Ferguson <[log in to unmask]>
Dear all
I have a related problem and wonder if you could help with the 'best practice' around this issue.
We are setting up a Shibboleth 2 SP for the British Cartoon Archive (www.cartoons.ac.uk) and we need to use Shibboleth authentication for high resolution images. We can only give access to 'signed up' users, which will be those from a subset of IdPs registered with the UK Access Management Federation.
If a user authenticates with Shibboleth, but their institution has not yet signed up with the Cartoon archive, we would like to give them a page about how to get their institution to register. This will be different than the error message they get when they fail to authenticate.
We would like Shibboleth to give 2 things to the web application (Drupal):
1. A yes/no response of whether the user is from a signed up institution
2. The name of the institution, so we can present a friendly error message (e.g. "The University of Kent has not yet registered to use images...")
I was thinking of using a RequestMap (https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMap) to restrict by institution, but am not sure how to return either the yes/no or institutional name from there, so we might be taking the wrong approach to this.
Any advice on this matter would be greatly appreciated.
Many thanks,
Bonnie
[snip]
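
The approach suggested in the reply above (scoped affiliation checked against a locally kept list of subscribed institutions, with institution names stored locally), as an added example that is not part of the original thread or of Shibboleth itself. It assumes the SP hands the attribute to the application as one string with multiple values separated by `;`; the scopes, institution names and route labels are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample data, maintained locally by the service.
AUTHORISED_SCOPES = {"subscribed.example.ac.uk"}  # the 'Authorised users' list
INSTITUTION_NAMES = {  # scope -> display name, stored locally
    "subscribed.example.ac.uk": "Subscribed Example University",
    "other.example.ac.uk": "Other Example University",
}

class Decision(NamedTuple):
    authorised: bool            # the yes/no answer for the application
    scope: Optional[str]
    institution: Optional[str]  # friendly name for the message
    route: str                  # hypothetical labels: content / register-info / error

def split_values(raw: Optional[str]) -> list:
    """Split a multi-valued attribute string: ';' separates values, '\\;' is a literal ';'."""
    parts = re.split(r"(?<!\\);", raw or "")
    return [p.replace("\\;", ";").strip() for p in parts if p.strip()]

def scopes_of(raw: Optional[str]) -> list:
    """Return the distinct, normalised scopes found in affiliation@scope values."""
    scopes = []
    for value in split_values(raw):
        affiliation, sep, scope = value.rpartition("@")
        scope = scope.lower().rstrip(".")
        if affiliation and sep and re.fullmatch(r"[a-z0-9.-]+", scope) and scope not in scopes:
            scopes.append(scope)
    return scopes

def decide(raw_affiliation: Optional[str]) -> Decision:
    """Map the scoped-affiliation attribute to a routing decision."""
    scopes = scopes_of(raw_affiliation)
    if not scopes:
        # Authenticated but no usable scope was released: generic error page.
        return Decision(False, None, None, "error")
    for scope in scopes:
        # Exact match only: a suffix or substring match would accept look-alike scopes.
        if scope in AUTHORISED_SCOPES:
            return Decision(True, scope, INSTITUTION_NAMES.get(scope, scope), "content")
    scope = scopes[0]
    # Not subscribed: show the registration page, falling back to the raw scope as the name.
    return Decision(False, scope, INSTITUTION_NAMES.get(scope, scope), "register-info")
```

HTML-escape the `institution` value before rendering it, since the fallback is a scope string supplied by the IdP.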