Many thanks Steve. It is indeed to do with our certificate update. My IT colleagues are in the process of getting things sorted.
Catrin
----------------------------------------------------------------------------------------------------------------
Catrin Williams
E-services Developer
Information Systems & Library Services
University of Westminster
Marylebone Library
35 Marylebone Road
London NW1 5LS
020 7911 5000 x2747
[log in to unmask]
This email and attachments, if any, are intended for the above named only and may be confidential. If they have come to you in error please take no action based on them; do not copy or show them to anyone. Please also reply and highlight this error. Thank you.
-----Original Message-----
From: Steve Glover [mailto:[log in to unmask]]
Sent: 30 January 2012 13:08
To: An informal open list set up by UKSG - Connecting the Information Community
Cc: Catrin Williams
Subject: Re: [lis-e-resources] JSTOR & Shibboleth problems?
Hi Catrin,
> Is anyone else having problems with Shibboleth access to JSTOR?
It's almost certain that your problem with JSTOR is to do with
Westminster's ongoing IdP certificate update.
Anyone else who's having issues with JSTOR at the moment, please can you
check that you are sending them the correct value of
eduPersonEntitlement as given here:
http://www.ukfederation.org.uk/content/Services/2008-08-19-jstor
If that's not it, and you're a UK federation member, please talk to your
IdP team and ask them to raise a call with us ([log in to unmask]).
Now to return to the Westminster issue...
The standard process for an IdP updating their trust fabric certificate
is that the IdP sends us a copy of the new certificate, which we add to
their metadata. We then allow the new metadata to circulate for a period
of time (usually about three days to a week) to ensure that as many
federation SPs as possible see the new certificate before it is
presented. Only then should the IdP be reconfigured to present the new
certificate, the IdP tested against our test SP, and if all is well, we
should be instructed to remove the old certificate.
This works fine as long as SPs refresh their copies of the federation
metadata reasonably frequently (we recommend at least once a day) and as
long as SP software follows our certificate-handling recommendations (in
particular, it should be able to handle the presence of more than one
key in IdP metadata).
Unfortunately the software used by JSTOR is not compliant with our
recommendations about certificate handling in that respect, and as far
as we are aware it fails to authenticate the IdP certificate if it
encounters more than one certificate in the IdP metadata. (The software
vendors have acknowledged the issue, but have not yet given us a
time-scale for a fix.)
Westminster's access to JSTOR can be restored by updating the IdP config
to use the new certificate and asking us to remove the old one from the
metadata; access should be restored as soon as JSTOR refresh their
metadata. If access to any other SPs is lost then they probably still
have not refreshed their metadata (which in this particular case would
be somewhat disappointing considering the new certificate has been there
for three days - such SPs need to be reminded to update their metadata).
Summarising:
1) The software JSTOR use is non-compliant and will cause problems
during certificate roll-over.
2) The certificate roll-over period could be made much shorter if all
SPs updated their metadata 2-3 times daily: loss of access for any
longer period should be dealt with by dropping them an email and
suggesting they update their metadata.
Cheers
Steve
--
Steve Glover: SDSS, EDINA, Causewayside House, 160 Causewayside EH9 1PR
e:[log in to unmask] t:0131 650 2908 f:0131 650 3308 m:07961 446 902
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
--
The University of Westminster is a charity and a company limited by
guarantee. Registration number: 977818 England. Registered Office:
309 Regent Street, London W1B 2UW, UK.
lis-e-resources is a UKSG list - http://www.uksg.org/serials
UKSG groups also available on Facebook and LinkedIn
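The staged roll-over Steve describes (publish old+new keys in IdP metadata, let SPs refresh, switch the IdP to the new key, then drop the old one) only works if SP software checks an IdP signature against every signing key listed for that IdP. The following Go program is an added illustration, not code from the thread, the UK federation or JSTOR; it models the stages with a simplified metadata record (entityID plus a list of PEM certificates, standing in for `<md:KeyDescriptor use="signing">` elements) and freshly generated self-signed ECDSA certificates, and compares a compliant SP (`verifyAnyKey`) with the failure mode described in the message, an SP that rejects signatures as soon as a second certificate appears (`verifySingleKeyOnly`). Key generation, the entityID and the stage names are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// IdPMetadata is a constructed stand-in for the part of federation metadata an
// SP keeps for one IdP: its entityID and the signing certificates it publishes.
type IdPMetadata struct {
	EntityID string
	Certs    []string // PEM-encoded X.509 certificates, one per KeyDescriptor
}

// newTrustFabricCert generates a hypothetical trust-fabric key pair and a
// self-signed certificate for it (real federation certs are long-lived
// self-signed certs too, so this is a reasonable model).
func newTrustFabricCert(cn string) (*ecdsa.PrivateKey, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, "", err
	}
	return key, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

// signAssertion signs a payload with whichever key the IdP is configured to present.
func signAssertion(key *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

func parseCert(pemStr string) (*x509.Certificate, error) {
	block, _ := pem.Decode([]byte(pemStr))
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// verifyAnyKey is the recommended SP behaviour: the signature is accepted if it
// validates under any signing certificate currently listed in the IdP's metadata.
func verifyAnyKey(md IdPMetadata, payload, sig []byte) bool {
	digest := sha256.Sum256(payload)
	for _, c := range md.Certs {
		cert, err := parseCert(c)
		if err != nil {
			continue
		}
		if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); ok && ecdsa.VerifyASN1(pub, digest[:], sig) {
			return true
		}
	}
	return false
}

// verifySingleKeyOnly models the non-compliant behaviour the message describes:
// once more than one certificate appears in the IdP metadata, nothing verifies.
func verifySingleKeyOnly(md IdPMetadata, payload, sig []byte) bool {
	if len(md.Certs) != 1 {
		return false
	}
	return verifyAnyKey(md, payload, sig)
}

// StageResult records, for one roll-over stage, whether each SP type accepts
// the IdP's signature.
type StageResult struct {
	Name         string
	Compliant    bool
	NonCompliant bool
}

// RunRollover walks through the roll-over stages and a stale-SP case and
// returns the outcome for both SP behaviours.
func RunRollover() ([]StageResult, error) {
	oldKey, oldCert, err := newTrustFabricCert("idp-old")
	if err != nil {
		return nil, err
	}
	newKey, newCert, err := newTrustFabricCert("idp-new")
	if err != nil {
		return nil, err
	}
	entity := "https://idp.example.ac.uk/shibboleth" // constructed entityID
	payload := []byte("constructed SAML assertion body")
	stages := []struct {
		name string
		md   IdPMetadata
		key  *ecdsa.PrivateKey
	}{
		{"before roll-over: old cert only, IdP presents old", IdPMetadata{entity, []string{oldCert}}, oldKey},
		{"both certs published, IdP presents new", IdPMetadata{entity, []string{oldCert, newCert}}, newKey},
		{"old cert removed, IdP presents new", IdPMetadata{entity, []string{newCert}}, newKey},
		{"stale SP (never refreshed), IdP presents new", IdPMetadata{entity, []string{oldCert}}, newKey},
	}
	var out []StageResult
	for _, s := range stages {
		sig, err := signAssertion(s.key, payload)
		if err != nil {
			return nil, err
		}
		out = append(out, StageResult{s.name, verifyAnyKey(s.md, payload, sig), verifySingleKeyOnly(s.md, payload, sig)})
	}
	return out, nil
}

func main() {
	results, err := RunRollover()
	if err != nil {
		panic(err)
	}
	for _, r := range results {
		fmt.Printf("%-50s compliant SP: %-5v non-compliant SP: %v\n", r.Name, r.Compliant, r.NonCompliant)
	}
}
```

The second stage is the one that matters: a compliant SP keeps working while both certificates are published, whereas the single-key SP loses access until the old certificate is removed, which is exactly why the thread suggests shortening the roll-over window. The last stage shows that a stale SP fails regardless of how it handles multiple keys, which is the "remind them to refresh their metadata" case.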