JiscMail Logo
Email discussion lists for the UK Education and Research communities

Help for JISC-SHIBBOLETH Archives


JISC-SHIBBOLETH Archives

JISC-SHIBBOLETH Archives


JISC-SHIBBOLETH@JISCMAIL.AC.UK


View:

Message:

[

First

|

Previous

|

Next

|

Last

]

By Topic:

[

First

|

Previous

|

Next

|

Last

]

By Author:

[

First

|

Previous

|

Next

|

Last

]

Font:

Proportional Font

LISTSERV Archives

LISTSERV Archives

JISC-SHIBBOLETH Home

JISC-SHIBBOLETH Home

JISC-SHIBBOLETH  July 2008

JISC-SHIBBOLETH July 2008

Options

Subscribe or Unsubscribe

Subscribe or Unsubscribe

Log In

Log In

Get Password

Get Password

Subject:

Re: [Fwd: Re: Going Beyond Staff and Student]

From:

Ian Young <[log in to unmask]>

Reply-To:

Discussion list for Shibboleth developments <[log in to unmask]>

Date:

Tue, 1 Jul 2008 15:38:23 +0100

Content-Type:

text/plain

Parts/Attachments:

Parts/Attachments

text/plain (142 lines)

Nicole Harris wrote:

> There are some really interesting questions here, and issues that 
> librarians have been tackling with for sometime...I think the
> federated approach has just shined a brighter light on some of the
> problems that institutions have with meeting some faintly ridiculous
> clauses that publishers insist on.

Absolutely agreed.

> To look at some of the questions brought up here, I think an
> institution has to have a very clear definition of what it means by a
> student.  If the students from other organisations are physically
> registered in the institutional directory for the period of the
> course in question, my opinion would be that they are a full student
> of the institution for the period of that course - with all that this
> entails.    You might not want to make them a member of the
> organisation though.

Agreed that *each institution* has to have a clear definition of what 
*it* means by a student, or a member.  I'd go so far as to say that it 
would be pretty nice if that definition was available to relying parties.

I don't think, though, that this automatically leads to any rational 
expectation that this per-institution definition might be exactly the 
same as anyone else's.  Similar, certainly in broad terms, but never 
identical.

I think we can all accept that the definitions in both eduPerson and
in the UK federation's Technical Recommendations for Participants for
the various affiliation values are not completely precise.  I have a 
couple of possibly contentious things to say about this:

1. this is not accidental

2. we should not try and "fix" this either by

    2a. tightening up the definitions (very much), or

    2b. inventing more values (at all)

To put it another way, it's my personal view that the vagueness of the
affiliation definitions is a *feature*.  Because it's essentially
impossible to come up with a precise definition of, say, "student", 
which will meet with agreement from all parties (UK federation 
membership: 438 and climbing), that's not the intention.  Instead, the 
defined affiliation values are vague so that if both parties are 
prepared to acknowledge that there is slop in the definitions, it's 
actually possible to come to an agreement where none would otherwise exist.

If you want an analogy, colours are good: if you can only talk about 
"blue" and "green" (or any other finite vocabulary) then sometimes the 
greeny-blues and bluey-greens will be hard to distinguish.  But when it 
comes down to it, show someone "blue" and they'll likely be happy to 
call it "blue" too.

This requires the relying party either to review and accept the 
particular institutional definition of the affiliation values (where 
available) or preferably to compromise by saying: actually, we accept 
that your good faith definition of "student" is likely to be close 
enough to what we had in mind that we won't argue about the edge cases.

Relying parties who are unwilling to compromise in this way (who, in 
other words, want to impose a particular precise definition of "student" 
or "staff" on identity providers) are therefore not going to be happy 
with the vague definitions.

* I don't think they will be much happier with tighter definitions, 
unless they happen to match what they first thought of,

* I don't think adding new values helps at all, unless you're prepared 
to add an awful lot of new values, essentially one per service provider.

I thought Ross Hayworth's example was an excellent one:

> we have a licence with a major service provider that would allow
> access to staff who are "retired, with proof of 60 years in age or
> over"

I don't think any of us would be likely to feel that it would be useful 
to either make that part of the definition of "staff", or to add that as 
an affiliation value.

Nicole again:

>   The other way of distinguishing them might be
> to make use of the flexibility of the scope - so to have
> [log in to unmask] for the specific course that teaches
> external students.  Of course, if the Service Provider wants to
> distinguish between different groups of users they have to be willing
> to accept and reject different scopes and not just accept them all as
> often happens!

This idea has come up a number of times as a possible solution for 
various flavours of this problem.  I'm not particularly keen on it 
myself, partly because our original idea for more granular scopes was to 
represent relatively small numbers of static things (schools, 
departments) and partly because scopes need to be registered with the 
federation operator.

There's an eduCourse schema that might prove more promising in this 
area.  I don't know that anyone makes much use of it at present, though.

I think my own preference for dealing with service providers with 
specific requirements for which vague definitions are inappropriate is 
eduPersonEntitlement.  This implies that a service provider who feels 
that a vague definition of studentness isn't good enough for some reason 
would precisely define the semantics of their own value for 
eduPersonEntitlement.  They would then come to an agreement with each 
identity provider that they are requiring to implement that definition 
that each appropriate person would be given such an entitlement value on 
accessing that particular SP.  This is what is done for the restricted 
content in Film & Sound Online, for example.

ePE values don't have to populated into institutional attribute stores; 
they can be computed by the IdP in arbitrarily complicated ways (see 
Matt Dunkin's comments about "isnotrealstudent=true") but there is 
clearly still a burden here on the IdP.  I don't think that the 
technology is to blame for that; I think that's inherent in the idea 
that an individual service provider *requires* arbitrary access 
conditions to be met.  It's obviously better in the long term for people 
not to enter into contracts with (Nicole's term) faintly ridiculous clauses.

> i think that retired members of staff are perhaps a good case for
> making an argument for extending the values currently used, although
> I can see them being managed through the affiliate value.

Judging by the library-walk-in case, it would be very hard to get the 
authors of eduPerson to accept any more affiliation values.  I'm also 
very nervous about adding UK-specific values in opposition to that 
standard, which you may know is also enforced in the default 
configurations of every Shibboleth IdP and SP.  Obviously, we could all 
change those configurations, but sometimes pain is nature's way of 
telling you not to walk through the brambles.

It may be that we need some broad discussion about what kinds of thing 
we, as a community, think fall into each of these vague categories.  I 
don't think it's likely to be as helpful in resolving the underlying 
issue as people might expect, though.

	-- Ian

Top of Message | Previous Page | Permalink

JiscMail Tools


RSS Feeds and Sharing


Advanced Options


Archives

December 2019
November 2019
October 2019
September 2019
August 2019
June 2019
May 2019
March 2019
February 2019
January 2019
November 2018
July 2018
June 2018
May 2018
April 2018
March 2018
January 2018
November 2017
October 2017
September 2017
August 2017
July 2017
June 2017
May 2017
March 2017
February 2017
January 2017
October 2016
September 2016
August 2016
July 2016
June 2016
May 2016
March 2016
February 2016
January 2016
December 2015
November 2015
September 2015
August 2015
June 2015
April 2015
March 2015
February 2015
December 2014
November 2014
October 2014
September 2014
August 2014
July 2014
June 2014
May 2014
April 2014
March 2014
February 2014
January 2014
December 2013
November 2013
October 2013
September 2013
August 2013
June 2013
May 2013
April 2013
March 2013
February 2013
January 2013
December 2012
November 2012
October 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010
January 2010
December 2009
November 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005


JiscMail is a Jisc service.

View our service policies at https://www.jiscmail.ac.uk/policyandsecurity/ and Jisc's privacy policy at https://www.jisc.ac.uk/website/privacy-notice

Secured by F-Secure Anti-Virus CataList Email List Search Powered by the LISTSERV Email List Manager