My institution is in the process of moving from Athens to Shibboleth. Shibboleth is up and running and most students and about half the staff are already using it. All is (or appears to be) working well.
However for certain users our Library have apparently made use of Athens permission sets to restrict access to a specific subset of resources. These users are of the 'miscellaneous additional people' category who we all have within our organisations. While the main issue here is one of identity management (which is being addressed) there is a Shibboleth/Federation issue as well.
This issue is best described as follows:
Having used suitable identity management processes to identify a class of user, the licenses for our various e-resources vary as to whether that class is entitled to access the resource or not (or so I am told).
Athens permission sets deal with this issue (or so I am told).
From a Shibboleth point of view my understanding is that access of this type should be controlled by setting mutually agreed values of eduPersonEntitlement and that the SP should then restrict access based on existence or otherwise of that attribute-value pair.
However the SPs concerned appear not to use eduPersonEntitlement as, from their point of view, 'all' members are entitled to access. The problem is that 'all' is defined differently between SP licenses.
It appears rather difficult within Shibboleth to either set eduPersonScopedAffiliation differently on a per-SP basis or to control the release policy to not release it on a per-SP basis for specific groups of users. It also appears not to scale to large numbers of SPs as every change requires editing Shibboleth config files (with attendant testing requirements/risks of error etc.).
With one exception the resource providers involved are members of UKAMF and I would assume are used by several other institutions as well. However I have never seen any comments about other sites having this problem.
Therefore my questions are:
1. Do you have differentiated access to SPs for certain classes of user?
2. If not, how does this tie in with license conditions for each resource?
3. If you do, how have you implemented this in Shibboleth?
Thanks
Jonathan
--
----------------------------------------------------------------------
Jonathan Haynes
Senior Network Consultant
IT Department, Bld 63
Cranfield University
Wharley End, Cranfield, Beds, MK43 0AL.
Tel: Bedford (01234) 754205
Bedford (01234) 750111 Extn 4205
Fax: Bedford (01234) 751814
e-mail: [log in to unmask]
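Added example (not part of the original message) of how the per-SP, per-group release discussed above can be expressed in a Shibboleth IdP v3 attribute-filter.xml: the entitlement and the 'member' affiliation reach the restricted SP only for users in the licensed group, while every other SP receives the affiliation for all users. The SP entityID, the entitlement URN and the local libraryGroup attribute are assumed placeholders, not values from the post.

```xml
<!-- Added illustration, not the original poster's configuration.
     Shibboleth IdP v3 attribute filter policy. Anything not explicitly
     permitted by a matching policy is withheld (deny by default), so users
     outside the licensed group get nothing from the IdP for the restricted SP.
     Placeholders: SP entityID, entitlement URN, local libraryGroup attribute. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

  <!-- Policy 1: the SP whose licence covers only a subset of users.
       Fires only when the requester matches AND the user carries the
       (assumed) group attribute populated by identity management. -->
  <AttributeFilterPolicy id="resourceX-restricted-release">
    <PolicyRequirementRule xsi:type="AND">
      <Rule xsi:type="Requester" value="https://sp.resource-x.example/shibboleth"/>
      <Rule xsi:type="Value" attributeID="libraryGroup" value="resource-x-licensed"/>
    </PolicyRequirementRule>
    <!-- Mutually agreed entitlement value for this resource (placeholder URN). -->
    <AttributeRule attributeID="eduPersonEntitlement">
      <PermitValueRule xsi:type="Value" value="urn:mace:example.ac.uk:entitlement:resource-x"/>
    </AttributeRule>
    <!-- The SP keys on 'member'; release it here only for the licensed group. -->
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>

  <!-- Policy 2: every other SP keeps the ordinary release of affiliation
       for all users; the restricted SP is excluded so policy 1 governs it. -->
  <AttributeFilterPolicy id="default-affiliation-release">
    <PolicyRequirementRule xsi:type="NOT">
      <Rule xsi:type="Requester" value="https://sp.resource-x.example/shibboleth"/>
    </PolicyRequirementRule>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

Each restricted SP still needs its own policy block, which is the per-SP editing and testing burden the message describes; sourcing the group attribute from the directory at least keeps the user-level changes out of the IdP configuration.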