Dr. Shibblelove, or How I Learned to Stop Worrying and Implement Single-Sign On
LITA Forum | Minneapolis, MN | 12-15 November 2015
Athena Hoeppner, University of Central Florida
Adam Traub, University of Rochester
Login: A User’s Perspective
Diagram: the researcher presents credentials to Canvas and receives access.
Authentication Part I
Service Provider: Canvas. Shibboleth sits in front of it.
Canvas: “Hey UCF Shibboleth, check this guy for me.”
Shibboleth: “Hi Canvas. I’ll check his credentials.”
Shibboleth (to the user): “Answer this or you shall not pass!”
Authentication Part II
Shibboleth (to the Identity Provider, which is backed by LDAP): “Hi UCF Identity Provider, do you know a guy with these credentials?”
Identity Provider: “I know everything about him… well, not as much as Google. But I’ll only tell you what you are allowed to know.”
Identity Provider: “I can authenticate him. Here is his NameID and some assertions.”
The assertions travel as SAML (Security Assertion Markup Language); a generic sample response is at https://www.samltool.com/generic_sso_res.php
Authorization
Identity Provider: “These assertions tell you some of his attributes. About that guy… his NameID is JOHND, an authenticated UCF eduPerson with primaryAffiliation faculty.”
Service Provider: “OK. Users with those attributes are authorized for access, and faculty get extra permissions.”
Login: A User’s Perspective
Service Provider: “Here’s your page… and have a cookie.”
Identity Provider: “He gets an IdP cookie, too.”
Figure: "Saml2-browser-sso-redirect-post", licensed under CC BY-SA 3.0 via Wikipedia - https://en.wikipedia.org/wiki/File:Saml2-browser-sso-redirect-post.png
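To show the service-provider side of the exchange drawn above, here is an added Python example (not the deck’s code) that consumes a constructed SAML 2.0 Response: it checks the issuer, the audience and the validity window, maps attribute OIDs to the friendly names used later in the deck’s attribute summary table, and drops scoped values whose scope the IdP is not entitled to assert. The entityIDs, the IdP’s allowed scope example.edu and the user johnd are assumptions; XML signature verification against the IdP’s metadata certificate is assumed to have already happened and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# OID -> friendly name, per the InCommon attribute summary table in the deck
FRIENDLY = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}

# Attributes whose values look like "value@scope" and must be scope-checked
SCOPED = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}

# Constructed sample (hypothetical IdP/SP entityIDs, hypothetical user johnd)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2015-11-13T15:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-11-13T15:00:00Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_johnd-transient</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-11-13T14:59:00Z" NotOnOrAfter="2015-11-13T15:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://login.ezproxy.example.edu/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
        <saml:AttributeValue>johnd@example.edu</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
        <saml:AttributeValue>faculty@example.edu</saml:AttributeValue>
        <saml:AttributeValue>member@example.edu</saml:AttributeValue>
        <saml:AttributeValue>staff@other.edu</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">
        <saml:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(stamp):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_and_extract(xml_text, sp_entity_id, trusted_idp, allowed_scopes, now):
    """Return (NameID, {friendly name: [values]}) or raise ValueError.

    Assumes the response's XML signature was already verified; an SP must do
    that before trusting any of the checks below."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    if assertion.findtext("saml:Issuer", namespaces=NS) != trusted_idp:
        raise ValueError("assertion not issued by the trusted IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion addressed to a different SP")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_time(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now >= parse_time(not_on_or_after):
        raise ValueError("assertion expired")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = FRIENDLY.get(attr.get("Name"), attr.get("Name"))
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        if name in SCOPED:
            # Keep only values whose scope this IdP is allowed to assert
            values = [v for v in values if v.rpartition("@")[2] in allowed_scopes]
        if values:
            attrs[name] = values
    return name_id, attrs


if __name__ == "__main__":
    print(validate_and_extract(SAMPLE_RESPONSE, "https://login.ezproxy.example.edu/sp",
                               "https://idp.example.edu/idp/shibboleth", {"example.edu"},
                               parse_time("2015-11-13T15:01:00Z")))
```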
One Login; Many Services
Diagram: one login at UCF or UR reaches many services, e.g. ProQuest and EBSCO.
Entity and Service Examples
EntityIDs are unique identifiers.
• ID Providers (IdPs): UCF LDAP, UCF Active Directory; example entityID https://auth.yale.edu/idp/shibb
• Service Providers (SPs): UCF Canvas, UCF HR, subscription database; example entityID http://qapub1.imodules.com/sp
Tales of Three Shibboleth Service Providers
Lynda’s Tale
• Previously logged in via IP
• Couldn’t tell who was using it
• Shibboleth already used for other campus services
• Shibb login allows users to track progress
HathiTrust’s Tale
• Membership requirements:
  • Academic and research institution
  • Paid fee
  • Shibboleth for authentication
• Benefits:
  • Complete PDF download
  • Access to in-copyright material if owned by university
Ezproxy’s Prologue
• IP authentication widely used by vendors
• Existed separately from campus federated ID and single sign on
• Familiar to users
• Extend campus single sign-on experience for database and journal access
Relationship Building
Diagram: Data! Access! Identity Management.
Functional Anecdote
• E-Res Librarian. Role: Cheerleader; Project Manager; Requirements Co-Creator
• Library IT. Role: Facilitator; Co-Creator; Internal Advisor
• Central IT. Role: Shibboleth Admin; Attribute Mapper
• Vendor IT. Role: Service Provider; External Advisor
Key Attributes
An attribute is simply a name-value pair providing a single piece of information. Some subset of all attributes defines a unique individual.
Shibboleth and EduPerson
“Shibboleth is a standards based, open source software package for web single sign-on across or within organizational boundaries.”
EduPerson Schema
• Supports LDAP environments
• Familiar attributes: CommonName, Surname/Family Name, Email, UserID
User: “I have one of each of those attributes!”
EduPerson Schema - Affiliations
eduPersonAffiliation: “broad category affiliations”
Examples:
• Faculty
• Staff
• Student
• Alum
• Employee
• Member
• Affiliate
• Library-Walk-in
User: “I graduated from this place AND I work here as Faculty!”
EduPerson Schema - Affiliations
eduPersonPrimaryAffiliation: “Think of this as the affiliation one might put on the name tag if this person were to attend a general institutional social gathering.”
• Must also appear in eduPersonAffiliation
• Example: Faculty (mostly)
EduPerson Schema - Affiliations
eduPersonScopedAffiliation: “Specifies the person's affiliation within a particular security domain in broad categories.”
HathiTrust requires Scoped Affiliation.
Example: What is Athena’s affiliation to UCF, as translated by HathiTrust? faculty@ucf.edu
Gollum the Freshman (exchange between the user, the database, and LDAP, in numbered order)
1. Gollum: “Precious wants your database.”
2. Database (to LDAP): “Do you know this person?”
3. LDAP (to Gollum): “I need you to login.”
4. Gollum: UN: Precious; PW: Precious
5. LDAP: “That’s Gollum; he’s a student.”
6. Database: “Ugh. Here you go, Gollum.”
Frodo the Alumnus
1. Frodo: “I’d like to use your database.”
2. Database (to LDAP): “Do you know this person?”
3. LDAP (to Frodo): “I need you to login.”
4. Frodo: UN: Fbaggins; PW: i<3Sam
5. LDAP: “That’s Frodo; he’s an alum.”
6. Database: “Your license doesn’t allow alum access.”
Saurman the Forgetful (or Malicious)
1. Saurman: “I’d like to use your database.”
2. Database (to LDAP): “Do you know this person?”
3. LDAP (to Saurman): “I need you to login.”
4. Saurman: UN: SauronRules; PW: friend?
5. LDAP: “I have no idea who this is.”
6. Database: “Not with that attitude (or login) you won’t.”
WAYFless URL Authentication (diagram with LDAP)
Wraithless URLs
Search result: “Chocolate and red wine – A comparison between flavonoids content”, FA Pimentel, JA Nitzke, CB Klipel, EV de Jong - Food chemistry, 2010 - Elsevier. “... Cocoa has also been described as being a good source of flavonoids, such as catechins. ... Based on this, the present study was carried out to compare flavonoids content of different types of red wine and chocolate and to suggest a daily chocolate ingestion dose that could ...”
Researcher: “Whoa!! This article is perfect!”
Publisher page for the same article: “You are a Guest. Sign In”
Researcher: “Oh no… I don’t have an Elsevier login! But the Mordor University Library should have this…”
Where Are You From?
Service Provider: “I don’t even know where to begin checking his credentials. Better make small talk… So… where are you from?”
Where Are You From page: “Choose your region or group and institution below to login.” Region or Federation: Mordor. Institution: Nazgul Group.
Researcher: “This should get me access.”
WAYF Authentication (numbered exchange between the researcher, the service provider, the WAYF, and Sauran’s LDAP)
1. Researcher: “I demand the article on chocolate and wine!”
2. Service Provider: “Where are you from?”
3. Researcher: “I’m with the Nazgul!”
4. Service Provider (to Sauran’s LDAP): “Do you know this person?”
5. LDAP (to the researcher): “Login.”
6. Researcher: UN: NazgulKing; PW: IMMORT@L
7. LDAP: “That’s NazgulKing; he’s Sauran’s lieutenant.”
8. Service Provider: “OK. Read up!”
Access to Everything Else…
Ezproxy as a Shibboleth Service Provider
Library Vendors in InCommon Federation:
• Hathi Trust
• EBSCOhost
• ProQuest
• EBL
• Elsevier
• JSTOR
• …and many more
https://spaces.internet2.edu/display/inclibrary/targetresources
https://spaces.internet2.edu/display/inclibrary/registryofresources
Library: “Enable, please!!”
Vendor: “They get our entityID and the eduPerson assertion. OK.”
InCommon Best Practices for Libraries
• Implement authorization via eduPerson attributes
• Shibboleth-enable EZproxy
• Implement WAYFless URLs
• Implement authenticated direct links to resources
  • Use Shibboleth-ready EZproxy starting point URLs
https://spaces.internet2.edu/display/inclibrary/Best+Practices
EZproxy config.txt
#### Shibboleth Stuff
ShibbolethDisable 1.3
ShibbolethMetadata -EntityID=LibraryEZProxy -File=ucf-prod-metadata.xml -Cert=4 -URL=https://idp-prod.cc.ucf.edu/idp/shibboleth
Shibuser.txt
# EZproxy Admins
if auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.6 eq "LibITGuy@ucf.edu"; Admin
# Deny Access to Problem Users
if auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.6 eq "BadUser@ucf.edu"; Deny
# Set EZproxy username to UCF ID (attribute references carry the auth: prefix)
Set login:loguser = auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.6
Attribute Summary Table
Friendly Name                 Formal Name
eduPersonScopedAffiliation    urn:oid:1.3.6.1.4.1.5923.1.1.1.9
eduPersonPrincipalName        urn:oid:1.3.6.1.4.1.5923.1.1.1.6
eduPersonEntitlement          urn:oid:1.3.6.1.4.1.5923.1.1.1.7
eduPersonTargetedID           urn:oid:1.3.6.1.4.1.5923.1.1.1.10
sn                            urn:oid:2.5.4.4
givenName                     urn:oid:2.5.4.42
displayName                   urn:oid:2.16.840.1.113730.3.1.241
mail                          urn:oid:0.9.2342.19200300.100.1.3
InCommon Federation Attribute Summary: https://www.incommon.org/federation/attributesummary.html
Shibuser.txt Revisited
if auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.6 eq "LibITGuy@ucf.edu"; Admin
  (if eduPersonPrincipalName equals this person, then give them admin rights)
if auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.6 eq "BadUser@ucf.edu"; Deny
  (if eduPersonPrincipalName equals this person, then deny them access)
Set login:loguser = auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.6
  (set login to the user’s eduPersonPrincipalName)
EZproxy Shibb URLs
• EZproxy Starting Point URLs: https://login.ezproxy.net.ucf.edu/login?url=
• Shibbolized: https://login.ezproxy.net.ucf.edu/login?auth=shibb&url=
• UCF deployed in:
  • SFX
  • EBSCOhost Discovery
  • LibGuides and Database list
Too Permissive!
LDAP (to EZproxy): “Everyone I know is an eduPerson! That’s good enough for me.”
And everyone LDAP knows includes: current students, faculty, employees, alumni, previous students, department network accounts… Yikes!!!
Common Library Entitlements
Based on this doc, Implementing the Shibboleth - EZproxy Hybrid - InCommon, I think we need to add this to our shibuser.txt:
If !(auth:urn:mace:dir:attribute-def:eduPersonEntitlement eq "urn:mace:dir:entitlement:common-lib-terms"); Deny
I assume that our IdP is set up with the standard common-lib-terms entitlements. If not, then we should ask Matt and his crew to add it.
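The two shibuser.txt slides above (admin and deny by eduPersonPrincipalName, the log user, and the common-lib-terms gate that closes the “Too Permissive!” hole) expressed as an added Python policy check, which is neither the deck’s nor EZproxy’s code: it evaluates the rules over the attribute set a service provider receives after login. LibITGuy@ucf.edu and BadUser@ucf.edu come from the deck; the Gollum and Frodo attribute sets are constructed.

```python
COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"
ADMINS = {"LibITGuy@ucf.edu"}    # from the deck's shibuser.txt
BLOCKED = {"BadUser@ucf.edu"}    # from the deck's shibuser.txt


def authorize(attrs):
    """Evaluate the shibuser.txt rules over {friendly name: [values]}.

    Returns {"allow", "admin", "loguser", "reason"}; rules are applied in the
    same order as the deck's file: explicit deny, explicit admin, then the
    common-lib-terms entitlement gate."""
    eppn_values = attrs.get("eduPersonPrincipalName", [])
    eppn = eppn_values[0] if eppn_values else None
    decision = {"allow": False, "admin": False, "loguser": eppn, "reason": ""}
    if eppn is None:
        decision["reason"] = "no eduPersonPrincipalName asserted"
        return decision
    if eppn in BLOCKED:
        decision["reason"] = "explicitly denied"
        return decision
    if eppn in ADMINS:
        decision.update(allow=True, admin=True, reason="library IT admin")
        return decision
    # The fix for "Too Permissive!": being an eduPerson the IdP knows is not
    # enough; the IdP must assert that this person is covered by the
    # library's licence terms.
    if COMMON_LIB_TERMS not in attrs.get("eduPersonEntitlement", []):
        decision["reason"] = "no common-lib-terms entitlement (e.g. alumni)"
        return decision
    decision.update(allow=True, reason="common-lib-terms entitlement present")
    return decision


# Constructed attribute sets mirroring the deck's Gollum (student) and Frodo (alum)
GOLLUM = {
    "eduPersonPrincipalName": ["precious@ucf.edu"],
    "eduPersonScopedAffiliation": ["student@ucf.edu", "member@ucf.edu"],
    "eduPersonEntitlement": [COMMON_LIB_TERMS],
}
FRODO = {
    "eduPersonPrincipalName": ["fbaggins@ucf.edu"],
    "eduPersonScopedAffiliation": ["alum@ucf.edu"],
}

if __name__ == "__main__":
    for name, attrs in (("Gollum", GOLLUM), ("Frodo", FRODO)):
        print(name, authorize(attrs))
```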
common-lib-terms
The common-lib-terms entitlement value represents the members of an institution that are included in the terms of a typical library contract with a library resource provider.
EZproxy (to the alum): “Nope.”
Getting EZProxy Out of the Way
• Challenges
  • Out-dated EZProxy links
• Leverage service provider Shibb support
  • SPUEdit
  • “Rarely used directive”
• Best Practice: https://www.incommon.org/library/docs/Best_Practices.pdf
“Here… let me fix that for you…”
Summary
• Shibboleth enables:
  • Single sign on across institution and federation services
  • Seamless user experience
  • Customized services based on attributes
  • Personalized services for individuals
  • Anonymity
• Requires collaboration:
  • Campus IT
  • Library IT
  • eResources Librarians
• Works with and expands on Ezproxy IP-based authentication
Shibb! Shibb! Shibb!
Additional Resources
Implementation Info
• InCommon Library Collaboration
• Registry of Resources
• Shibb Training
• Shibb – EzProxy Hybrid
Vendor Specific Info
• EZProxy
• EBSCO
• ProQuest
• JSTOR
• ACM
• Elsevier
• Ovid
• Project Muse
• Thomson
Glossary
• Assertion - The identity information provided by an Identity Provider to a Service Provider.
• Attribute - A single piece of information. Some attributes are general; others are personal. Some subset of all attributes defines a unique individual. Examples of an attribute are name and enrollment.
• Attribute statement - Asserts that a subject is associated with certain attributes. An attribute is simply a name-value pair. Relying parties use attributes to make access-control decisions.
• Authentication statement - Asserts that the principal did indeed authenticate with the identity provider at a particular time using a particular method of authentication.
• Authorization decision statement - Asserts that a subject is permitted to perform action A on resource R given evidence E.
• eduPerson - An LDAP object class to facilitate inter-institutional applications.
• EntityID - ID that identifies an enterprise in a federation. Usually a URL that points to an XML file of info about the entity, such as the ID Provider URL and the network administrator.
• Federated identity - Management of identity information between members of a federation.
• Identity Provider (IdP) - The system that authenticates an entity.
• Security Assertion Markup Language (SAML, pronounced sam-el) - An XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. (Wikipedia)
• Service Provider (SP) - Makes online resources available to users based in part on information about them that it receives from other InCommon participants.
• Where Are You From (WAYF) - A server used by the Shibboleth software to determine what a user's home organization is.
• Source for the SAML statement definitions: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language#SAML_Assertions
Questions?
Thank you!
Athena Hoeppner, UCF
Adam Traub, UR

More Related Content

Similar to Dr. Shibblove, or How I learned to Stop Worrying and Implement Single Sign-On

Rp week 7 presentation compressed
Rp week 7 presentation compressedRp week 7 presentation compressed
Rp week 7 presentation compressed
dazza50
 
Information literacy
Information literacyInformation literacy
Information literacy
ebphillips
 
Wpps 2013 email
Wpps 2013 emailWpps 2013 email
Wpps 2013 email
Clara Song
 
Criteria Ratings PointsContentTypes ofReliability&
Criteria Ratings PointsContentTypes ofReliability&Criteria Ratings PointsContentTypes ofReliability&
Criteria Ratings PointsContentTypes ofReliability&
CruzIbarra161
 
TSEM Fa 2012 Class1b McArthur
TSEM Fa 2012 Class1b McArthurTSEM Fa 2012 Class1b McArthur
TSEM Fa 2012 Class1b McArthur
Laksamee Putnam
 
TSEM Fa 2012 Class1a McArthur
TSEM Fa 2012 Class1a McArthurTSEM Fa 2012 Class1a McArthur
TSEM Fa 2012 Class1a McArthur
Laksamee Putnam
 

Similar to Dr. Shibblove, or How I learned to Stop Worrying and Implement Single Sign-On (20)

Modeling and Representing Trust Relations in Semantic Web-Driven Social Networks
Modeling and Representing Trust Relations in Semantic Web-Driven Social NetworksModeling and Representing Trust Relations in Semantic Web-Driven Social Networks
Modeling and Representing Trust Relations in Semantic Web-Driven Social Networks
 
Analogy Essay Examples
Analogy Essay ExamplesAnalogy Essay Examples
Analogy Essay Examples
 
Rp week 7 presentation compressed
Rp week 7 presentation compressedRp week 7 presentation compressed
Rp week 7 presentation compressed
 
How SADI & SHARE help restore the Scientific Method to in silico science
How SADI & SHARE help restore the Scientific Method to in silico scienceHow SADI & SHARE help restore the Scientific Method to in silico science
How SADI & SHARE help restore the Scientific Method to in silico science
 
S wi t-ciscotp 3mar15 eleelav-communicating to inspire confidence
S wi t-ciscotp 3mar15 eleelav-communicating to inspire confidenceS wi t-ciscotp 3mar15 eleelav-communicating to inspire confidence
S wi t-ciscotp 3mar15 eleelav-communicating to inspire confidence
 
What can we learn from campus leaders, quickly?
What can we learn from campus leaders, quickly?What can we learn from campus leaders, quickly?
What can we learn from campus leaders, quickly?
 
Libguide powerpoint
Libguide powerpointLibguide powerpoint
Libguide powerpoint
 
Information literacy
Information literacyInformation literacy
Information literacy
 
Introduction To Mysql
Introduction To MysqlIntroduction To Mysql
Introduction To Mysql
 
Controlled Vocabullary.pptx
Controlled Vocabullary.pptxControlled Vocabullary.pptx
Controlled Vocabullary.pptx
 
College comp
College compCollege comp
College comp
 
Evaluation Websites
Evaluation WebsitesEvaluation Websites
Evaluation Websites
 
Evaluation Websites
Evaluation WebsitesEvaluation Websites
Evaluation Websites
 
Evaluation Websites
Evaluation WebsitesEvaluation Websites
Evaluation Websites
 
Sources or answer
Sources or answerSources or answer
Sources or answer
 
Wpps 2013 email
Wpps 2013 emailWpps 2013 email
Wpps 2013 email
 
Criteria Ratings PointsContentTypes ofReliability&
Criteria Ratings PointsContentTypes ofReliability&Criteria Ratings PointsContentTypes ofReliability&
Criteria Ratings PointsContentTypes ofReliability&
 
TSEM Fa 2012 Class1b McArthur
TSEM Fa 2012 Class1b McArthurTSEM Fa 2012 Class1b McArthur
TSEM Fa 2012 Class1b McArthur
 
TSEM Fa 2012 Class1a McArthur
TSEM Fa 2012 Class1a McArthurTSEM Fa 2012 Class1a McArthur
TSEM Fa 2012 Class1a McArthur
 
AE 101 Spring 2018
AE 101 Spring 2018AE 101 Spring 2018
AE 101 Spring 2018
 

More from Athena Hoeppner

Hacking the Faculty: Bringing Content Discovery Into Online Course Development
 Hacking the Faculty: Bringing Content Discovery Into Online Course Development Hacking the Faculty: Bringing Content Discovery Into Online Course Development
Hacking the Faculty: Bringing Content Discovery Into Online Course Development
Athena Hoeppner
 

More from Athena Hoeppner (7)

Hacking the Faculty: Bringing Content Discovery Into Online Course Development
 Hacking the Faculty: Bringing Content Discovery Into Online Course Development Hacking the Faculty: Bringing Content Discovery Into Online Course Development
Hacking the Faculty: Bringing Content Discovery Into Online Course Development
 
Open Access Tools
Open Access ToolsOpen Access Tools
Open Access Tools
 
Optimizing eResources Pain Management
Optimizing eResources Pain ManagementOptimizing eResources Pain Management
Optimizing eResources Pain Management
 
Discovery Systems: Connecting the 21st Century Academic User to Content
Discovery Systems: Connecting the 21st Century Academic User to ContentDiscovery Systems: Connecting the 21st Century Academic User to Content
Discovery Systems: Connecting the 21st Century Academic User to Content
 
Out in the Open: Better Exposure for Open Access Content
Out in the Open: Better Exposure for Open Access ContentOut in the Open: Better Exposure for Open Access Content
Out in the Open: Better Exposure for Open Access Content
 
Zen and the Art of WSD Maintenance
Zen and the Art of WSD MaintenanceZen and the Art of WSD Maintenance
Zen and the Art of WSD Maintenance
 
Resource DISCOvery Services: Beyond the Blurb. Opening Keynote by Athena Hoep...
Resource DISCOvery Services: Beyond the Blurb. Opening Keynote by Athena Hoep...Resource DISCOvery Services: Beyond the Blurb. Opening Keynote by Athena Hoep...
Resource DISCOvery Services: Beyond the Blurb. Opening Keynote by Athena Hoep...
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Recently uploaded (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

Dr. Shibblove, or How I learned to Stop Worrying and Implement Single Sign-On

  • 1. How I Learned to Stop Worrying and Implement Single-Sign On Dr. Shibblelove or LITA Forum | Minneapolis, MN | 12-15 November 2015 Athena Hoeppner Adam Traub University of Central Florida University of Rochester
  • 3. Authentication Part I Service Provider Canvas HEY UCF SHIBBOLETH, CHECK THIS GUY FOR ME. HI CANVAS. I’LL CHECK HIS CREDENTIALS. ANSWER THIS OR YOU SHALL NOT PASS!
  • 4. Authentication Part II HI UCF IDENTITY PROVIDER DO YOU KNOW A GUY WITH THESE CREDENTIALS I KNOW EVERYTHING ABOUT HIM… WELL, NOT AS MUCH AS GOOGLE. BUT I’LL ONLY TELL YOU WHAT YOU ARE ALLOWED TO KNOW. LDAP Identity Provider SAML Security Assertion Markup Language https://www.samltool.com/generic_sso_res.php I CAN AUTHENTICATE HIM. HERE IS HIS NAMEID AND SOME ASSERTIONS.
  • 5. Authorization THESE ASSERTIONS TELL YOU SOME OF HIS ATTRIBUTES AND FACULTY GET EXTRA PERMISSIONS. ABOUT THAT GUY.. HIS NAMEID IS JOHND, AN AUTHENTICATED UCF EDUPERSON WITH PRIMARYAFFILIATION FACULTY OK. USERS WITH THOSE ATTRIBUTES ARE AUTHORIZED ACCESS FOR
  • 6. Login: A User’s Perspective HERE’S YOUR PAGE. …AND HAVE A COOKIE HE GETS AN IDP COOKIE, TOO.
  • 7. "Saml2-browser-sso-redirect-post". Licensed #/media/File:Saml2-browser-sso-redirect-post.pngunder CC BY-SA 3.0 via Wikipedia - https://en.wikipedia.org/wiki/File:Saml2-browser-sso-redirect-post.png
  • 10. Entity and Service Examples ID Providers (IdPs) EntityIDs: Unique Identifiers UCF LDAP https://auth.yale.edu/idp/shibb Service Providers (SPs) http://qapub1.imodules.com/sp UCF ACTIVE DIRECTORY UCF CANVAS UCF HR SUBSCRIPTION DATABASE
  • 11.
  • 13. Lynda’s Tale • Previously logged in via IP • Couldn’t tell who was using it • Shibboleth already used for other campus services • Shibb login allows users to track progress
  • 14. HathiTrust’s Tale • Membership requirements: • Academic and research Institution • Paid fee • Shibboleth for authentication • Benefits: • Complete PDF download • Access to in-copyright material if owned by university
  • 15. Ezproxy’s Prologue • IP authentication widely used by vendors • Existed separately from campus federated ID and single sign on • Familiar to users • Extend campus single sign-on experience for database and journal access
  • 17. Functional Anecdote E-Res Librarian Role: Cheerleader; Project Manager; Requirements Co-Creator Library IT Role: Facilitator; Co-Creator; Internal Advisor Central IT Role: Shibboleth Admin; Attribute Mapper Vendor IT Role: Service Provider; External Advisor
  • 18. Key Attributes An attribute is simply a name-value pair providing single piece of information. Some subset of all attributes defines a unique individual.
  • 19. Shibboleth and EduPerson EduPerson Schema • Supports LDAP Environments • Familiar Attributes CommonName Surname/Family Name Email UserID “Shibboleth is a standards based, open source software package for web single sign-on across or within organizational boundaries.” I have one of each of those attributes!
  • 20. EduPerson Schema - Affiliations eduPersonAffiliation “broad category affiliations” Examples:  Faculty Staff Student  Alum  Employee Member Affiliate Library-Walk-in I graduated from this place AND I work here as Faculty!
  • 21. EduPerson Schema - Affiliations eduPersonPrimaryAffiliation “Think of this as the affiliation one might put on the name tag if this person were to attend a general institutional social gathering.” • Must also appear in eduPersonAffiliation  Faculty (mostly)
  • 22. EduPerson Schema - Affiliations eduPersonScopedAffiliation “Specifies the person's affiliation within a particular security domain in broad categories.” HathiTrust requires Scoped Affiliation Example: What is Athena’s affiliation to UCF, as translated by HathiTrust? faculty@ucf.edu
  • 23. Gollum the Freshman LDAP Precious wants your database. Do you know this person? 2 I need you to login. 3 1 That’s Gollum; he’s a student. 5 Ugh. Here you go, Gollum. 6UN Precious; PW: Precious 4
  • 24. Frodo the Alumnus LDAP I’d like to use your database. Do you know this person? 2 I need you to login. 3 1 4 That’s Frodo; he’s an alum. 5 Your license doesn’t allow alum access. 6 UN Fbaggins; PW: i<3Sam
  • 25. Saurman the Forgetful (or Malicious) LDAP I’d like to use your database. Do you know this person? 2 I need you to login. 3 1 I have no idea who this is 5 Not with that attitude (or login) you won’t. 6 UN: SauronRules; PW: friend? 4
  • 28. Chocolate and red wine–A comparison between flavonoids content FA Pimentel, JA Nitzke, CB Klipel, EV de Jong - Food chemistry, 2010 - Elsevier ... Cocoa has also been described as being a good source of flavonoids, such as catechins. ... Based on this, the present study was carried out to compare flavonoids content of different types of red wine and chocolate and to suggest a daily chocolate ingestion dose that could ... WHOA!! THIS ARTICLE IS PERFECT!
  • 29. You are a Guest. Sign In Chocolate and red wine–A comparison between flavonoids content FA Pimentel, JA Nitzke, CB Klipel, EV de Jong - Food chemistry, 2010 - ElsevierOH NO… I DON’T HAVE AN ELSEVIER LOGIN! BUT THE MORDOR UNIVERSITY LIBRARY SHOULD HAVE THIS…
  • 30. Where Are You From? I don’t even know where to begin checking his credentials. Better make small talk… So… where are you from?
  • 31. Where Are You From Region or Federation: Institution: Nazgul Group Mordor Choose your region or group and institution below to login. THIS SHOULD GET ME ACCESS.
  • 32. WAYF Authentication SAURAN LDAP Do you know this person? 4 LOGIN. 5 THAT’S NAZGULKING; HE’S SAURAN’S LIUTENANT. 7 OK. Read up! Where Are You From? I’m with the Nazgul! 2 3 8 I DEMAND THE ARTICLE ON CHOCOLATE AND WINE! UN: NAZGULKING; PW: IMMORT@L 6 1
  • 34. Ezproxy as a Shibboleth Service Provider
  • 35. Library Vendors in InCommon Federation: • Hathi Trust • EBSCOhost • ProQuest • EBL • Elsevier • JSTOR • …and many more https://spaces.internet2.edu/display/incli brary/targetresources https://spaces.internet2.edu/display/inclibr ary/registryofresources Enable Please!! They get our ENTITYid, and the eduPERSON assertation. OK
  • 36. InCommon Best Practices for Libraries Implement authorization via eduPerson attributes Shibboleth enable EZproxy Implement WAYFless URLs Implement authenticated direct links to resources. • Use Shibboleth-Ready Ezproxy Starting point URLs https://spaces.internet2.edu/display/inclibrary/Best+Practices
  • 37. EZproxy config.txt #### Shibboleth Stuff ShibbolethDisable 1.3 ShibbolethMetadata -EntityID=LibraryEZProxy -File=ucf-prod-metadata.xml -Cert=4 C -URL=https://idp-prod.cc.ucf.edu/idp/shibboleth
  • 38. Shibuser.txt EZproxy Admins if auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.6 eq "LibITGuy@ucf.edu"; Admin Deny Access to Problem Users if auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.6 eq “BadUser@ucf.edu"; Deny Set EZproxy username to UCF ID set login:loguser = urn:oid:1.3.6.1.4.1.5923.1.1.1.6
  • 39. Attribute Summary Table Friendly Name Formal Names eduPersonScopedAffiliation urn:oid:1.3.6.1.4.1.5923.1.1.1.9 eduPersonPrincipalName urn:oid:1.3.6.1.4.1.5923.1.1.1.6 eduPersonEntitlement urn:oid:1.3.6.1.4.1.5923.1.1.1.7 eduPersonTargetedID urn:oid:1.3.6.1.4.1.5923.1.1.1.10 sn urn:oid:2.5.4.4 givenName urn:oid:2.5.4.42 displayName urn:oid:2.16.840.1.113730.3.1.241 mail urn:oid:0.9.2342.19200300.100.1.3 InCommon Federation Attribute Summary https://www.incommon.org/federation/attributesummary.html
  • 40. Shibuser.txt Revisited if auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.6 eq "LibITGuy@ucf.edu"; Admin if auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.6 eq “BadUser@ucf.edu"; Deny set login:loguser = urn:oid:1.3.6.1.4.1.5923.1.1.1.6 if eduPersonPrincipalName equals thisperson then give them admin rights if eduPersonPrincipalName equals thisperson then deny them access Set login to user’s eduPersonPrincipalName
  • 41. EZproxy Shibb URLs • EZproxy Starting Point URLs https://login.ezproxy.net.ucf.edu/login&url= • Shibbolized https://login.ezproxy.net.ucf.edu/login?auth=shibb &url= • UCF Deployed in: • SFX • EBSCOhost Discovery • LibGuides and Database list
  • 42. Too Permissive! Current students Faculty Employees Alumni Previous students Department network accounts… YIKES!!! LDAP Everyone I know is an EduPerson! That’s good enough for me. EZproxy
  • 43. Common Library Entitlements Based on this doc, Implementing the Shibboleth - EZproxy Hybrid - InCommon, I think we need to add this to our shibuser.txt: If !(auth:urn:mace:dir:attribute- def:eduPersonEntitlement eq "urn:mace:dir:entitlement:comm on-lib-terms"); Deny I assume that our IdP is set up with the standard common-lib-terms entitlements. If not, then we should ask Matt and his crew to add it.
  • 44. common-lib-terms The common-lib-terms entitlement value represents the members of an institution that are included in the terms of typical library contract with a library resource provider. Nope
  • 45. Getting EZProxy Out of the Way • Challenges • Out-dated EZProxy links • Leverage service provider Shibb support • SPUEdit • “Rarely used directive” • Best Practice HERE…LET ME FIX THAT FOR YOU… https://www.incommon.org/library/docs/Best_Practices.pdf
  • 46. Summary
    • Shibboleth enables:
      • Single sign-on across institution and federation services
      • Seamless user experience
      • Customized services based on attributes
      • Personalized services for individuals
      • Anonymity
    • Requires collaboration:
      • Campus IT
      • Library IT
      • eResources Librarians
    • Works with and expands on EZproxy (IP-based) authentication
  • 47. Additional Resources
    Implementation Info
      • InCommon Library Collaboration
      • Registry of Resources
      • Shibb Training
      • Shibb – EZproxy Hybrid
    Vendor Specific Info
      • EZproxy
      • EBSCO
      • ProQuest
      • JSTOR
      • ACM
      • Elsevier
      • Ovid
      • Project Muse
      • Thomson
  • 48. Glossary
    • Assertion - The identity information provided by an Identity Provider to a Service Provider.
    • Attribute - A single piece of information. Some attributes are general; others are personal. Some subset of all attributes defines a unique individual. Examples of attributes are name and enrollment.
    • Attribute statement - Asserts that a subject is associated with certain attributes. An attribute is simply a name-value pair. Relying parties use attributes to make access-control decisions.
    • Authentication statement - States that the principal did indeed authenticate with the identity provider at a particular time using a particular method of authentication.
    • Authorization decision statement - Asserts that a subject is permitted to perform action A on resource R given evidence E.
    • eduPerson - An LDAP object class to facilitate inter-institutional applications.
    • EntityID - ID that identifies an enterprise in a federation. Usually a URL that points to an XML file of info about the entity, such as the Identity Provider URL and the network administrator.
    • Federated identity - Management of identity information between members of a federation.
    • Identity Provider (IdP) - The system that authenticates an entity.
    • Security Assertion Markup Language (SAML, pronounced sam-el) - An XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. (Wikipedia)
    • Service Provider (SP) - Makes online resources available to users based in part on information about them that it receives from other InCommon participants.
    • Where Are You From (WAYF) - A server used by the Shibboleth software to determine what a user's home organization is.
    • http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language#SAML_Assertions
  • 50. Thank you!
    Athena Hoeppner, UCF
    Adam Traub, UR

Editor's Notes

  1. I serve on the campus IT advisory group. One of the faculty on the committee reported wide-spread frustrations with using EZproxy. They complained that they routinely log in to VPN, used links in emails and RSS feeds and on the open web,…
  2. Slide to show two “business cases” for Shibboleth integration.
     Lynda reasons:
     • Previously logged in via IP in the “seat model,” which went away; the site license required login regardless of location. (Think B24x7.)
     • Anon: couldn’t tell who was using it, but the art folks were paying the bulk of the cost in cost-sharing (though we suspected use was widespread).
     • Other campus services (outside the library) were using Shibboleth (course management software/Gmail).
     • Logged in: know who is using it (generally reported in aggregate); allows users to track their own progress (as well as super-users tracking progress of “students” or staff).
     Bonus:
     • High-demand resource; no longer anonymous users
     • Smoother login process (campus uses Shibb for mail and LMS)
     • Individuals can track and save their progress in long courses
     • Integration with course assignments (power users)
  3. HathiTrust reasons: HathiTrust is not completely Open Access.
     Membership requirements:
     • Academic and research institutions
     • Submission of information about print holdings
     • $$ Fee
     • Shibboleth
     102 partner institutions listed on the Community page: colleges, universities, and 3 consortia; academic and research institutions.
  4. Examples taken from the eduPersonAffiliation controlled vocabulary (aka “permissible values”): https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-eduperson-201203.html#eduPersonAffiliation
     If Shibboleth is the software that allows single sign-on from Blackboard to EZproxy, eduPerson is the schema that allows that ability to be applied outside the institution, so you can go directly from Blackboard to a library database.
  5. Examples taken from the eduPersonAffiliation controlled vocabulary (aka “permissible values”): https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-eduperson-201203.html#eduPersonAffiliation
  6. In this example, if two institutions had identical licenses that allowed access for faculty but not staff, it might play out like this:
     • At UCF, Athena is considered faculty, so her “ScopedAffiliation” in regards to HathiTrust should be “faculty”: authorize Athena to use HathiTrust.
     • At UR, Adam is considered staff, so his “ScopedAffiliation” in regards to HathiTrust should be “staff”: do not authorize Adam to use HathiTrust (block access).
  7. Diagram template adapted from UFL: http://identity.it.ufl.edu/technical/shibboleth-docs/data-flow/
  8. Diagram template adapted from UFL: http://identity.it.ufl.edu/technical/shibboleth-docs/data-flow/
  9. Diagram template adapted from UFL: http://identity.it.ufl.edu/technical/shibboleth-docs/data-flow/
  10. Diagram template adapted from UFL: http://identity.it.ufl.edu/technical/shibboleth-docs/data-flow/
  11. Diagram template adapted from UFL: http://identity.it.ufl.edu/technical/shibboleth-docs/data-flow/
  12. Most publishers and database vendors are not members of the InCommon Federation. Ergo, they don’t have EntityIDs and can’t be SPs. IP authentication is widely used. What’s an eResources Librarian to do? Shibbolize EZproxy!
  13. There are great guides on Internet2.
      • Register EZproxy as an SP Entity on your campus
      • Set up which attributes will be released to EZproxy
      • Identify the roles that are authorized to use the service
      • Add code to the EZproxy config
      • Modify starting point URLs
      I chose not to implement WAYFless URLs. They would be similar to EZproxy starting point URLs. They would bypass the WAYF menus. From my perspective, they do not eliminate the need to maintain EZproxy configurations. Many library vendors do not participate in the InCommon Federation. Links from the Shibb-authorized site would not necessarily go to Shibb sites, so authentication would drop.
  14. Shib/EZproxy Hybrid compliance: https://www.incommon.org/library/docs/Best_Practices.pdf
  15. Why libraries (why not just campus IT)?
      • Understand who should have access and who should NOT have access
      • Know which vendors can be SPs
      • Imagine nifty things that Shibboleth could do for us