
* Rhys Smith Rhys.Smith@jisc.ac.uk [2020-02-25 12:20]:
> The eduPersonScopedAffiliation attribute has a value to cover this already - “library-walk-in”.
> How that might work in practice is that the library could give those users who visit an account that asserts that particular attribute/value, or if you have open access workstations, configure the SAML IdP to automatically authenticate that IP address as a particular shared user that asserts that particular attribute/value.

What Rhys said.
A complete technical write-up of doing the latter with Shibboleth can be found here: https://wiki.univie.ac.at/display/federation/IP-Authentication

While you may not be interested in some of the implementation details, there's also a bit of text on the principle and its limitations, e.g.:

All subjects mapped to a given "user" will appear as one
For the reason given above (subjects who don't authenticate with personal credentials at the IDP cannot reliably be identified by the IDP merely based on an IP address) the IDP cannot assert identities that differ (or rather: remain unchanged) per subject, as it has no way of knowing whether a given IP address still represents the same subject as moments before.

HTH,
-peter
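
An added illustration of the principle and its limitation discussed in this thread; it is not part of the original messages and is not the Shibboleth configuration from the linked write-up. The scope `example.org`, the shared user name `library-walkin`, the address ranges and the function names are all assumptions made up for the example.

```python
import ipaddress

SCOPE = "example.org"  # assumed scope of the IdP, not from the thread

# Constructed mapping: shared user -> networks of the open access workstations
WALK_IN_RANGES = {
    "library-walkin": ["192.0.2.0/28", "2001:db8:10::/64"],
}


def resolve_shared_user(client_ip, ranges=WALK_IN_RANGES):
    """Return the shared user mapped to client_ip, or None if no range matches."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None  # unparsable address: never treat it as a walk-in machine
    for user, cidrs in ranges.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if addr.version == net.version and addr in net:
                return user
    return None


def release_attributes(client_ip):
    """Attributes asserted for an IP-authenticated session.

    Returns None when the address is outside the walk-in ranges, meaning the
    subject has to log in with personal credentials instead.
    """
    user = resolve_shared_user(client_ip)
    if user is None:
        return None
    # Only the shared principal and the affiliation are asserted. There is no
    # per-subject identifier, because the IP address is all that is known.
    return {
        "principal": user,
        "eduPersonScopedAffiliation": [f"library-walk-in@{SCOPE}"],
    }


if __name__ == "__main__":
    # Two different people at two workstations are indistinguishable.
    print(release_attributes("192.0.2.5") == release_attributes("192.0.2.9"))
    print(release_attributes("198.51.100.7"))  # outside the ranges
```
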