Federated access - Walk-In
Dear all,
Many libraries can, as part of their agreement with a publisher, provide access to subscribed publications to users that visit the premises. That's easy enough when the library has IP address access configured with the publisher.
Has anyone given any thought to how that would work with federated access, where libraries don't use IP address authentication?
And if yes, are there any thoughts or tips to be shared?
Thanks, Meshna
Meshna Koren
Associate Product Manager Product Management - Identity and Access - Research Products
Elsevier BV Radarweg 29, Amsterdam 1043 NX, The Netherlands m.koren@elsevier.commailto:m.koren@elsevier.com
Federated Access - SAML, Shibboleth, Corporate SSO, OpenAthens, Institutional Login
________________________________
Elsevier B.V. Registered Office: Radarweg 29, 1043 NX Amsterdam, The Netherlands, Registration No. 33156677, Registered in The Netherlands.
The eduPersonScopedAffiliation attribute has a value to cover this already - “library-walk-in”
How that might work in practice is that the library could give those users who visit an account that asserts that particular attribute/value, or if you have open access workstations, configure the SAML IdP to automatically authenticate that IP address as a particular shared user that asserts that particular attribute/value.
It’s then up to the publisher to make the authorisation decision about whether a library-walk-in is allowed access to that particular resource.
If you just google “library-walk-in SAML” you should find some resources describing that above. I think GÉANT have some docs around some work they’ve done in this area.
Best, Rhys. -- Dr Rhys Smith Chief Technical Architect, Trust & Identity Jisc
T: +44 (0) 1235 822145 M: +44 (0) 7968 087821 Skype: rhys-smith GPG: 0x4638C985
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under company number 05747339, VAT number GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800.
On 25 Feb 2020, at 11:15, Koren, Meshna (ELS-AMS) M.Koren@elsevier.com wrote:
Dear all,
Many libraries can, as part of their agreement with a publisher, provide access to subscribed publications to users that visit the premises. That's easy enough when the library has IP address access configured with the publisher.
Has anyone given any thought to how that would work with federated access, where libraries don't use IP address authentication?
And if yes, are there any thoughts or tips to be shared?
Thanks, Meshna
Meshna Koren
Associate Product Manager Product Management - Identity and Access - Research Products
Elsevier BV Radarweg 29, Amsterdam 1043 NX, The Netherlands m.koren@elsevier.com
Federated Access - SAML, Shibboleth, Corporate SSO, OpenAthens, Institutional Login
Elsevier B.V. Registered Office: Radarweg 29, 1043 NX Amsterdam, The Netherlands, Registration No. 33156677, Registered in The Netherlands.
FIM4L mailing list FIM4L@lists.daasi.de http://lists.daasi.de/listinfo/fim4l
Hi Meshna.
For this our library provides a day pass, a "Library service card". One needs to go to the library desk to register and to show identification card etc. Then a password is set and given. The account authenticates for our e-resources like a student account. Quite some security rules apply here and the password is reset at the end of the session. We don't use the additional "library-walk-in" attribute as far as I know, which is a nicer solution. At least for you to recognize walk-in users.;) And if a publisher demands it to let it be known, then we need to use this attribute.
best, Jos
On 25/02/2020, 12:20, "FIM4L on behalf of Rhys Smith" <fim4l-bounces@lists.daasi.de on behalf of Rhys.Smith@jisc.ac.uk> wrote:
The eduPersonScopedAffiliation attribute has a value to cover this already - “library-walk-in”
How that might work in practice is that the library could give those users who visit an account that asserts that particular attribute/value, or if you have open access workstations, configure the SAML IdP to automatically authenticate that IP address as a particular shared user that asserts that particular attribute/value.
It’s then up to the publisher to make the authorisation decision about whether a library-walk-in is allowed access to that particular resource.
If you just google “library-walk-in SAML” you should find some resources describing that above. I think GÉANT have some docs around some work they’ve done in this area.
Best, Rhys. -- Dr Rhys Smith Chief Technical Architect, Trust & Identity Jisc
T: +44 (0) 1235 822145 M: +44 (0) 7968 087821 Skype: rhys-smith GPG: 0x4638C985
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under company number 05747339, VAT number GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800.
> On 25 Feb 2020, at 11:15, Koren, Meshna (ELS-AMS) M.Koren@elsevier.com wrote: > > Dear all, > > Many libraries can, as part of their agreement with a publisher, provide access to subscribed publications to users that visit the premises. That's easy enough when the library has IP address access configured with the publisher. > > Has anyone given any thought to how that would work with federated access, where libraries don't use IP address authentication? > > And if yes, are there any thoughts or tips to be shared? > > Thanks, > Meshna > > > > Meshna Koren > > Associate Product Manager > Product Management - Identity and Access - Research Products > > Elsevier BV > Radarweg 29, Amsterdam 1043 NX, The Netherlands > m.koren@elsevier.com > > Federated Access - SAML, Shibboleth, Corporate SSO, OpenAthens, Institutional Login > > > > > Elsevier B.V. Registered Office: Radarweg 29, 1043 NX Amsterdam, The Netherlands, Registration No. 33156677, Registered in The Netherlands. > > _______________________________________________ > FIM4L mailing list > FIM4L@lists.daasi.de > http://lists.daasi.de/listinfo/fim4l
_______________________________________________ FIM4L mailing list FIM4L@lists.daasi.de http://lists.daasi.de/listinfo/fim4l
* Rhys Smith Rhys.Smith@jisc.ac.uk [2020-02-25 12:20]:
The eduPersonScopedAffiliation attribute has a value to cover this already - “library-walk-in”
How that might work in practice is that the library could give those users who visit an account that asserts that particular attribute/value, or if you have open access workstations, configure the SAML IdP to automatically authenticate that IP address as a particular shared user that asserts that particular attribute/value.
What Rhys said.
A complete technical write-up of doing the latter with the Shibboleth can be found here: https://wiki.univie.ac.at/display/federation/IP-Authentication While you may not be interested in some of the implementation details there's also a bit of text on the principle and its limitations, e.g.:
All subjects mapped to a given "user" will apear as one
For the reason given above (subjects who don't authenticate with personal credentials at the IDP cannot reliably be identified by the IDP merely based on an IP address) the IDP cannot assert identities that differ (or rather: remain unchanged) per subject, as it has no way of knowing whether a given IP address still represents the same subject as moments before.
HTH, -peter
Hi Meshna.
Do you know https://wiki.geant.org/display/AARC/Libraries+walk-in-user+pilot ? There should be more on https://aarc-project.eu/libraries/ , but my FF is blocking access due to a certifcate problem; i'm looking who to report this to as to resolve it ;-).
Kindest regards,
Raoul.
On 25-02-2020 12:15, Koren, Meshna (ELS-AMS) wrote:
Dear all,
Many libraries can, as part of their agreement with a publisher, provide access to subscribed publications to users that visit the premises. That's easy enough when the library has IP address access configured with the publisher.
Has anyone given any thought to how that would work with federated access, where libraries don't use IP address authentication?
And if yes, are there any thoughts or tips to be shared?
Thanks,
Meshna
**
*Meshna Koren***
/Associate Product Manager/
*/Product Management - Identity and Access/**/- /**/Research Products/**//*
*//*
*/Elsevier BV/*//
/Radarweg 29, Amsterdam 1043 NX, The Netherlands/
/m.koren@elsevier.com mailto:m.koren@elsevier.com/
//
/Federated Access - SAML, Shibboleth, Corporate SSO, OpenAthens, Institutional Login/
//
Elsevier B.V. Registered Office: Radarweg 29, 1043 NX Amsterdam, The Netherlands, Registration No. 33156677, Registered in The Netherlands.
FIM4L mailing list FIM4L@lists.daasi.de http://lists.daasi.de/listinfo/fim4l
Hi,
The alternative link for AARC being https://aarc-community.org/libraries/ does work.
Best regards, Maarten
On 25 Feb 2020, at 13:04, Raoul Teeuwen raoul.teeuwen@surfnet.nl wrote:
Hi Meshna.
Do you know https://wiki.geant.org/display/AARC/Libraries+walk-in-user+pilot ? There should be more on https://aarc-project.eu/libraries/ , but my FF is blocking access due to a certifcate problem; i'm looking who to report this to as to resolve it ;-).
Kindest regards,
Raoul.
On 25-02-2020 12:15, Koren, Meshna (ELS-AMS) wrote:
Dear all,
Many libraries can, as part of their agreement with a publisher, provide access to subscribed publications to users that visit the premises. That's easy enough when the library has IP address access configured with the publisher.
Has anyone given any thought to how that would work with federated access, where libraries don't use IP address authentication?
And if yes, are there any thoughts or tips to be shared?
Thanks, Meshna
Meshna Koren
Associate Product Manager Product Management - Identity and Access - Research Products
Elsevier BV Radarweg 29, Amsterdam 1043 NX, The Netherlands m.koren@elsevier.com
Federated Access - SAML, Shibboleth, Corporate SSO, OpenAthens, Institutional Login
Elsevier B.V. Registered Office: Radarweg 29, 1043 NX Amsterdam, The Netherlands, Registration No. 33156677, Registered in The Netherlands.
FIM4L mailing list
FIM4L@lists.daasi.de http://lists.daasi.de/listinfo/fim4l
FIM4L mailing list FIM4L@lists.daasi.de http://lists.daasi.de/listinfo/fim4l
Teilnehmer (6)
-
Jos Westerbeke -
Koren, Meshna (ELS-AMS) -
Maarten Kremers -
Peter Schober -
Raoul Teeuwen -
Rhys Smith