[Fim4l] Federated access - Walk-In

Peter Schober peter.schober at univie.ac.at
Tue Feb 25 15:58:19 CET 2020

* Rhys Smith <Rhys.Smith at jisc.ac.uk> [2020-02-25 12:20]:
> The eduPersonScopedAffiliation attribute has a value to cover this already - “library-walk-in”
> How that might work in practice is that the library could give those
> users who visit an account that asserts that particular
> attribute/value, or if you have open access workstations, configure
> the SAML IdP to automatically authenticate that IP address as a
> particular shared user that asserts that particular
> attribute/value.

What Rhys said.

A complete technical write-up of doing the latter with the Shibboleth
can be found here:
While you may not be interested in some of the implementation details,
there's also a bit of text on the principle and its limitations, e.g.:

> All subjects mapped to a given "user" will appear as one
> For the reason given above (subjects who don't authenticate with
> personal credentials at the IDP cannot reliably be identified by the
> IDP merely based on an IP address) the IDP cannot assert identities
> that differ (or rather: remain unchanged) per subject, as it has no
> way of knowing whether a given IP address still represents the same
> subject as moments before.
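
The address-based mapping discussed in this message, sketched as an added example that is not part of the original post or of the write-up it refers to, and is not Shibboleth configuration. The address ranges, the shared account name `walkin` and the scope `example.org` are constructed assumptions.

```python
import ipaddress

# Constructed sample configuration: documentation address ranges plus a
# hypothetical shared account name and scope, none taken from the thread.
WALK_IN_RANGES = ["192.0.2.0/28", "2001:db8:10::/64"]
SHARED_USER = "walkin"
SCOPE = "example.org"

_NETWORKS = [ipaddress.ip_network(r) for r in WALK_IN_RANGES]


def shared_principal(client_ip):
    """Return the shared account for a walk-in workstation address, else None."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None  # unparsable address: never map it to the shared account
    # Membership is False when address and network differ in IP version.
    if any(addr in net for net in _NETWORKS):
        return SHARED_USER
    return None


def release_attributes(client_ip):
    """Attributes asserted for an address-authenticated session, or None."""
    principal = shared_principal(client_ip)
    if principal is None:
        return None  # caller falls back to login with personal credentials
    # The address is the only input, so nothing here can differ per person:
    # every subject behind a listed address gets exactly this result.
    return {
        "principal": principal,
        "eduPersonScopedAffiliation": ["library-walk-in@" + SCOPE],
    }


if __name__ == "__main__":
    for ip in ("192.0.2.5", "192.0.2.9", "192.0.2.16", "2001:db8:10::1"):
        print(ip, release_attributes(ip))
```

Two different workstations in the range, or two different people at the same workstation, produce identical output, which is the limitation quoted above.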

