library-walk-in

library-walk-in

Jerry Shipman
Hello,

Someone in our library asked me about this issue -- I couldn't really think of a good solution, so thought I'd ask around and see if anyone else had come up with anything. (I haven't looked into it very much - my apologies if I'm asking a stupid question.)

We have a use case where members of the public (i.e. unaffiliated folks without accounts) should be able to make use of our library services when they come on campus. This has (over the past several years) come to include access to e.g. online journals. I think that we're currently accomplishing this by a sort of IP whitelist where the online journal vendor doesn't prompt for authentication when requests come in from our library's network.

I guess that some of the vendors are trying to move away from doing this kind of thing, to e.g. SAML authentication for everybody.
I remember noticing the "library-walk-in" value in the eduPersonAffiliation spec (maybe: https://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html#eduPersonAffiliation ). So it seems like somebody has put some thought into this use case in the past.

But I can't imagine how to implement something like that?

The best thing I can picture is that maybe we could somehow configure our IdP such that when users log in from certain IPs on a list of library terminals, to certain SPs on a list of online library services, we don't even ask them to log in, but instead just send over a minimal assertion with e.g. a transient nameId and an eduPersonAffiliation:library-walk-in, and that's it. But the rest of the transactions (from non-library IPs or to non-library SPs) continue to go through the normal login page process and get a more verbose assertion. I don't even know if it's possible to implement that?

I guess that I think the best solution is to keep the IP whitelist so that nobody on campus is asked to log in when they access these online library resources, and use the SAML authentication for off-campus access. This is basically what we're doing now, so we wouldn't change anything. But I sort of got the impression from my conversation that this option may be at risk of disappearing. (I didn't look into it very much.)

What do you think? Is there a standard or good approach to this issue?

Thank you,
Jerry

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
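As an added illustration, not code from the thread or from the Shibboleth project, the Python below models the policy sketched in the message above: a request that comes from a library terminal address and is bound for an allow-listed library SP is answered with a minimal assertion (transient NameID plus eduPersonAffiliation=library-walk-in) and no login prompt; every other combination falls through to the normal login flow. The terminal subnets, SP entityIDs and issuer are constructed example values; the eduPersonAffiliation OID and the transient NameID format URN are the standard identifiers. In a Shibboleth IdP deployment the same decision would be expressed in IdP configuration rather than in application code; this block only makes the decision logic and the shape of the resulting assertion concrete.

```python
"""Model of a 'library walk-in' SSO policy (illustration, not an IdP)."""
import ipaddress
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EDUPERSON_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"  # eduPersonAffiliation

# Constructed policy inputs (assumptions for this example, not from the thread):
# the library's public terminal subnets and the SPs that serve library content.
LIBRARY_TERMINAL_RANGES = [
    ipaddress.ip_network("192.0.2.0/26"),
    ipaddress.ip_network("2001:db8:1::/64"),
]
LIBRARY_SPS = {
    "https://journals.example.org/shibboleth",
    "https://ebooks.example.net/sp",
}


@dataclass
class Decision:
    walk_in: bool  # True: skip the login page and issue the minimal assertion
    name_id_format: Optional[str] = None
    name_id: Optional[str] = None
    attributes: Dict[str, List[str]] = field(default_factory=dict)


def is_library_terminal(client_ip: str) -> bool:
    """Fail closed: an unparsable address is never treated as a terminal."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in LIBRARY_TERMINAL_RANGES)


def decide(client_ip: str, sp_entity_id: str) -> Decision:
    """Both conditions must hold; anything else goes through the normal login."""
    if is_library_terminal(client_ip) and sp_entity_id in LIBRARY_SPS:
        return Decision(
            walk_in=True,
            name_id_format=NAMEID_TRANSIENT,
            # Fresh random value per response, so sessions are not linkable.
            name_id="_" + secrets.token_hex(16),
            attributes={EDUPERSON_AFFILIATION: ["library-walk-in"]},
        )
    return Decision(walk_in=False)


def build_minimal_assertion(decision: Decision, issuer: str) -> str:
    """Render the Issuer, Subject and AttributeStatement of the minimal
    assertion. Signing, Conditions and validity windows are the IdP's job
    and are deliberately outside this model."""
    if not decision.walk_in:
        raise ValueError("only walk-in decisions produce a minimal assertion")
    ET.register_namespace("saml2", SAML_NS)
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion", Version="2.0")
    ET.SubElement(assertion, f"{{{SAML_NS}}}Issuer").text = issuer
    subject = ET.SubElement(assertion, f"{{{SAML_NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML_NS}}}NameID",
                            Format=decision.name_id_format)
    name_id.text = decision.name_id
    stmt = ET.SubElement(assertion, f"{{{SAML_NS}}}AttributeStatement")
    for name, values in decision.attributes.items():
        attr = ET.SubElement(
            stmt, f"{{{SAML_NS}}}Attribute", Name=name,
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri")
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(assertion, encoding="unicode")


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "https://journals.example.org/shibboleth"),
        ("192.0.2.10", "https://hr.example.edu/sp"),
        ("198.51.100.7", "https://journals.example.org/shibboleth"),
    ]
    for ip, sp in cases:
        d = decide(ip, sp)
        print(ip, sp, "-> walk-in" if d.walk_in else "-> normal login")
        if d.walk_in:
            print(build_minimal_assertion(d, "https://idp.example.edu/idp/shibboleth"))
```

Two points the model makes visible: the address check must be done on the address the IdP actually sees (a NAT or proxy in front of the terminals can make a much larger population look like "the library"), and the attribute set released on the walk-in path is the whole of what the SP learns, so keeping it to the single affiliation value is what makes the path minimal.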

Re: library-walk-in

Cantor, Scott E.
On 8/10/18, 9:16 AM, "users on behalf of Jerry Shipman" <[hidden email] on behalf of [hidden email]> wrote:

> I don't even know if it's possible to implement that?

Yes, it's possible. That was the use case in a nutshell.

> I guess that I think the best solution is to keep the IP whitelist so that nobody on campus is asked to log in when they
> access these online library resources, and use the SAML authentication for off-campus access. This is basically what
> we're doing now, so we wouldn't change anything. But I sort of got the impression from my conversation that this
> option may be at risk of disappearing. (I didn't look into it very much.)

I doubt it, but that's the reason SAML-based access can never be successful. As long as people keep using IP, that will always win. It's frictionless and simple. Any login is not, no matter what the protocol is. As soon as federated access becomes "special", it loses out. People view these sorts of dual paths as a transition aid, but they aren't, they actually prevent any progress because what's there is good enough.

-- Scott

