...

It is also not very easy to obtain a complete list of Request Initiators from service providers in the library domain.

Configuring the IP-based Authentication plugin for the Shibboleth IdP to include library walk-in users

IP-based authentication for library walk-in users relies on the Shibboleth IP handler (a plugin for the Shibboleth IdP). In our instance we configured the Shibboleth login to cache the IP address of the calling user; this IP address is first checked against a list of IPs.

We therefore first chose our own networks. When people in “our local networks” click on the Shibboleth login, they do not see the username/password page: it is hidden from them. If their IP address belongs to a specific set of networks (recognized as “good ones”), the user is recognized as a library walk-in user and eduPersonScopedAffiliation is set to “library walk-in” (ePSA = ‘walk-in-user@institution-X’).

This is of course implemented only for library walk-in users: people belonging to an authorized network do not need to log in.

When both the IP handler and the username/password handler are configured, the Shibboleth IdP uses a sequential approach: it falls back to the login page if the user's IP is not in the list (one can configure a sequence of login handlers to be tried during the login phase).
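The sequential handler behaviour described above can be modelled as follows. This is an added example, not Shibboleth's code or the pilot's configuration: the function names, the request dictionary and the network ranges (documentation prefixes) are assumptions made for illustration.

```python
import ipaddress

# Constructed documentation ranges standing in for the library's own networks.
WALK_IN_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("192.0.2.0/24", "2001:db8:10::/48")]
WALK_IN_EPSA = "walk-in-user@institution-X"  # value quoted on the page


def ip_handler(request):
    """Recognise a walk-in user from the connection's source address."""
    # Only the address of the connection as seen by the IdP is used; request
    # headers such as X-Forwarded-For are client-controlled and never read here.
    try:
        addr = ipaddress.ip_address(request.get("remote_addr"))
    except ValueError:
        return None  # missing or malformed address: let the next handler run
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if any(addr in net for net in WALK_IN_NETWORKS):
        return {"method": "ip", "ePSA": WALK_IN_EPSA}
    return None


def password_handler(request):
    """Stand-in for the username/password handler: show the login page."""
    return {"action": "show_login_page"}


def authenticate(request, handlers=(ip_handler, password_handler)):
    """Try each login handler in order; the first one that answers wins."""
    for handler in handlers:
        result = handler(request)
        if result is not None:
            return result
    return {"action": "deny"}


if __name__ == "__main__":
    for src in ("192.0.2.44", "::ffff:192.0.2.44", "198.51.100.9", "not-an-ip"):
        print(src, "->", authenticate({"remote_addr": src}))
```

Because the IP handler asserts an identity without credentials, the address it tests has to be the one the IdP itself observes; behind a reverse proxy that means trusting only the proxy's own report of the peer address.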

 

Mapping to the Blueprint architecture


Overall, framed in the context of the Blueprint common reference architecture defined by AARC JR1, the architectural layers and functional components involved in the implementation of Library pilot n. 1, based on the Access Mode Switch provided by EZproxy and additional components, are the following, as shown in Figure 6 below:

  • IP-based authentication (User Identity layer)

  • SAML Federated Identity Provider (User Identity layer)

  • EZproxy access mode switch (Translation layer)

  • Publishers’ endpoint (both IP and Fed) (End Services)


Figure 6: Architectural components implemented by Library pilot n. 1 (Access Mode Switch)