...
It is also not easy to obtain a complete list of Request Initiators from the service providers in the library domain.
Configuring the IP-based authentication plugin for the Shibboleth IdP to include library walk-in users
IP-based authentication for library walk-in users relies on the Shibboleth IP handler (a login-handler plugin for the Shibboleth IdP). In our instance we configured the Shibboleth login to capture the IP address of the caller, i.e. the calling user; this IP is first checked against a list of IP networks:
We therefore started with our own networks. Users coming from “our local networks” do not see the username/password page when they click on the Shibboleth login: it is hidden from them. If their IP address belongs to the specific set of networks recognised as “good ones”, the user is recognised as a library walk-in user and eduPersonScopedAffiliation is set to the library walk-in value (ePSA = ‘walk-in-user@institution-X’).
This is of course implemented only for library walk-in users: people connecting from an authorised network do not need to log in.
If both the IP handler and the username/password handler are configured, the Shibboleth IdP uses a sequential approach: it falls back to the login page if the user's IP is not in the list (a sequence of login handlers can be configured to be tried in turn at login time).
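The sequential handler chain described above, modelled as an added example (not the report's or the Shibboleth project's own code): an IP handler that checks the caller's address against a set of authorised networks and, on a match, issues only the walk-in affiliation with no personal identifier, followed by a username/password handler that is reached only when the IP handler did not match. The network ranges and the sample account are constructed values; `institution-X` is the placeholder scope the report itself uses.

```python
import hmac
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Networks recognised as "good ones" (campus / library networks).
# Constructed sample ranges from the RFC 5737 / RFC 3849 documentation blocks,
# not the networks of any real institution.
WALK_IN_NETWORKS = [ip_network(n) for n in (
    "192.0.2.0/24",        # constructed: reading-room wired network
    "198.51.100.128/25",   # constructed: library guest Wi-Fi
    "2001:db8:10::/48",    # constructed: IPv6 campus range
)]

# Scope used in the affiliation value; "institution-X" is the placeholder used in the report.
SCOPE = "institution-X"
WALK_IN_AFFILIATION = f"walk-in-user@{SCOPE}"

# Constructed sample account store standing in for the IdP's real user directory.
SAMPLE_ACCOUNTS = {"alice": "correct horse battery staple"}


@dataclass
class LoginResult:
    handler: str                 # which handler authenticated the request
    principal: Optional[str]     # None for walk-in users: no personal identifier is released
    attributes: dict = field(default_factory=dict)


def ip_address_handler(client_ip: str) -> Optional[LoginResult]:
    """First handler in the chain: succeed only if the caller's IP lies inside an authorised network."""
    try:
        addr = ip_address(client_ip)
    except ValueError:
        return None  # malformed or missing address: no match, fall through to the next handler
    if any(addr in net for net in WALK_IN_NETWORKS):
        return LoginResult(
            handler="ip",
            principal=None,
            attributes={"eduPersonScopedAffiliation": WALK_IN_AFFILIATION},
        )
    return None


def username_password_handler(credentials: Optional[dict]) -> Optional[LoginResult]:
    """Second handler: the username/password page, reached only when the IP handler did not match."""
    if not credentials:
        return None  # no form submitted yet: the IdP would render the login page at this point
    user = credentials.get("username", "")
    expected = SAMPLE_ACCOUNTS.get(user)
    if expected is not None and hmac.compare_digest(expected, credentials.get("password", "")):
        return LoginResult(
            handler="password",
            principal=user,
            attributes={"eduPersonScopedAffiliation": f"member@{SCOPE}"},
        )
    return None


def login(client_ip: str, credentials: Optional[dict] = None) -> Optional[LoginResult]:
    """Sequential login: handlers are tried in the configured order and the first success wins.

    Returns None when no handler succeeded, i.e. when the IdP would (still) show the login page.
    """
    handlers = (
        lambda: ip_address_handler(client_ip),
        lambda: username_password_handler(credentials),
    )
    for handler in handlers:
        result = handler()
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    for ip, creds in (("192.0.2.45", None),
                      ("203.0.113.9", None),
                      ("203.0.113.9", {"username": "alice", "password": "correct horse battery staple"})):
        print(ip, "->", login(ip, creds))
```

Two points the model makes visible: an IP-authenticated session carries only the scoped affiliation and no principal, so nothing personal is released for walk-in users; and the IP handler is only as trustworthy as the address it sees. If the IdP sits behind a reverse proxy or load balancer, the handler must be given the original client address rather than the proxy's, otherwise every request appears to come from one internal host and either everybody or nobody matches the walk-in networks.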
Mapping to the Blueprint Architecture
Overall, framed in the context of the Blueprint Architecture (the common reference architecture defined by AARC JR1), the architectural layers and functional components involved in the implementation of library pilot n. 1, based on the Access Mode Switch provided by EZproxy plus additional components, are the following, as shown in figure 6 below:
IP based authentication (User Identity layer)
SAML Federated Identity Provider (User Identity layer)
EZproxy access mode switch (Translation layer)
Publishers’ endpoints (both IP-based and federated) (End Services)
Figure 6: Architectural components implemented by Library pilot n.1 (Access Mode Switch)