This pilot demonstrated the use of a dedicated, IP-address based IdP. The pilot service has some distinctive features:
- It is for use only by walk-in users
- It is authenticated only by IP addresses
- It is managed by library staff via a web-based admin interface
- Library staff access the administration interface using their own institutional credentials
- Changes to the configuration for access control are available immediately.
- The IdP can can be run for one organisation or for many, as a shared service. It can be shared by a group of institutions in the same region, or even at a national federation level.
Authentication and User Attributes
Scopes must be configured in the SPs SP's metadata to be accepted: basic security checks in most SPs prevent IdPs from using arbitrary scopes.
Most academic eresources are configured to permit access according to licence agreements by matching the licensee's entity ID to supplied attribute data. As the shared IdP in the pilot has a new entity ID that is potentially shared by many organisations, each SP must configure access for each user of the shared IdP by checking against both scope and entity ID.
: An Example User
Andy Walker is a journalist and external guest at University One. He does not have an IT account but he does have walk-in access to the University library.
Barbara Jensen is a librarian at University One.
Andy is writing a newspaper article about dogs living on boats, and he visits University One's library to do some research.
He attempts to access a suitable photo archive using a university terminal for walk-in users.
|3.||However, he's blocked - the site requires Shibboleth authentication and he does not have an account.|
He reports this to Barbara at the library support desk and asks for help.
Barbara knows that University One has access to a special IP address-based IdP and that it has access to the archive, so she decides to add the terminal Andy that is using.
Barbara visits the administration page for the IdP, and logs in with her University One credentials.
She adds the IP address of the terminal. (184.108.40.206)
Barbara then asks Andy to try again, and to use the IPA IdP.
|6.||Andy returns to the terminal and tries again - and this time he can log in to the eResource. He is now able to do research for his article.|