From Andy Ingham (University of North Carolina-Chapel Hill)

UNC-Chapel Hill has run EZproxy in production for many years. We are planning to Shibbolize our EZproxy in early May 2009. Our campus computing group (ITS) is supporting the IdP and the Library will continue to run the EZproxy software as it shifts to Shibboleth.

Our main problems relating to EZproxy authentication include:

  • some legitimate users (in our ILS's "patron db") are NOT represented in the ITS (campus level) user database
  • some legitimate users are ONLY in a THIRD data source (neither the ITS user database NOR the "patron db")
  • certain user ATTRIBUTES (for users that ARE in the ITS database) are available ONLY in our "patron db"; this will continue to require a "secondary" lookup for authorization purposes AFTER authentication against the ITS IdP

From Tim Mori (North Carolina State University)

One of the issues we deal with at the library here at NC State is having a large database of non-campus users, i.e. Friends of the Library members, who require a separate authentication path. People who join our FoL organization receive library privileges, and in order to provide this, these users have been entered into our ILS system (Sirsi-Dynix Unicorn). As a result we have a few thousand accounts for which we have to provide a login method.

Our campus authentication system provides something similar to Shib's Where Are You From functionality. Users can select an affiliation, one of which is "library patron". At that point they're routed to a form on our web server that allows them to enter information that is looked up in our ILS system, and subsequently a cookie is sent flagging them as authorized.

The major problem is that the accounts are just in the ILS; there's no directory system for them. We would have to either come up with a Shibbolized method of authenticating this group of users (currently it's a simple SQL lookup in the database via Perl), or I'd need to figure out how to dump out all the user accounts and import them into a directory server that Shib can access.

Another wrinkle that's added to this problem is that some electronic resources are restricted to students, faculty, and staff. We have to prove to our vendors that FoL members and/or walk-ins cannot access these resources. It appears that EZproxy should be able to handle groups of people and restrict resources based on groups, but I don't know if this functionality could be used by Shibboleth.
