Notes: Conference call 10-9-09

Vendor subgroup minutes

Attendees:

Jonathan Lavigne, Stanford
Fred Zhang, Michigan State
Andy Ingham, UNC
David Kennedy, Duke
Don Hamparian, OCLC

notes - kennedy


AGENDA

Pre-reading:
https://spaces.at.internet2.edu/display/inclibrary/Best+Practices
https://spaces.at.internet2.edu/display/inclibrary/RegistryOfResources

Introductions
  - including brief overview of InCommon Library Services Collaboration

OCLC
  - overview of Shibboleth implementation
  - usage of Shibboleth SP software (SessionInitiators?)
  - implementation of WAYFless URLs and direct links to resources
  - what has or hasn't worked
  - future plans

Implementation-specific questions/comments
  - When using EZproxy, a library can construct a link that goes directly to the database to start a search; the URL looks like:
http://firstsearch.oclc.org/dbname=AGRICOLA
When using the OCLC Shib WAYFless URL, the dbname attribute is not available, so FirstSearch always defaults to WorldCat as the database.
  - eduPersonEntitlement - OCLC requires a customer-specific string to be coded in eduPersonEntitlement.  This implementation does not use the 'standard' value of common-lib-terms.  Also, for some IdP implementations, this value is shared with other service providers.  Can this be changed to use 'common-lib-terms'?

Topics for discussion:

Best Practices
  - are these feasible for resource providers
  - do these make sense
  - thoughts on how to go about making this best practice amongst resource providers

What role should InCommon or the InCommon Library Services Collaboration play?
  - policy setters
  - documenters
  - testers
  - implementation documentation/assistance

Is there a desire/need for standardization across federation members' identity provider implementations that would simplify the process for resource providers' configurations?

What are we missing, especially things that you have learned from dealing with other federations besides InCommon?


NOTES FROM DISCUSSION

Kennedy gave an overview of InCommon Library Services Collaboration and vendor subgroup activities

OCLC history and implementation
OCLC has been using Shib with FirstSearch for about 3 years.  Started on SP 1.3.  In the 1st year or two, they saw only about 10 Shibboleth logins per year.  In the last 4-6 months, this has grown steadily.  A big driver in this growth is the switch in the UK from Athens to Shib.

OCLC supports many authentication mechanisms: IP, user/pass, referring URL, Athens and Shib (Shib being last on the list).  But they are now getting serious about Shib, and at the right time.

OCLC is developing a new content platform with a new IDM infrastructure that will be natively SAML-based.  The new content platform will initially have no Shibboleth support; that will be coming in the next calendar year.  When Shibboleth-enabled, it will initially be aware of the institution context and not of an individual's identity; this will be a later development.  So, the new IDM platform will not be able to seamlessly integrate institutional logins with WorldCat personal accounts.  The plan for FirstSearch is for its services to be available in the new platform, which will be a replacement for the current FirstSearch platform.

Implementation questions
Asked some specific implementation questions from the agenda:

OCLC was not aware of the dbname error, and Don will put it on their list.

Also, OCLC is aware of the eduPersonEntitlement blocker.  They have not yet worked through the workflow.  In their current identity management structure, logins must get associated with 'authos', or rights profiles, in order to correctly authorize a user for access to content.  With their use of Shibboleth, this means the appropriate 'authos' value needs to be delivered via the eduPersonEntitlement attribute.  This is in place because several customers have multiple authos for a single institution.

Hosted ILLiad
There is one hosted ILLiad instance in test now that is Shibboleth-enabled.  There is a second test instance lined up.

Best practices #1 - Attributes
With the current implementation, this is not possible for FirstSearch.  Since institutions may have multiple rights profiles (some institutions have 30-40 rights profiles), it is not possible to have one attribute that represents the common-lib-terms campus community.  With the best practices document, certain things have to be a given - that licenses fall under "common library terms".  Non-standard licenses wouldn't fall under that same premise.  With the best practices, maybe we (vendors and institutions) need to rethink how we do things.
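To make the authos-versus-common-lib-terms problem concrete, here is an added illustration (not OCLC's or the collaboration's code) of how an SP might resolve rights profiles from a multi-valued eduPersonEntitlement attribute: the federation-standard common-lib-terms value maps to a single default profile, while customer-specific values (the table and URNs below are constructed for the example) each select their own authos. Unknown values are ignored rather than matched by prefix.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPE_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"          # eduPersonEntitlement
COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"

# Hypothetical per-customer table: entitlement value -> rights profile ('authos').
# Values are constructed for this example; they are not real OCLC identifiers.
CUSTOMER_AUTHOS = {
    "urn:mace:example.edu:entitlement:firstsearch:main": "MAIN-LIB",
    "urn:mace:example.edu:entitlement:firstsearch:law": "LAW-LIB",
}
DEFAULT_AUTHOS = "MAIN-LIB"   # the one profile common-lib-terms can express

def entitlements(attribute_statement_xml: str) -> set[str]:
    """Collect every eduPersonEntitlement value from a SAML AttributeStatement."""
    root = ET.fromstring(attribute_statement_xml)
    values = set()
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == EPE_OID:
            for v in attr.iterfind("saml:AttributeValue", SAML_NS):
                if v.text:
                    values.add(v.text.strip())
    return values

def resolve_authos(values: set[str]) -> set[str]:
    """Map entitlement values to rights profiles using exact matches only."""
    profiles = {CUSTOMER_AUTHOS[v] for v in values if v in CUSTOMER_AUTHOS}
    if COMMON_LIB_TERMS in values:
        profiles.add(DEFAULT_AUTHOS)
    return profiles

# Constructed sample: an IdP releasing both the standard value and one
# customer-specific value for the same login.
SAMPLE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml:AttributeValue>
    <saml:AttributeValue>urn:mace:example.edu:entitlement:firstsearch:law</saml:AttributeValue>
    <saml:AttributeValue>urn:mace:example.edu:entitlement:firstsearch:lawX</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

if __name__ == "__main__":
    print(sorted(resolve_authos(entitlements(SAMPLE_STATEMENT))))
```

The third value differs from a known URN only by a trailing character and grants nothing, which is the behaviour to want when a single attribute is also released to other service providers.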

Looking at the immediate and moving forward, Hamparian discussed some strategies for transitioning from multiple authos into the new IDM structure.

Best practices #2 - WAYFless urls
OCLC currently supports IdP SSO style.  It was noted that the SessionInitiators solution is the preferred or more elegant solution.

Best practices #3 - Authenticated direct links to resources
It is not clear whether this is implemented.

Conversation continued on the discussion of rights profiles.  And we agreed that the conversation could continue on in email.
