Library Walk-in user

a) User authenticates using their campus-issued credentials

  1. (authN via Web SSO) Campus Community Member using a public machine in the library. The user logs in to the machine using their campus-issued credentials and the standard desktop login process; this gives them access to their network-based file space and perhaps other permissions on the desktop machine. When they access licensed material they are redirected to the campus IdP, authenticate once, and are redirected back to the resource. Subsequent access to other licensed material does not require additional authentication events.
  2. (authN via Desktop login) Campus Community Member using a public machine in the library. The user logs in to the machine using their campus-issued credentials and the standard desktop login process; this gives them access to their network-based file space and perhaps other permissions on the desktop machine. The login also leaves a Kerberos ticket (TGT) on the desktop. When they access licensed material they are redirected to the campus IdP, are auto-magically authenticated using SPNEGO and that Kerberos ticket, and are redirected back to the resource. Subsequent access to other licensed material does not require additional authentication events.
  3. (authN via swiped ID card) Campus Community Member using a public machine in the library. The user swipes their campus ID card in the kiosk's card reader; the library patron ID encoded on the card's mag stripe identifies them without a password ever being typed on the shared machine (see a.3 below).

b) User authenticated using credentials other than their campus-issued credentials

  1. (Login via IP address) A walk-in user sits at an "open access" machine in the library. No login is required to use the machine. The user attempts to access licensed material, is redirected to the campus IdP, is auto-magically authenticated using the University of Washington's mod_auth_location Apache module (http://staff.washington.edu/fox/authlocation/), which maps the machine's IP address to a user identity (e.g. GUEST1, which possesses a specific set of permissions, perhaps fewer than a community member's), and is redirected back to the resource.
  2. (Librarian does login for user) A walk-in user sits at an "open access" machine in the library. A library staff member logs them into the machine using the machine's own account. The user attempts to access licensed material, is redirected to the campus IdP, is auto-magically authenticated to the Shibboleth IdP using SPNEGO and the desktop (machine) credentials, which possess a specific set of permissions, perhaps fewer than a community member's, and is redirected back to the resource.

a.1. (authN via Web SSO) Campus Community Member using public machine in the library (Campus issued credentials)

Anne is a graduate student in Aerospace engineering. She's heard that someone has recently published a paper that is about her area of research. Her lab is in the building next to the university's science library and she decides to walk over.

She sits down at a kiosk machine and starts her search. She isn't interested in the local catalog. She is searching external reference databases because she's not sure the university subscribes to the journal in which the paper was published. Although it is a kiosk machine, when she chooses to search the external databases, she is prompted to authenticate.

The system offers her several authentication methods including a smart card or USB token, a soft certificate, or a username and password. She forgot to bring her token. She doesn't want to install a soft certificate because it is a shared public machine. Instead she simply types in her username and password over TLS/SSL.

She finds the article in a journal published in England and is able to bring up the full text in the browser via the campus EZProxy server.

She starts reading the paper and determines it is very relevant to her work, but doesn't invalidate her work. She mails the text of the article to herself and logs out. She leaves the library to go get a cup of coffee.


a.2. (authN via Desktop login) Campus Community Member using public machine in the library (Campus issued credentials)

Derek is a student. He needs to write a paper for his Network and Computer Security course. Between classes he visits one of the library branches. He isn't carrying his laptop today so he uses one of the kiosk machines.

The Kiosk machine is running a web browser showing the library home page with two authentication buttons on it. Derek knows that if he closes the browser he will be presented with the system login screen, the same system that is used in all of the computer labs on campus.

Derek closes the browser and chooses the computer login option. He logs in using his campus username and password. Once he is logged in he has access to his home directory on the distributed file system, and he starts up his word processor and a browser.

In the browser he navigates to the library site and starts working. He is not prompted to authenticate at the library site. His roaming user profile is set up to transparently authenticate to the campus IdP using HTTP SPNEGO (the Negotiate scheme). Since he is already logged into the desktop and holds a TGT, he never sees the authentication screen. If he is watching carefully he might see his browser do a quick redirect to the IdP and back when he first starts accessing protected library content.

Derek remembers to logout when he is done. Upon logout, the desktop system re-enters the kiosk mode used by the libraries.
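The transparent step in a.2 (and in item 2 of the summary above) is the browser answering the IdP's "WWW-Authenticate: Negotiate" challenge with an SPNEGO token built from Derek's TGT. A browser with no TGT (a kiosk in its generic mode, or a machine that is not domain-joined) still answers the challenge, but with NTLM, and the IdP should treat that as "no SSO available" and fall through to its password form rather than accept it. The following is an added example, not code from this page or from the Shibboleth project: it decodes the Authorization header, lists the mechanisms the browser offered in preference order (RFC 4178 negTokenInit inside an RFC 2743 InitialContextToken), and applies a Kerberos-only policy. The three sample headers are constructed here; the AP-REQ payload is a placeholder string, not a real ticket.

```python
"""Inspect 'Authorization: Negotiate <token>' and decide whether it is a
Kerberos SSO attempt or an NTLM fallback.  Added example; the sample tokens
are constructed, not captured."""
import base64

SPNEGO = "1.3.6.1.5.5.2"
KERBEROS_V5 = "1.2.840.113554.1.2.2"
MS_KRB5 = "1.2.840.48018.1.2.2"          # Microsoft's Kerberos OID; Windows lists it first
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_OIDS = (KERBEROS_V5, MS_KRB5)


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (enough for first arcs 0/1, which is all SPNEGO needs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]             # base-128, continuation bit on all but the last octet
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos=0):
    """Return (tag, body, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body


def build_neg_token_init(mechs, mech_token):
    """What a browser sends on its first Negotiate round trip:
    [APPLICATION 0] { SPNEGO OID, [0] NegTokenInit { [0] mechTypes, [2] mechToken } }."""
    mech_list = tlv(0x30, b"".join(encode_oid(m) for m in mechs))
    init = tlv(0x30, tlv(0xA0, mech_list) + tlv(0xA2, tlv(0x04, mech_token)))
    return tlv(0x60, encode_oid(SPNEGO) + tlv(0xA0, init))


def negotiate_mechs(header_value):
    """Return (mechanism OIDs in the browser's preference order, opaque mechToken)."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):              # bare NTLM, no SPNEGO wrapper at all
        return [NTLMSSP], raw
    tag, body, _ = read_tlv(raw)
    if tag != 0x60:
        raise ValueError("not a GSS InitialContextToken")
    oid_tag, oid_body, pos = read_tlv(body)
    if oid_tag != 0x06:
        raise ValueError("missing thisMech OID")
    mech = decode_oid(oid_body)
    if mech in KERBEROS_OIDS:                      # raw Kerberos AP-REQ, no SPNEGO
        return [mech], raw
    if mech != SPNEGO:
        raise ValueError("unknown mechanism " + mech)
    choice_tag, choice_body, _ = read_tlv(body, pos)
    if choice_tag != 0xA0:
        raise ValueError("expected negTokenInit")
    _, seq_body, _ = read_tlv(choice_body)
    mechs, mech_token = [], b""
    for field_tag, field in iter_tlvs(seq_body):
        if field_tag == 0xA0:                      # [0] mechTypes
            _, lst, _ = read_tlv(field)
            mechs = [decode_oid(b) for t, b in iter_tlvs(lst) if t == 0x06]
        elif field_tag == 0xA2:                    # [2] mechToken (for the first mech)
            _, mech_token, _ = read_tlv(field)
    return mechs, mech_token


def kerberos_sso_acceptable(header_value):
    """IdP policy: only a token whose preferred mechanism is Kerberos counts as
    SSO; anything else (NTLM first, or bare NTLM) falls through to the login form."""
    mechs, _ = negotiate_mechs(header_value)
    return bool(mechs) and mechs[0] in KERBEROS_OIDS


# Constructed sample headers.  "<AP-REQ placeholder>" stands in for a real ticket.
DEREK_HEADER = "Negotiate " + base64.b64encode(
    build_neg_token_init([MS_KRB5, KERBEROS_V5, NTLMSSP], b"<AP-REQ placeholder>")).decode()
NO_TGT_HEADER = "Negotiate " + base64.b64encode(
    build_neg_token_init([NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00")).decode()
BARE_NTLM_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

The policy keys on the first listed mechanism because, per RFC 4178, the mechToken carried in a negTokenInit belongs to that mechanism; an IdP that instead completes an NTLM exchange has silently downgraded Derek's Kerberos SSO to a different credential, and a kiosk in its generic state would never reach the password form at all.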



a.3. (authN via swiped ID card) Campus Community Member using public machine in the library (Campus issued credentials)

Paranoia U. doesn't want their campus users to type in their password on kiosk machines. Nor do they want to pay for USB tokens or smart cards. However, their campus ID cards have a mag stripe, and the library patron ID number for each person is encoded on the mag stripe. A mag stripe can be read and copied, so a swipe proves possession of the card rather than knowledge of a secret; the kiosk treats it as a lower-assurance login than a password and grants only library-level permissions on the strength of it.

Caroline walks into the library and sits down at a kiosk machine. A browser is running and the home page has two buttons on it. One says, "login using campus ID card". The other says, "all others". Caroline clicks on "login using campus ID card" and the next screen tells her to swipe her ID card in the card reader. The screen shows a simple animation indicating how to do it.

Caroline swipes her card and the browser gets redirected to the catalog system. She can browse the local catalog as well as search remote databases. The kiosk machine also has some locally installed native software. Because she used her ID card to authenticate she is also able to use those applications. "Other" users are not able to execute the locally installed native applications.

Caroline decides that she wants a book that is in the stacks at a branch in a different building. She reserves the book and indicates that she will pick it up at the circulation desk in the other branch.

Later that day Caroline visits the other branch and goes to the circulation desk. She explains that she reserved a book from a kiosk machine in another branch earlier in the day. The librarian asks for her ID card, and finds the book on the nearby shelf for pick ups. She swipes Caroline's card and hands her the book and her card.


b.1. Login via IP address (no campus issued credentials to the customer)

Igor works at a pathology lab located near the campus. His boss has asked him to learn about the effects of lightning on tissue samples. Although his boss has a great collection of Jacob's ladders and Tesla coils, his research library leaves a lot to be desired. Igor decides to head over to the local university's library to see what he can find.

Igor hasn't brought a laptop with him. He finds a kiosk machine. A browser is running and the home page has two buttons on it. One says, "login using your university account". The other says, "all others". Igor quickly realizes he is an "other" and chooses that button.

Under the covers, the kiosk machine is simply "authenticated" using its IP address when the "all others" button is clicked. That identity is only as trustworthy as the library's control over which machines can use those addresses, so the IdP must take the address from the network connection itself, not from anything the browser sends.

Igor is now able to browse the local university's resources, and a couple of other remote databases that are licensed for access by walk-in patrons as well as the regular campus community.

He never sees that there are hundreds of other databases accessible to people who log in with their campus credentials.
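The mapping behind the "all others" button in b.1 (and item 1 of the summary above) is a location table: source address ranges mapped to a guest identity and the entitlements that identity carries. The following is an added example in the style of that approach, not the mod_auth_location module itself and not code from this page; the subnets, identities and entitlement names are constructed for illustration. It does the longest-prefix match a real table needs when the kiosk VLAN sits inside the wider library range, and it shows the one mistake that turns "authenticated by IP" into "authenticated by whatever the client typed": believing an X-Forwarded-For header from an untrusted peer.

```python
"""IP-address 'authentication' for open-access kiosks.  Added example; the
location map and requests below are constructed, not a real deployment."""
import ipaddress

# Constructed location map: prefix -> (identity, entitlements).
LOCATION_MAP = [
    ("192.0.2.0/24",    "GUEST2", {"local-catalog"}),                      # whole library building
    ("192.0.2.0/26",    "GUEST1", {"local-catalog", "walkin-databases"}),  # kiosk VLAN inside it
    ("2001:db8:1::/64", "GUEST1", {"local-catalog", "walkin-databases"}),  # kiosk VLAN, IPv6
]

# Longest prefix first, so the most specific range wins when ranges overlap.
_TABLE = sorted(
    ((ipaddress.ip_network(p), who, frozenset(ents)) for p, who, ents in LOCATION_MAP),
    key=lambda row: row[0].prefixlen, reverse=True)


def identity_for_address(remote_addr):
    """Map a source address to (identity, entitlements); None if it is not a
    known kiosk location or not an address at all."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None
    for net, who, ents in _TABLE:
        if addr.version == net.version and addr in net:
            return who, ents
    return None


def location_login(request, trusted_proxies=()):
    """The 'all others' button.  request is a dict with 'remote_addr' (the TCP
    peer the IdP actually sees) and 'headers'.  X-Forwarded-For is believed
    only when the TCP peer is one of our own reverse proxies, and then only the
    last hop, which is the one that proxy appended itself."""
    peer = request["remote_addr"]
    xff = request["headers"].get("X-Forwarded-For", "")
    if xff and peer in trusted_proxies:
        peer = xff.split(",")[-1].strip()
    return identity_for_address(peer)


def naive_location_login(request):
    """The mistake to avoid: trusting X-Forwarded-For from anyone.  A client
    anywhere on the Internet sends 'X-Forwarded-For: 192.0.2.5' and is GUEST1."""
    xff = request["headers"].get("X-Forwarded-For")
    claimed = xff.split(",")[0].strip() if xff else request["remote_addr"]
    return identity_for_address(claimed)


# Constructed requests.
KIOSK_REQUEST = {"remote_addr": "192.0.2.5", "headers": {}}
STAFF_PC_REQUEST = {"remote_addr": "192.0.2.200", "headers": {}}
SPOOFED_REQUEST = {"remote_addr": "203.0.113.9",
                   "headers": {"X-Forwarded-For": "192.0.2.5"}}
VIA_PROXY_REQUEST = {"remote_addr": "198.51.100.1",            # our reverse proxy
                     "headers": {"X-Forwarded-For": "203.0.113.9, 192.0.2.5"}}
```

If the IdP sits behind a load balancer, `remote_addr` is the balancer for every request and the table is useless unless the balancer's address is in `trusted_proxies`; if it does not, any X-Forwarded-For handling at all is a hole. Either way the guest identity should carry only the entitlements the walk-in licences actually permit, since the "authentication" is really a statement about a network port.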


b.2. Librarian does login for user, aka kiosk machine has its own account. (no campus issued credentials to the customer)

Karl works at a local manufacturing company as a mechanical engineer. He is working on a new project that is stretching his current knowledge. He has decided that he needs to catch up on some technology issues. He is not able to access some articles via Google, although he found citations and abstracts that looked appropriate.

He walks into the science library at the nearby university and wants to browse the catalog. He hasn't brought a laptop with him and he finds a kiosk machine. There is a browser running, displaying the library's home page. He opens another browser window and repeats his Google search. That provides him with the titles of the papers, the publication and the authors.

He goes back to the browser window displaying the home page of the library system. He enters in the information about the articles. He finds that the library has a book by two of the authors but he can't find the articles.

Karl finds a librarian and explains the situation. The librarian explains that since he is not part of the university, he can't access any of the external databases which the library makes available to the university community, but he can access any of the library's holdings.

The librarian offers to help Karl with his search. Together they find some articles and a thesis that may be relevant. The thesis is in the library storage annex, but it is also available online. Karl indicates that he wants to read the thesis and it is rendered as a PDF file on the kiosk machine.

Karl did not have to authenticate to the storage annex to get access to the thesis. Instead the kiosk machine had its own set of credentials which it used for the authentication.

The kiosk machine authenticated using a Kerberos keytab or a Windows domain computer account; the permissions attached to that machine account, not to Karl, are what the annex enforced.


b.3. customer is a visitor from another school, which is also a member of the InCommon Federation (no local campus credentials issued to the customer)

Virgil from Virginia State is visiting the campus. He is a graduate student studying virology, and is visiting his brother, Vinny, who is a student at the local campus.

Even though it is spring break at Virginia State, Virgil gets an SMS message from his faculty advisor asking Virgil to send him the citations for the paper that will be submitted for review next week. He also asks Virgil to review the third section of the paper and revise it based on the latest findings from the Stanford team which recently appeared in Nature. Virgil mutters, "Better times perhaps await us who are now wretched." and asks Vinny for directions to the library.

Virgil arrives at the library. The first thing he does is locate a recent copy of Nature with the article from the Stanford team and reads it once again. Next he locates a kiosk machine. The kiosk is running a browser displaying the library home page.

The first thing Virgil does at the kiosk machine is open up a new browser window. He types in the URL to the login page for RefWorks. He chooses to login and gets redirected to the InCommon Federation Discovery Service. He picks Virginia State from the pick list and gets redirected to his IdP. He enters his username and password and gets redirected back to his RefWorks account. He can now see all of the citations that he has collected, and those that he has marked for inclusion in the paper.

In the next browser window he connects to Virginia State's instance of Open Wetware and clicks on the login button. He sees the screen briefly redirect to the IdP and back, and now he is logged into the Open Wetware wiki. He navigates to the paper and jumps to section three. He starts to rewrite that section in light of the recent findings published in Nature.

He also decides to look at the references listed at the end of the Nature article. He goes back to the library home page and performs some searches. He finds there is a copy of most of the references in the local stacks of this library. He goes and gets them and starts reading them while at the kiosk machine. He finds some good material to help him flesh out the third section. He adds some of the secondary references to his collection in RefWorks, and marks them as part of the collection associated with the paper.

He also realizes they need to run some new trials. He creates a new wiki page outlining the experiment they need to run when he gets back to the lab. He saves his work and drops a note to his advisor, pointing him at the updated references, updated section three of the paper, and the note about the new trials.

Virgil mutters, "Happy the man who has been able to learn the causes of things," and goes looking for Vinny.