
This page is intended to provide best practices for InCommon participants.  These best practices are all geared towards library resource providers and libraries.

Resource Providers

Resource providers deal with a variety of authentication challenges and often have to support several authentication schemes simultaneously.  Shibboleth is just one of those schemes.  These best practices should serve as a guideline for resource providers that are implementing Shibboleth.  These best practices have been written by InCommon member institutions that have experience integrating Shibboleth as an authentication option for library resources.

If all of these best practices are followed, libraries will be able to maintain the seamless access they can currently provide with IP-based authentication, and also have the groundwork laid for future developments such as personalized services. As there are many resource providers and all have different platforms and services, there is no expectation that all will be able to implement these best practices immediately. The best practices are therefore laid out as building blocks, or steps, in the implementation path. The steps are listed here, and each is then defined in more detail below.

  1. Implement WAYFless URLs.
  2. Implement authenticated direct links to resources.
  3. Shibboleth/EZproxy hybrid compliance.
  4. Authorization via eduPerson attributes.

Step 1: Implement WAYFless URLs

Simon McLeish coined the term WAYFless URL, and there is plenty of discussion of the term and its meaning on his wiki. In brief, WAYFless URLs are URLs to resources that bypass the Shibboleth Where Are You From (WAYF) step. For our purposes, this means providing a URL syntax with which a resource URL can be constructed to take the user through the authentication/SSO process without prompting them to identify their institution.
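The following is an added example, not part of the original page: it builds a WAYFless URL and validates an incoming one, so that the `target` cannot be used as an open redirect and the IdP is one the provider actually trusts. It assumes the resource runs a Shibboleth SP with its default `/Shibboleth.sso/Login` handler taking `entityID` and `target` parameters; the host names, `KNOWN_IDPS` and both function names are constructed for illustration, and a provider with its own URL syntax would apply the same checks to its own parameters.

```python
from typing import Tuple
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values; a real deployment takes these from its own
# configuration and from federation metadata.
SP_BASE = "https://resource.example.com"
LOGIN_HANDLER = "/Shibboleth.sso/Login"  # Shibboleth SP default handler path
KNOWN_IDPS = {"https://idp.university.example.edu/idp/shibboleth"}


def build_wayfless_url(idp_entity_id: str, resource_path: str) -> str:
    """Return a link that starts SSO at a fixed IdP, then lands on the resource."""
    if idp_entity_id not in KNOWN_IDPS:
        raise ValueError("unknown IdP entityID")
    # Accept only a path on this SP, never a full or scheme-relative URL.
    if not resource_path.startswith("/") or resource_path.startswith("//"):
        raise ValueError("resource_path must be a path on this SP")
    query = urlencode({"entityID": idp_entity_id, "target": SP_BASE + resource_path})
    return f"{SP_BASE}{LOGIN_HANDLER}?{query}"


def check_wayfless_url(url: str) -> Tuple[bool, str]:
    """Validate an incoming WAYFless link before acting on it."""
    parts = urlsplit(url)
    sp = urlsplit(SP_BASE)
    if (parts.scheme, parts.netloc, parts.path) != (sp.scheme, sp.netloc, LOGIN_HANDLER):
        return False, "not this SP's login handler"
    params = parse_qs(parts.query)
    entity_ids = params.get("entityID", [])
    targets = params.get("target", [])
    # Duplicate parameters are rejected so no two parsers can disagree on the value.
    if len(entity_ids) != 1 or len(targets) != 1:
        return False, "entityID and target must each appear exactly once"
    if entity_ids[0] not in KNOWN_IDPS:
        return False, "entityID not in federation metadata"
    target = urlsplit(targets[0])
    # The post-login destination must stay on this SP's scheme and host.
    if (target.scheme, target.netloc) != (sp.scheme, sp.netloc):
        return False, "target leaves this SP (open redirect)"
    return True, "ok"
```
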

Libraries
