
This page is intended to provide best practices for InCommon participants.  These best practices are all geared towards library resource providers and libraries.

Resource Providers

Resource providers deal with a variety of authentication challenges and often have to support several authentication schemes simultaneously.  Shibboleth is just one of those schemes.  These best practices should serve as a guideline for resource providers that are implementing Shibboleth.  These best practices have been written by InCommon member institutions that have experience integrating Shibboleth as an authentication option for library resources.

If all of these best practices are followed, libraries will be able to maintain the seamless access they can currently provide with IP-based authentication, and also have the groundwork laid for future developments such as personalized services.  As there are many resource providers and all have different platforms and services, there is no expectation that all will be able to implement these best practices immediately.  So, these best practices are laid out as building blocks or steps in the implementation path.  The steps are listed here, and each is described in its own section below.

  1. Implement WAYFless URLs.
  2. Implement authenticated direct links to resources.
  3. Support Shibboleth/EZproxy hybrid compliance.
  4. Authorize via eduPerson attributes.

Step 1: Implement WAYFless URLs

Simon McLeish coined the term WAYFless URL, and there is plenty of discussion of the term and its meaning on his wiki.  In brief, WAYFless URLs are URLs to resources that allow for bypassing the Shibboleth Where Are You From (WAYF) step.  For our purposes, this means providing a URL syntax such that a resource URL can be crafted to take the user through the authentication/SSO process without prompting the user to identify their institution.

There are two acceptable forms of WAYFless URLs.  The first is Session Initiators implemented by the resource provider.  The second is an SSO location provided by the identity provider.  Each of these is described below, along with some indication of what the resource provider must implement to support it.

Session Initiators

Session Initiators are URLs on the resource provider's site that accept two parameters, a resource location and an identity provider's entityID, and direct the user through the appropriate identity provider for authn and then on to the resource location, without requiring the user to identify where they are from.  The syntax of a session initiator URL is as follows:

http://resource-provider-site/session-initiator-url?entityID=IDENTITY-PROVIDER-ENTITYID&target=RESOURCE-URL

With session initiators, the library creating WAYFless URLs would need to know only the location of the session initiator URL, their own campus' identity provider entityID, and the URL of the resource they are trying to link to.  JSTOR is an example of a resource provider that has implemented Session Initiators:

http://www.jstor.org/start-session?entityID=provider-uri&target=target-url
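The following is an added example, not code from this page or from any resource provider, showing how a library would build a Session Initiator WAYFless URL of the form above and how the resource provider side would read it back.  The session initiator location, entityID and target are constructed sample values, and the check that the target stays on the resource provider's own host is an assumed policy, not something the page prescribes.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs

# Constructed sample values (not from the page). The target deliberately carries its
# own query string, which is the case where naive string concatenation goes wrong.
SAMPLE_INITIATOR = "https://www.example-rp.org/start-session"
SAMPLE_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
SAMPLE_TARGET = "https://www.example-rp.org/journal/article?id=123&view=full"


def build_wayfless_url(session_initiator, entity_id, target):
    """Build a Session Initiator WAYFless URL.

    session_initiator: the resource provider's session initiator URL
    entity_id:         the library's own IdP entityID (a URI with ':' and '/')
    target:            the resource URL the user should reach after authentication

    urlencode percent-encodes both values, so a target containing '?' and '&'
    survives as one parameter instead of being split apart by the initiator.
    """
    query = urlencode({"entityID": entity_id, "target": target})
    parts = urlsplit(session_initiator)
    # Preserve any query the session initiator URL already carries.
    combined = f"{parts.query}&{query}" if parts.query else query
    return urlunsplit((parts.scheme, parts.netloc, parts.path, combined, parts.fragment))


def parse_session_initiator_request(url, expected_host):
    """What a resource provider's session initiator recovers from the request URL.

    Returns (entity_id, target). Raises ValueError if a parameter is missing or
    if the target does not point back at the resource provider's own host
    (assumed policy: the initiator only hands users on to its own resources).
    """
    params = parse_qs(urlsplit(url).query)
    try:
        entity_id = params["entityID"][0]
        target = params["target"][0]
    except KeyError as missing:
        raise ValueError(f"missing parameter {missing}") from None
    if urlsplit(target).netloc != expected_host:
        raise ValueError(f"target host is not {expected_host}")
    return entity_id, target


if __name__ == "__main__":
    url = build_wayfless_url(SAMPLE_INITIATOR, SAMPLE_ENTITY_ID, SAMPLE_TARGET)
    print(url)
    print(parse_session_initiator_request(url, "www.example-rp.org"))
```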

Libraries
