ebsco, proquest configuration?

Bernd Oberknapp bo at ub.uni-freiburg.de
Fri Nov 16 12:53:32 EST 2012

On 11/14/2012 08:06 PM, Don Faulkner wrote:

> Would anyone care to share details of a working ebsco or proquest configuration?

Which ProQuest platform? search.proquest.com?

> I've run into a dead end configuring attribute resolution and release for ebsco. We had it working briefly in April, but had to pull it out when it broke our google release[1]. Now, I'm trying to put it back in and not getting anywhere. I'm getting ebsco's "Error 103" message, without much indication what's wrong. I'm not getting a lot of help out of ebsco right now. I've been told that they only have tools to debug UK Shibboleth users.
> We're releasing eduPersonScopedAffiliation and eduPersonEntitlement, as you can see here:
>     <afp:AttributeFilterPolicy id="ebscohost">
>         <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="http://shibboleth.ebscohost.com" />
>         <afp:AttributeRule attributeID="eduPersonEntitlement">
>             <afp:PermitValueRule xsi:type="basic:AttributeValueString" value="urn:mace:dir:entitlement:common-lib-terms" />
>         </afp:AttributeRule>
>         <!--
>         <afp:AttributeRule attributeID="eduPersonEntitlement">
>             <afp:PermitValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>
>         -->
>         <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
>             <afp:PermitValueRule xsi:type="basic:ANY" />
>         </afp:AttributeRule>
>     </afp:AttributeFilterPolicy>

If both eduPersonEntitlement urn:mace:dir:entitlement:common-lib-terms
and eduPersonScopedAffiliation are released you have to make sure that
the rules in EBSCOadmin cover all relevant attribute combinations. A
rule for common-lib-terms is not sufficient in this case because
EBSCOhost checks both attributes if present, and if the user has an
eduPersonScopedAffiliation but the scoped affiliation value in the rule
is empty the authorization will fail. If an attribute can contain
multiple values it usually isn't necessary to cover all combinations.
For example if the entitled users have common-lib-terms + member@scope +
(student@scope or employee@scope) one rule for common-lib-terms and
member@scope should be sufficient. My recommendation would be to release
either common-lib-terms (if that covers all entitled users) or
eduPersonScopedAffiliation (if you have to map the users to different
EBSCOhost groups depending on the affiliation), not both.

The debug link in the knowledge base entry
http://support.ebsco.com/knowledge_base/detail.php?id=3997 unfortunately
isn't working any more (I've reported the problem to EBSCO some time ago
but so far this hasn't been fixed), but at least you can check with
https://shibboleth.ebscohost.com/Shibboleth.sso/Session which attributes
and how many values the EBSCOhost SP has received. There is a special
troubleshooting link for the UK federation in the knowledge base entry
but that isn't working for me either. The EBSCO SP supports SAML2
bindings, but both the EBSCOhost WAYF page and the WAYFless URLs
currently only use SAML1, so your IdP must support SAML1 attribute
queries (or push the attributes for SAML1, too).

Best regards,

Bernd Oberknapp
Wissenschaftlicher Leiter ReDI

Albert-Ludwigs-Universität Freiburg
Rempartstraße 10-16 | Postfach 1629
D-79098 Freiburg    | D-79016 Freiburg

Telefon:  +49 761 203-3852
Telefax:  +49 761 203-3967
E-Mail:   bo at ub.uni-freiburg.de
Internet: www.ub.uni-freiburg.de
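
The following is an added example, not part of the original message and not EBSCO's code: a simplified Python model of the rule matching described in the reply, showing why a rule for common-lib-terms alone fails once eduPersonScopedAffiliation is also released. The class and function names, the `example.edu` scope and the treatment of a rule value for an attribute that was not released are assumptions.

```python
from dataclasses import dataclass

COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"

@dataclass(frozen=True)
class AdminRule:
    """Hypothetical stand-in for one EBSCOadmin rule; "" means left blank."""
    entitlement: str = ""
    scoped_affiliation: str = ""

def rule_matches(rule, released):
    """released maps attribute name -> list of values the SP received."""
    if not (rule.entitlement or rule.scoped_affiliation):
        return False  # assumption: a completely blank rule matches nobody
    checks = (
        ("eduPersonEntitlement", rule.entitlement),
        ("eduPersonScopedAffiliation", rule.scoped_affiliation),
    )
    for attr, wanted in checks:
        values = released.get(attr, [])
        if values:
            # Attribute was released, so it is checked: the rule must name
            # one of the received values. A blank rule field fails here.
            if wanted not in values:
                return False
        elif wanted:
            # Assumption: the rule requires a value that was never released.
            return False
    return True

def authorized(rules, released):
    """Access is granted if any single rule matches the released attributes."""
    return any(rule_matches(rule, released) for rule in rules)

# Constructed sample data (example.edu is a placeholder scope).
BOTH = {
    "eduPersonEntitlement": [COMMON_LIB_TERMS],
    "eduPersonScopedAffiliation": ["member@example.edu", "student@example.edu"],
}
ENTITLEMENT_ONLY = {"eduPersonEntitlement": [COMMON_LIB_TERMS]}

if __name__ == "__main__":
    entitlement_rule = AdminRule(entitlement=COMMON_LIB_TERMS)
    combined_rule = AdminRule(COMMON_LIB_TERMS, "member@example.edu")
    print("both released, entitlement-only rule:", authorized([entitlement_rule], BOTH))
    print("both released, combined rule:", authorized([combined_rule], BOTH))
    print("entitlement only, entitlement-only rule:",
          authorized([entitlement_rule], ENTITLEMENT_ONLY))
```
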
