jes59 at cornell.edu
Fri Aug 10 09:16:02 EDT 2018
Someone in our library asked me about this issue -- I couldn't really think of a good solution, so thought I'd ask around and see if anyone else had come up with anything. (I haven't looked into it very much - my apologies if I'm asking a stupid question.)
We have a use case where members of the public (i.e. unaffiliated folks without accounts) should be able to make use of our library services when they come on campus. This has (over the past several years) come to include access to e.g. online journals. I think that we're currently accomplishing this by a sort of IP whitelist where the online journal vendor doesn't prompt for authentication when requests come in from our library's network.
I guess that some of the vendors are trying to move away from doing this kind of thing, to e.g. SAML authentication for everybody.
I remember noticing the "library-walk-in" value in the eduPersonAffiliation spec (maybe: https://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html#eduPersonAffiliation ). So it seems like somebody has put some thought into this use case in the past.
But I can't imagine how to implement something like that?
The best thing I can picture is that maybe we could somehow configure our IdP such that when users log in from certain IPs on a list of library terminals, to certain SPs on a list of online library services, we don't even ask them to log in, but instead just send over a minimal assertion with e.g. a transient nameId and a eduPersonAffiliation:library-walk-in, and that's it. But the rest of the transactions (from non-library IPs or to non-library SPs) continue go through the normal login page process and get a more verbose assertion. I don't even know if it's possible to implement that?
I guess that I think the best solution is to keep the IP whitelist so that nobody on campus is asked to log in when they access these online library resources, and use the SAML authentication for off-campus access. This is basically what we're doing now, so we wouldn't change anything. But I sort of got the impression from my conversation that this option may be at risk of disappearing. (I didn't look into it very much.)
What do you think? Is there a standard or good approach to this issue?
More information about the users