DO NOT CONSUME UNCOOKED

This is an early draft specification. All aspects and details of this document are subject to change.
The whole thing may be scrapped before actually being used anywhere. It may also eat your homework.

Attribute Definition

Contracts covering access to licensed electronic resources may contain language to the effect that access should be permitted to subjects physically present in the "library", on the "campus", or on the "company" IP network, either in addition to or as an alternative to federated access control. To enable the Service Provider (SP) to determine whether someone accessing its service is on the campus/company network of a given customer (institution), it is usually provided with a list of IP address ranges in some manual, out-of-band process.

This document specifies an attribute that can be used instead of such manual processes by transferring the list of "on-premise" IP network ranges "in-band" as part of each individual's login process. The SP may then dynamically determine whether the IP address from which a subject is currently accessing a given resource falls within the list of IP network ranges provided with that login.

Attribute Name

The formal name of this attribute is urn:mace:aco.net:attrs:on-premise-network

Attribute Values

Each value of this attribute specifies one IP address range of publicly routed IP addresses, in CIDR notation, that the asserting party considers to be "on premise". The attribute is multi-valued: the complete list of ranges is transferred as one value per range.

IP ranges of private network addresses or ULA MUST NOT be included.

IP addresses of VPN or proxy servers allowing access to the on-premise network from outside the premises MUST NOT be included.
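The following is an added example of how an SP might consume this attribute; it is not part of the specification and not code from ACOnet. It parses the multi-valued attribute with Python's standard ipaddress module, rejects values that violate the two MUST NOTs above (private ranges, ULA, and other non-global space) instead of trusting them, and then checks whether the client's address falls inside one of the accepted prefixes, unwrapping IPv4-mapped IPv6 addresses as seen on dual-stack sockets. The attribute values and client addresses are constructed sample data; the prefixes are not claims about any real allocation. The VPN/proxy rule cannot be verified on the SP side and remains the asserting party's responsibility.

```python
"""SP-side handling of urn:mace:aco.net:attrs:on-premise-network.

Added example, not part of the specification. Sample attribute values and
client addresses below are constructed; the prefixes are not claims about
any real allocation.
"""
import ipaddress

ATTRIBUTE_NAME = "urn:mace:aco.net:attrs:on-premise-network"


def parse_on_premise_networks(values):
    """Validate the multi-valued attribute received during login.

    Returns (accepted, rejected). Each value must be a CIDR prefix of
    publicly routed addresses; private ranges, ULA, loopback, link-local and
    other non-global space are rejected rather than silently trusted, because
    matching a client against e.g. 10.0.0.0/8 would grant "on-premise" status
    to anyone behind any NAT.
    """
    accepted, rejected = [], []
    for value in values:
        try:
            # strict=True: a prefix with host bits set is treated as a
            # misconfigured value and reported, not silently masked.
            net = ipaddress.ip_network(value.strip(), strict=True)
        except ValueError as exc:
            rejected.append((value, f"not a valid CIDR prefix: {exc}"))
            continue
        if net.is_private:
            rejected.append((value, "private, ULA or otherwise reserved range"))
        elif net.is_multicast or not net.is_global:
            rejected.append((value, "not publicly routed"))
        else:
            accepted.append(net)
    return accepted, rejected


def is_on_premise(client_ip, networks):
    """True if client_ip lies inside one of the accepted on-premise prefixes.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d, as delivered by dual-stack
    sockets) are unwrapped so that they match IPv4 prefixes.
    """
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in networks)


# Constructed sample: what an IdP might assert for one login (two valid
# prefixes plus values that violate the MUST NOTs or are simply broken).
SAMPLE_VALUES = [
    "185.240.0.0/22",
    "2a00:1234::/32",
    "10.0.0.0/8",        # private: MUST NOT be included
    "fd00::/8",          # ULA: MUST NOT be included
    "127.0.0.0/8",       # loopback
    "185.240.1.5/22",    # host bits set: rejected, not silently masked
    "not-a-cidr",
]


def classify_sample_login(client_ip):
    """Run the full SP-side check for one constructed login."""
    accepted, rejected = parse_on_premise_networks(SAMPLE_VALUES)
    return {
        "accepted": [str(n) for n in accepted],
        "rejected": [v for v, _reason in rejected],
        "on_premise": is_on_premise(client_ip, accepted),
    }


if __name__ == "__main__":
    for ip in ("185.240.1.77", "::ffff:185.240.1.77",
               "2a00:1234:abcd::1", "10.1.2.3"):
        print(ip, classify_sample_login(ip))
```

Rejected values should be logged with their reason rather than dropped silently: a private range showing up in this attribute is most likely an IdP misconfiguration, and the institution will want to know about it.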

Known Issues

  • Repeatedly transferring data that rarely changes (such as an institution's IP network ranges) with every login is not very efficient.
  • Transfer of very large lists of IP network ranges may cause delays or other issues during login.

1 Comment

  1. Should probably be renamed to on-premise-networks (plural!) to better indicate that multiple values are to be expected (and at any rate, legal).