Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: sort genios SPs together

...

Note
iconfalse

The service provider needs to actually check for those attributes and deny access if the agreed-upon attribute value has not been provided in the response. There is no other way for an institution to signal whether an individual should be entitled to a resource or not. Authentication at an academic institution does not mean the subject is necessarily authorized to access licensed resources on behalf of that institution.

The eduPerson specification has defined the generic attribute eduPersonEntitlement to communicate entitlements, permissions or rights between entities. For the specific case of library services MACE-Dir has then defined a standard eduPersonEntitlement attribute value (see below for details). This is the only attribute (other than maybe a unique identifier) library services will generally need, as such no more data should be sent from the Identity Provider:

common-lib-terms Entitlement

Here's the current common-lib-terms specification.

"Friendly" attribute nameFormal SAML2 attribute name (on-the-wire)Attribute value string
eduPersonEntitlementurn:oid:1.3.6.1.4.1.5923.1.1.1.7urn:mace:dir:entitlement:common-lib-terms

The NameFormat (what format is the formal attribute name in) is always "urn:oasis:names:tc:SAML:2.0:attrname-format:uri".  For legacy services still using the SAML1.x protocol the formal attribute name is "urn:mace:dir:attribute-def:eduPersonEntitlement" (instead of urn:oid:1.3.6.1.4.1.5923.1.1.1.7). See https://eduid.at/entities/sp and "mouse-over" the requested attribute's name to find out its formal name for a given service, if in doubt.

...

Define the attribute

See our IDP 3 4 Attribute resolution documentation for a simple example of how to generate and assign the common-lib-terms entitlement based on eduPersonAffiliation values.

...

Code Block
languagehtml/xml
titleRelease eduPersonEntitlement by enumerating SPs
<AttributeFilterPolicy id="CommonLibTerms">
    <PolicyRequirementRule xsi:type="OR">
        <Rule xsi:type="Requester" value="https://test-sp.aco.net/shibboleth" />
        <Rule xsi:type="Requester" value="https://ieeexplore.ieee.org/shibboleth-sp" />
        <Rule xsi:type="Requester" value="http://shibboleth.ebscohost.com" />
        <Rule xsi:type="Requester" value="https://sp.tshhosting.com/shibboleth" />
        <Rule xsi:type="Requester" value="https://www.content-select.com/simplesaml/module.php/saml/sp/metadata.php/preselect.media-sp" />
        <Rule xsi:type="Requester" value="https://sdauth.sciencedirect.com/" />
        <Rule xsi:type="Requester" value="https://www.tandfonline.com/shibboleth" />
        <Rule xsi:type="Requester" value="https://fsso.springer.com" />
        <Rule xsi:type="Requester" value="https://secure.nature.com/shibboleth" />
        <Rule xsi:type="Requester" value="https://shibboleth.genios.de/shibboleth" />
        <Rule xsi:type="Requester" value="https://shibboleth-faz.genios.de/shibboleth" /> 
        <Rule xsi:type="Requester" value="https://shibboleth.statista.com" />
        <Rule xsi:type="Requester" value="https://www.hanser-elibrary.com/shibboleth" />
        <Rule xsi:type="Requester" value="https://shibboleth.ovid.com/entity" />
        <Rule xsi:type="Requester" value="https://prd.thieme.de/shibboleth-sp" />
        <Rule xsi:type="Requester" value="https://www.beck-elibrary.de/Shibboleth.sso" />
        <Rule xsi:type="Requester" value="https://www.nomos-elibrary.de/Shibboleth.sso" />
        <Rule xsi:type="Requester" value="https://iam.atypon.com/shibboleth" />
        <Rule xsi:type="Requester" value="https://portal.zedhia.at/saml" />
        <Rule xsi:type="Requester" value="https://sp.eblib.com/shibboleth" />
        <Rule xsi:type="Requester" value="https://login.intelliconnect.inta.cch.com/" />
        <Rule xsi:type="Requester" value="https://shibbolethsp.jstor.org/shibboleth" />
        <Rule xsi:type="Requester" value="https://shibboleth-sp.prod.proquest.com/shibboleth" />
        <Rule xsi:type="Requester" value="https://elibrary.verlagoesterreich.at" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="eduPersonEntitlement">
        <PermitValueRule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms" />
    </AttributeRule>
</AttributeFilterPolicy>

...

Code Block
languagehtml/xml
titleRelease eduPersonScopedAffiliation by enumerating SPs that don't support entitlements
<AttributeFilterPolicy id="LibrarySPsScopedAffiliation">
    <PolicyRequirementRule xsi:type="OR">
        <Rule xsi:type="Requester" value="https://shibboleth.cambridge.org/shibboleth-sp" />
        <Rule xsi:type="Requester" value="https://shibboleth.highwire.org/entity/secure-sp" />
        <Rule xsi:type="Requester" value="https://secure.nature.com/shibboleth" />
        <Rule xsi:type="Requester" value="https://ticket.iop.org/shibboleth" />
        <Rule xsi:type="Requester" value="https://shib.rsc.org/shibboleth" />
        <Rule xsi:type="Requester" value="https://sp.emerald.com/sp" />
        <Rule xsi:type="Requester" value="https://cas.manz.at/shibboleth" />
        <Rule xsi:type="Requester" value="https://lindedigital.at/shibboleth" />
        <Rule xsi:type="Requester" value="https://shib.lexisnexis.com" />
        <Rule xsi:type="Requester" value="https://signin.lexisnexis.com/lnaccess/fed/authn" />
        <Rule xsi:type="Requester" value="https://www.utb-studi-e-book.de/websso/metadata" />
        <Rule xsi:type="Requester" value="https://elibrary.hogrefe.de" />
        <Rule xsi:type="Requester" value="https://sp.ebrary.com/shibboleth" />
  </PolicyRequirementRule>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="OR">
            <Rule xsi:type="Value" value="student"  ignoreCase="true" />
            <Rule xsi:type="Value" value="staff"    ignoreCase="true" />
            <Rule xsi:type="Value" value="faculty"  ignoreCase="true" />
            <Rule xsi:type="Value" value="employee" ignoreCase="true" />
            <Rule xsi:type="Value" value="member"   ignoreCase="true" />
            <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
        </PermitValueRule>
    </AttributeRule>
</AttributeFilterPolicy>

Better approaches

Clearly having Having a Service Category defined for Library Services would might help managing the release policies in a more consistent and less implementation-specific way. Discussion about that is currently ongoing and and proposals for that sometimes appear and ACOnet is actively contributing to further developments in that space. As always, please discuss and share examples with the community.

...