The UC libraries authentication task force has been working for a couple of months now. We're going to first summarize the costs and benefits of an explicit pursuit of shibboleth-based authentication for the libraries (by 4/9) and then, by 6/15, describe the technical and policy implementation "paths" that could/should be taken. As part of that work we're very close to being ready to ask UCTrust principals for advice/help. At first pass we're interested in these topics:
- In order to characterize the way in which library services/applications fit into shibboleth and SSO paths it would be useful to have a brief, high-level description of the authN environment at each campus, including the underlying authN mechanism(s), the number and type of applications using SSO, and, in particular, shibboleth, and the preferred route to request that attributes be relased to additional service providers (where the services are either directly managed by the libraries or with the library as "broker" for a 3rd party or vended service, such as a library content provider). Are such descriptions, which seem to be a bit more than the InCommon "Statement of Practices" available and up to date?
- Is there any particular challenge for UC IdPs to meet the IdP components of the InCommon library "Best Practices"? Note especially the use of eduPersonEntitlement and the standard value for it: "common-lib-terms" (https://spaces.internet2.edu/display/inclibrary/Best+Practices).
- Will UCTrust remain the preferred group with whom to consult when the libraries collectively have identity management questions, or requests to take a UC-wide approach to using a new attribute or a new attribute release policy? If so, should, or how should, we formalize that consultative relationship?
– John Ober, Chair UC Libraries Shibboleth Task Force