Using the Shibboleth to Athens Gateway

WARNING: This page is retained as a historical record but is out-of-date and is not being maintained.

This was a working document belonging to the Computing Service's Shibboleth Development Project. This project is complete (Raven now supports Shibboleth) and this document only remains for historical and reference purposes. Be aware that it is not being maintained and may be misleading if read out of context.

The Shibboleth to Athens gateway allows people to authenticate using Shibboleth and then gain access to resources that are protected by Athens. The gateway is run under contract for JISC by EduServ - it appears that use of the gateway will be available at no cost to us until at least July 2011 - see this blog entry.

Using the gateway

This section of this document have been replaced by http://www.lib.cam.ac.uk/electronicresources/stepbystep.html

Access Control

This section of this document have been replaced by Athens Gateway access control.

Issues

1. For sites that support customisation and the like, note that your identity as established via the gateway is different to your identity established via 'Classic Athens' - you are in effect two different people.

2. Some sites are known not to work via the gateway. There a list at http://www.athensams.net/allresources/nongatewayresources.aspx

Westlaw is one - the error message displayed (Description: Error getting sponsor based on prefix for: _wplsf6omk2rfw7lfveb - No Athens prefix found in DB.) confirms that they are still relying on the outdated practice of checking Athens ID prefixes to identify home institution, a practice that it incompatible with the gateway.

Of the other titles listed, a number are not Cambridge UL subscriptions. The most significant titles on the list are LexisNexis Professional, which is likely to be replaced this year and not in any case currently Athens protected, and the Routledge Encyclopedia of Philosophy.

3. Even once in production, anyone navigating to a supplier site and choosing to authenticate via Athens will see big 'Username' and 'Password' boxes, as well as a small 'Alternate login' link. It will be a documentation/training challenge to convince them to follow the alternate login link and NOT to put their Raven userid and password into the boxes provided which won't work and which will compromise the security of their Raven account.

4. The gateway effectively 'creates' an Athens ID for everyone who uses it. This is a meaningless, 20 character string starting with an underscore that users will not in general recognise. Unfortunately some sites think it's a good idea to use it like a name e.g. Adept Scientific: "Special prices for _wplsf6omk2rfw7lfveb. As a member of Cambridge University Library you are eligible for...".

5. The fact that the gateway caches things like permission sets means that if someone tries and fails to gain access then, even after we add them to the relevant group, there is going to be a delay before they can access the resource that want.

6. What happens when someone not authorised to use the gateway tries to access resources through it will probably be confusing. They won't immediately be refused access, but if they accesses a resource directly and goes through the required discovery process, they are going to see an error at either the EduServ AP or from the resource provider telling them something along the lines of "You are logged into Athens but you do not have access to this resource" [example]. If they login to MyAthens they will be able to login but there will be no resources listed for them to login to [example].

7. Gateway (or AthensDA) doesn't work for Z39.50 (e.g. to Zetoc) and requires some sort of work-around for CrossFire via the CrossFire Commander client (see Sean Dunne <Sean.Dunne@MANCHESTER.AC.UK> to ATHENSDA@JISCMAIL.AC.UK, Fri, 26 Aug 2005. CrossFire users in the university have access through DiscoveryGate so this is not significant.