Using the Shibboleth to Athens Gateway: Difference between revisions

From RavenWiki
Jump to navigationJump to search
(Fix 'Gateway will remain' blog entry URL)
(Access control moved to its own document)
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{shib-project}}
{{shib-project}}


The Shibboleth to Athens gateway allows people to authenticate using Shibboleth and then gain access to resources that are protected by Athens. The gateway is run under contract for JISC by EduServ - it appears that use of the gateway will be available at no cost to us until at least July 2011 - see [http://involve.jisc.ac.uk/wpmu/jam/2007/05/16/gateway-access-comments-and-clarifications/ this blog entry]. The University currently (as at 2007-05-17) has 'testing' access via the gateway, but this means that it doesn't work quite as it will once in production (see below).
The Shibboleth to Athens gateway allows people to authenticate using Shibboleth and then gain access to resources that are protected by Athens. The gateway is run under contract for JISC by EduServ - it appears that use of the gateway will be available at no cost to us until at least July 2011 - see [http://involve.jisc.ac.uk/wpmu/jam/2007/05/16/gateway-access-comments-and-clarifications/ this blog entry].


Note that our Shibboleth IdP, on which use of the gateway depends, is itself only a pilot (as at 2007-05-17) and liable to service interruptions without notice.
==Using the gateway==
 
: '''This section of this document have been replaced by http://www.lib.cam.ac.uk/electronicresources/stepbystep.html'''


==Access Control==
==Access Control==


Use of the gateway is controlled by membership of groups and other attributes in [http://www.lookup.cam.ac.uk lookup].
: '''This section of this document have been replaced by [[Athens Gateway access control]].
 
Anyone with a 'MIS status' of 'staff' or 'student' (or both) in lookup will get access to the majority of Athens resources, corresponding to the cam#default0 Athens permission set, by default. This will be correct for the majority of students and University (but not College) staff, but can be modified by group membership as follows:
 
; [http://www.lookup.cam.ac.uk/group/100926 Shibboleth service Athens gateway overrides]
: Members of this group are granted access to the majority of Athens resources, corresponding to the cam#default0 Athens permission set. Membership of this group will only be required to grant access to users who don't have it by default.
 
; [http://www.lookup.cam.ac.uk/group/100927 Shibboleth service medical overrides]
: Members of this group are granted access to medically-restricted material, both via the gateway (corresponding to the cam#aaemo permission set) and directly via Shibboleth.
 
; [http://www.lookup.cam.ac.uk/group/100925 Shibboleth service Athens gateway blacklist]
: Members of this group are administratively prohibited from accessing any resources via the Shibboleth to Athens gateway. This group is provided to implement short-term blocks in response to misuse, etc. This prohibition applies both to members of the two groups above and to anyone receiving access by default.
 
Membership of these three lists and other details about them are managed by the members of a fourth group, [http://www.lookup.cam.ac.uk/group/100924 Shibboleth service lookup group managers]. Members of this group can go to the 'Members' tab of any of these four lists and from there add or remove members. They can also edit other details of the four groups (such as title, access controls, etc.) but in general should avoid doing so.
 
Members of a fifth group, [http://www.lookup.cam.ac.uk/group/100947 Shibboleth service lookup group readers] have read access to the membership lists of the other groups, but are n ot permitted to modify them.
 
Once you have authenticated to the gateway it caches the permission set(s) that were allocated to you for up to 8 hours. As a result, changes to group membership don't immediately affect access control decisions even if you quit your browser and restart.
 
==Using the Gateway==
 
Once in production it will (if I've got this right) be possible to use the gateway to access any Athens-protected resource (such as [http://auth.athensams.net/my/ MyAthens]) by navigating to the resource, following links to log in via Athens, selecting an [[Media:Athens-login.png | 'Alternate login']] (or similar) link, and choosing 'University of Cambridge' from [[Media:Athens-alternate-login.png | the resulting dialogue]] (the 'Athens Home Domain Discovery Service', HDDS). This will take you to our Raven/Shibboleth service where you will identify yourself, 'log you in' to Athens,  and then take you back to the resource you wanted.
 
However, since we are still in testing, doing this at the moment (2006-05) just throws up a box containing contact details. If you want to see what this will eventually look like, pretend you are from Cardiff - you'll be able to follow the sequence up to the point that Cardiff's equivalent to Raven asks for a user name and password.
 
For the time being, you should follow this link
https://auth.athensams.net/setsite.php?id=urn:mace:eduserv.org.uk:athens:provider:cam.ac.uk&ath_dspid=ATHENS.MY&ath_returl=%2Fmy
 
which will do exactly what selecting 'University of Cambridge' while trying to get to MyAthens will eventually do - [[Media:Athens-setsite-confirm.png | confirm you want Cambridge]], log you in to Athens and send you to MyAthens. Similar URL's could be constructed for any Athens service (MyAthens is just an example) by replacing the ath_dspid and/or ath_returl parameters with other values but doing so probably isn't important since this is all largely an artefact of the current 'testing' status of our gateway access.
 
Because you are 'logged in' to Athens you will be able to access further Athens resources directly during this browser session without further authentication. You will also now have a long term cookie (ath_ldom) which will cause your browser to automatically use the Cambridge shibboleth service by default for all future Athens authentication.
 
<div id="back">Alternatively you can follow this link</div>
https://auth.athensams.net/setorg.php?id=urn:mace:eduserv.org.uk:athens:provider:cam.ac.uk&ath_returl=https%3a%2f%2fwiki.csx.cam.ac.uk%2fraven%2fUsing_the_Shibboleth_to_Athens_Gateway#back
 
which will just set the ath_ldom cookie if necessary and bring you back here. Subsequent attempts to access Athens resources will automatically be routed to Cambridge via the gateway, just as if you had previously accessed something like MyAthens as described above.
 
Having done all this, if you want to stop using the gateway and go back to using 'Classic Athens' then either delete the ath_ldom cookie set by the host auth.athensams.net, or select the 'I am not from Cambridge University Library' (sic.) link that is [[Media:Athens-login-continue.png | displayed]] before referring you to Cambridge.
 
This use of ath_ldom means that it's difficult to use gateway access and 'Classic Athens' during the same browser session. This will still happen once our use of the gateway is in production mode - once you have accessed any Athens resource via the gateway all your subsequent accesses during that session will automatically use the gateway. Apparently it is possible to use target resource locator (TRL) (see [[Athens DA Protocol]]) to construct special links which will will bypass the HDDS, allowing selected resources to be accessed by Classic Athens even when everything else is using the Gateway.
 
Note that, since many of our Athens-protected resources are available by IP address from within the University, it can be difficult to easily distinguish between access granted by address and access granted via the gateway when working from computers on the University network. Access to an external connection, e.g. NTL broadband, makes life easier.


==Issues==
==Issues==

Latest revision as of 12:47, 8 October 2007

ShibbolethLogoColorSmall.png
WARNING: This page is retained as a historical record but is out-of-date and is not being maintained.

This was a working document belonging to the Computing Service's Shibboleth Development Project. This project is complete (Raven now supports Shibboleth) and this document only remains for historical and reference purposes. Be aware that it is not being maintained and may be misleading if read out of context.

The Shibboleth to Athens gateway allows people to authenticate using Shibboleth and then gain access to resources that are protected by Athens. The gateway is run under contract for JISC by EduServ - it appears that use of the gateway will be available at no cost to us until at least July 2011 - see this blog entry.

Using the gateway

This section of this document have been replaced by http://www.lib.cam.ac.uk/electronicresources/stepbystep.html

Access Control

This section of this document have been replaced by Athens Gateway access control.

Issues

1. For sites that support customisation and the like, note that your identity as established via the gateway is different to your identity established via 'Classic Athens' - you are in effect two different people.

2. Some sites are known not to work via the gateway. There a list at http://www.athensams.net/allresources/nongatewayresources.aspx

Westlaw is one - the error message displayed (Description: Error getting sponsor based on prefix for: _wplsf6omk2rfw7lfveb - No Athens prefix found in DB.) confirms that they are still relying on the outdated practice of checking Athens ID prefixes to identify home institution, a practice that it incompatible with the gateway.

Of the other titles listed, a number are not Cambridge UL subscriptions. The most significant titles on the list are LexisNexis Professional, which is likely to be replaced this year and not in any case currently Athens protected, and the Routledge Encyclopedia of Philosophy.

3. Even once in production, anyone navigating to a supplier site and choosing to authenticate via Athens will see big 'Username' and 'Password' boxes, as well as a small 'Alternate login' link. It will be a documentation/training challenge to convince them to follow the alternate login link and NOT to put their Raven userid and password into the boxes provided which won't work and which will compromise the security of their Raven account.

4. The gateway effectively 'creates' an Athens ID for everyone who uses it. This is a meaningless, 20 character string starting with an underscore that users will not in general recognise. Unfortunately some sites think it's a good idea to use it like a name e.g. Adept Scientific: "Special prices for _wplsf6omk2rfw7lfveb. As a member of Cambridge University Library you are eligible for...".

5. The fact that the gateway caches things like permission sets means that if someone tries and fails to gain access then, even after we add them to the relevant group, there is going to be a delay before they can access the resource that want.

6. What happens when someone not authorised to use the gateway tries to access resources through it will probably be confusing. They won't immediately be refused access, but if they accesses a resource directly and goes through the required discovery process, they are going to see an error at either the EduServ AP or from the resource provider telling them something along the lines of "You are logged into Athens but you do not have access to this resource" [example]. If they login to MyAthens they will be able to login but there will be no resources listed for them to login to [example].

7. Gateway (or AthensDA) doesn't work for Z39.50 (e.g. to Zetoc) and requires some sort of work-around for CrossFire via the CrossFire Commander client (see Sean Dunne <Sean.Dunne@MANCHESTER.AC.UK> to ATHENSDA@JISCMAIL.AC.UK, Fri, 26 Aug 2005. CrossFire users in the university have access through DiscoveryGate so this is not significant.