Using the Shibboleth to Athens Gateway: Difference between revisions
Revision as of 17:07, 12 September 2007
This was a working document belonging to the Computing Service's Shibboleth Development Project. This project is complete (Raven now supports Shibboleth) and this document only remains for historical and reference purposes. Be aware that it is not being maintained and may be misleading if read out of context.
The Shibboleth to Athens gateway allows people to authenticate using Shibboleth and then gain access to resources that are protected by Athens. The gateway is run under contract for JISC by EduServ - it appears that use of the gateway will be available at no cost to us until at least July 2011 - see this blog entry: http://involve.jisc.ac.uk/wpmu/jam/2007/05/16/gateway-access-comments-and-clarifications/
Using the gateway
First time through on any particular browser
- Go to an Athens-protected resource and follow the link(s) to the normal Athens login page.
- DON'T TYPE YOUR RAVEN USERID/PASSWORD INTO THE USERNAME AND PASSWORD BOXES PRESENTED - this won't work and will only disclose your Raven ID and password to EduServ.
- Find and follow the 'Alternative login' link.
- On the resulting page, find a link to 'University of Cambridge' (either by searching or navigating the tree) and follow it.
- Notice the 'Remember this organisation on this computer' box on the next page and see below; select 'Go >>' to "Go to the University of Cambridge login page", after which you should see a Raven login page and you can follow your nose.
All this will appear to work even if you are not entitled to use Athens resources until you have completed the entire process and been sent back to the resource, at which point you'll get a (probably unintelligible) error message if you've been denied access.
First-time users should know that they may have to get past a rather embarrassing number of 'click-through' acceptance screens. The worst case, for someone who has never even used Raven before, is
- A prompt to accept the UCS rules, displayed by us
- A prompt to accept the Raven/Shib service Ts&Cs, displayed by us
- A prompt to accept the release of personal data to the Eduserv Gateway, displayed by us
- A prompt to accept the Athens Ts&Cs, displayed by EduServ
- [Optionally] A prompt to accept the resource's Ts&Cs, displayed by the resource
Most of these they will never see again, or only fairly, but the full sequence is a bit intimidating.
Accessing further Athens resources during the same browser session
- Go to an Athens-protected resource and follow the link(s) to the normal Athens login page. You should get access immediately if you are entitled.
Subsequent use of a browser after restarting it
- Go to an Athens-protected resource and follow the link(s) to the normal Athens login page.
What happens next depends on what you did with the 'Remember this organisation on this computer' box last time. If you un-selected it (which isn't the default) you see the same sequence as above. But if you didn't:
- You immediately see a link offering to "Take me to the University of Cambridge login page" which you can select and follow your nose as before.
- If however you wanted to login with 'classic' Athens (perhaps because this is a shared computer and you are still using your old Athens account) then select "I want to login with an alternative account" and you will see the normal Athens login screen.
You can also select "I am not from University of Cambridge", which will also take you to the normal Athens login screen but will also clear the cookie that records that you are from Cambridge and want to use the gateway, so after a restart the browser will go back to working as it did the first time.
Access Control
Use of the gateway is controlled by membership of groups and other attributes in lookup.
Anyone with a 'MIS status' of 'staff' or 'student' (or both) in lookup will get access to the majority of Athens resources, corresponding to the cam#default0 Athens permission set, by default. This will be correct for the majority of students and University (but not College) staff, but can be modified by group membership as follows:
- Shibboleth service Athens gateway overrides: Members of this group are granted access to the majority of Athens resources, corresponding to the cam#default0 Athens permission set. Membership of this group will only be required to grant access to users who don't have it by default.
- Shibboleth service medical overrides: Members of this group are granted access to medically-restricted material, both via the gateway (corresponding to the cam#aaemo permission set) and directly via Shibboleth.
- Shibboleth service Athens gateway blacklist: Members of this group are administratively prohibited from accessing any resources via the Shibboleth to Athens gateway. This group is provided to implement short-term blocks in response to misuse, etc. This prohibition applies both to members of the two groups above and to anyone receiving access by default.
Membership of these three lists and other details about them are managed by the members of a fourth group, Shibboleth service lookup group managers. Members of this group can go to the 'Members' tab of any of these four lists and from there add or remove members. They can also edit other details of the four groups (such as title, access controls, etc.) but in general should avoid doing so.
Members of a fifth group, Shibboleth service lookup group readers, have read access to the membership lists of the other groups, but are not permitted to modify them.
Once you have authenticated to the gateway it caches the permission set(s) that were allocated to you for up to 8 hours. As a result, changes to group membership don't immediately affect access control decisions even if you quit your browser and restart.
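The following is an added example, not the gateway's or lookup's own code, modelling the access-control rules above (default entitlement from MIS status, the overrides, medical and blacklist groups, and the 8-hour permission-set cache). The class and function names, the crsid and the sample users are assumptions made for illustration.

```python
"""Model of the gateway's access-control rules as described on this page.
Constructed example: LookupUser, permission_sets and GatewayCache are
assumed names, not real lookup or gateway APIs."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DEFAULT_SET = "cam#default0"    # majority of Athens resources
MEDICAL_SET = "cam#aaemo"       # medically-restricted material
CACHE_TTL = timedelta(hours=8)  # gateway caches allocated sets this long

OVERRIDES = "Shibboleth service Athens gateway overrides"
MEDICAL = "Shibboleth service medical overrides"
BLACKLIST = "Shibboleth service Athens gateway blacklist"


@dataclass
class LookupUser:
    mis_status: set[str]                       # e.g. {"staff"}, {"student"}
    groups: set[str] = field(default_factory=set)


def permission_sets(user: LookupUser) -> set[str]:
    """Permission sets the gateway would allocate from current lookup data."""
    # The blacklist wins over everything, including default entitlement.
    if BLACKLIST in user.groups:
        return set()
    sets = set()
    if user.mis_status & {"staff", "student"} or OVERRIDES in user.groups:
        sets.add(DEFAULT_SET)
    if MEDICAL in user.groups:
        sets.add(MEDICAL_SET)
    return sets


class GatewayCache:
    """Caches each user's allocated sets for CACHE_TTL, so a group change
    made after a failed attempt is not seen until the entry expires."""

    def __init__(self):
        self._entries = {}  # crsid -> (allocated sets, time allocated)

    def sets_for(self, crsid: str, user: LookupUser, now: datetime) -> set[str]:
        cached = self._entries.get(crsid)
        if cached and now - cached[1] < CACHE_TTL:
            return cached[0]          # still fresh: lookup is not consulted
        sets = permission_sets(user)
        self._entries[crsid] = (sets, now)
        return sets
```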
Issues
1. For sites that support customisation and the like, note that your identity as established via the gateway is different to your identity established via 'Classic Athens' - you are in effect two different people.
2. Some sites are known not to work via the gateway. There is a list at http://www.athensams.net/allresources/nongatewayresources.aspx
- Westlaw is one - the error message displayed (Description: Error getting sponsor based on prefix for: _wplsf6omk2rfw7lfveb - No Athens prefix found in DB.) confirms that they are still relying on the outdated practice of checking Athens ID prefixes to identify the home institution, a practice that is incompatible with the gateway.
Of the other titles listed, a number are not Cambridge UL subscriptions. The most significant titles on the list are LexisNexis Professional, which is likely to be replaced this year and not in any case currently Athens protected, and the Routledge Encyclopedia of Philosophy.
3. Even once in production, anyone navigating to a supplier site and choosing to authenticate via Athens will see big 'Username' and 'Password' boxes, as well as a small 'Alternate login' link. It will be a documentation/training challenge to convince them to follow the alternate login link and NOT to put their Raven userid and password into the boxes provided which won't work and which will compromise the security of their Raven account.
4. The gateway effectively 'creates' an Athens ID for everyone who uses it. This is a meaningless, 20 character string starting with an underscore that users will not in general recognise. Unfortunately some sites think it's a good idea to use it like a name e.g. Adept Scientific: "Special prices for _wplsf6omk2rfw7lfveb. As a member of Cambridge University Library you are eligible for...".
5. The fact that the gateway caches things like permission sets means that if someone tries and fails to gain access then, even after we add them to the relevant group, there is going to be a delay before they can access the resource that they want.
6. What happens when someone not authorised to use the gateway tries to access resources through it will probably be confusing. They won't immediately be refused access, but if they access a resource directly and go through the required discovery process, they are going to see an error either at the EduServ AP or from the resource provider telling them something along the lines of "You are logged into Athens but you do not have access to this resource" [example]. If they login to MyAthens they will be able to login but there will be no resources listed for them to login to [example].
7. The gateway (or AthensDA) doesn't work for Z39.50 (e.g. to Zetoc) and requires some sort of work-around for CrossFire via the CrossFire Commander client (see Sean Dunne <Sean.Dunne@MANCHESTER.AC.UK> to ATHENSDA@JISCMAIL.AC.UK, Fri, 26 Aug 2005). CrossFire users in the university have access through DiscoveryGate so this is not significant.