Athens DA Protocol
From RavenWiki
Jump to navigationJump to search
WARNING: This page is retained as a historical record but is out-of-date and is not being maintained.
This was a working document belonging to the Computing Service's Shibboleth Development Project. This project is complete (Raven now supports Shibboleth) and this document only remains for historical and reference purposes. Be aware that it is not being maintained and may be misleading if read out of context.
As I understand it, the Shib->Athens gateway effectively uses EduServ's proprietary Athens DA protocol once you've actually authenticated. Details of the protocol are not available to the likes of us, but here are some notes on aspects of it that I have deduced.
Identifiers
The protocol apparently transfers at least the following to the content provider:
- a user name. When using the gateway, the user name is a 20-character random string starting '_'; apparently there is no guarantee that these will always be the same for the same user, but at present they are.
- a persistent unique ID. When using the gateway, this is based on the eduPersonTargetedID provided by Shib, though it's not the same
- an Organisation_Id, identifying the user's home organization
URLs
Interesting examples:
- https://auth.athensams.net/?ath_dspid=EDINA.FILMSOUND&ath_returl=%22http%3A%2F%2Fservice.filmandsound.ac.uk%2Fcgi-bin%2Ffilmandsoundlogin-sso%3Fathens_sso%3D1%26edina3%3D1%26%3D%22&x=44&y=9
- http://auth.athensams.net/?ath_action=setldom&id=XXXXXX&ath_returl=http://www.studentoptions.com/
- http://auth.athensams.net/?ath_dspid=OUP.OED&ath_returl=http%3A%2F%2Fdictionary.oed.com%2Fentrance.dtl&ath_action=daauth&id=={your_site_id}
- https://auth.athensams.net/setsite.php?id=urn:mace:eduserv.org.uk:athens:provider:cam.ac.uk&ath_dspid=ATHENS.MY&ath_returl=%2Fmy
- https://auth.athensams.net/setorg.php?id=urn:mace:eduserv.org.uk:athens:provider:cam.ac.uk&ath_returl=https%3a%2f%2fwiki.csx.cam.ac.uk%2fraven%2fShibboleth
- http://auth.athensams.net/setorg.php?id=HUDDERSFIELDUNI&doLogin=1&remChk=1&ath_returl=http://www.hud.ac.uk (doLogin=1 skips institution confirmation page)
See section 3.3.4 of the AthensDA integration guide.
From: David Orrell <david.orrell@EDUSERV.ORG.UK> To: ATHENSDA@JISCMAIL.AC.UK Date: Fri, 13 Jan 2006 16:56:23 -0000 ...In fact you can now, by appending '&ath_action=daauth&id={your_site_id}' to an Athens AAP URL. Eg. To access the OED: http://auth.athensams.net/?ath_dspid=OUP.OED&ath_returl=http%3A%2F%2Fdictionary.oed.com%2Fentrance.dtl&ath_action=daauth&id=={your_site_id} This does not set the ldom cookie. If you want to set the cookie at the same time, then you can use the method John suggests.
From: Eduserv Athens Local Authentication Support <athens-la@EDUSERV.ORG.UK> To: ATHENSDA@JISCMAIL.AC.UK Date: Fri, 13 Jan 2006 15:08:44 -0000 ...the setorg page ensuring the ath_ldom cookie is set and bypassing the HDDS pages. e.g. https://auth.athensams.net/?id=[site ID]&ath_returl=[persistent link URL]
From: Eduserv Athens Local Authentication Support <athens-la@EDUSERV.ORG.UK> To: ATHENSDA@JISCMAIL.AC.UK Date: Tue, 14 Feb 2006 17:20:10 -0000 ... The new service URL format is called a target resource locator (TRL), which uses a combination of: * the URL of the Athens authentication point (AP) * a TRL identifier * a resource identifier The basic format of a TRL is therefore: https://auth.athensams.net/trl/1.0/-/RESOURCE_ID
It looks as if adding ?ath_action=noHddsSession may bypass the HDD service and so allow someone logged in via the gateway to access a particular service using their Classic Athens account:
From: Eduserv Athens Local Authentication Support <athens-la@EDUSERV.ORG.UK> To: JISC-SHIBBOLETH@JISCMAIL.AC.UK Date: Tue, 14 Feb 2006 17:20:08 -0000 Subject: Access to services not compliant with Shibboleth - Athens gateway As some of you know, Eduserv have been working on a method of allowing users at Shibboleth IdPs to use Athens-protected services that do not meet Athens implementation standards... The fix developed by Eduserv allows a user from a Shibboleth IdP to log into non-gateway compliant services with a classic Athens account. It uses a URL format called a target resource locator (TRL), which uses a combination of: * the URL of the Athens authentication point (AP) * a TRL identifier * a resource identifier * an extra parameter to pass at the Athens AP: ath_action=noHddsSession The basic format of a TRL is therefore: https://auth.athensams.net/trl/1.0/-/RESOURCE_ID?ath_action=noHddsSession A list of TRLs for non-gateway compliant services is below [...] Dialog DataStar https://auth.athensams.net/trl/1.0/-/DIALOG_DATASTAR?ath_action=noHddSession International Who's Who https://auth.athensams.net/trl/1.0/-/WORLD_WHO_WHO?ath_action=noHddSession JISC PDS https://auth.athensams.net/trl/1.0/-/PDS?ath_action=noHddSession LexisNexis Professional and Executive https://auth.athensams.net/trl/1.0/-/Lexis?ath_action=noHddSession Oxford Scholarship Online https://auth.athensams.net/trl/1.0/-/OUP_OSO?ath_action=noHddSession ProQuest https://auth.athensams.net/trl/1.0/-/PROQUEST?ath_action=noHddSession
RSS feed of available resources: https://auth.athensams.net/my/resources/rss (only available once authenticated?)
Cookies
- ath_ldom, domain .athensams.net, expires 2012: contains providerID, appears to drive the Home Domain Discovery service. It may be that this can be set with, e.g., https://auth.athensams.net/?id=[site ID]&ath_returl=[persistent link URL]