
shibboleth-dev - RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO"

Subject: Shibboleth Developers

  • From: "Josh Howlett" <>
  • To: <>
  • Cc: "Josh Howlett" <>
  • Subject: RE: wrt user entry of a pointer to their IDP ..or.. "invisible SSO"
  • Date: Fri, 28 Sep 2007 08:59:57 +0100

Both of these approaches require prior knowledge, on behalf of either
the IdP or SP, of their respective constituencies' destinations or
origins.

These are useful optimisations, to be sure, but I don't personally
believe that they will scale in deployments where destinations and
origins are numerous and unpredictable. I suppose whether you care about
this depends on the scope of your ambitions.

josh.

> -----Original Message-----
> From: Spencer W. Thomas
> [mailto:]
>
> Sent: 27 September 2007 20:08
> To:
>
> Subject: Re: wrt user entry of a pointer to their IDP ..or..
> "invisible SSO"
>
> Josh Howlett wrote:
> > I have been told by colleagues in the schools sector that some
> > categories of user, such as young children, simply aren't capable of
> > selecting 'their' IdP. Whether the selection UI is located at the SP
> > or some other WAYF (or indeed as a piece of browser chrome) is moot.
> >
> Right. So for them, you provide a portal. The portal has a
> link to a session initiator at the service provider. The
> session initiator tells the SP which IdP to use, so no WAYF
> ever need be involved.
>
> Example:
>
> https://www.jstor.org/start-session?providerId=urn:mace:incommon:osu.edu
>
> Will send you straight to Ohio State's login screen. Once
> you've authenticated, you come back and are looking at
> JSTOR's search form.
>
> > Even for adult users, the answer to the question "which IdP are you
> > affiliated with" is not always obvious; for example, there are cases
> > concerning multiple affiliations and the correct answer depends on the
> > user knowing which IdP has the relevant relationship with the SP for
> > the resource in question.
>
> I can see that could be a problem. We display only those
> IdPs associated with institutions that are (a) participating
> in JSTOR and (b) have told us they are ready to use
> Shibboleth with JSTOR (and (c) tested such access.) In that
> case, the user need only find (at least) one of their IdPs in
> our list.
>
> > It gets worse when we ask the question "which federation is your IdP
> > affiliated with" because the user has no concept of federation.
> >
> Right, which is why our WAYF
> (https://www.jstor.org/wayf/WAYF) organizes IdPs
> geographically. We can do that because we're displaying only
> those institutions with which we have negotiated Shibboleth
> (or Athens) access, and we have recorded in our database
> "the" country for each institution.
>
> --
> ------------------------------------------------------------------------
> Spencer Thomas
> Operations Supervisor, JSTOR
>
>
> <mailto:>
> +1-734-998-9104
>
> JSTOR is a not-for-profit organization helping the scholarly community
> take advantage of advances in technology. Our initial effort -- building
> trusted digital archives for scholarship -- provides for the long-term
> preservation and access of leading academic journals and scholarly
> literature from around the world. Our work is supported by libraries,
> scholarly societies, publishers, and foundations.
>
> ------------------------------------------------------------------------
>

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
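
The portal-link approach described in the quoted message (a session initiator that receives the user's IdP as `providerId`, with a country-organised WAYF as the fallback), as an added example that is not part of the original message and is not JSTOR's or Shibboleth's code. Apart from the one entityID quoted in the thread, every URL, the second IdP and the function names are assumptions, and the IdP request parameters are assumed from the Shibboleth 1.x authentication request.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registry of IdPs the SP has agreed and tested access with.
# The first entityID is the one in the message; the SSO endpoints, the second
# IdP and every SP URL below are placeholders.
KNOWN_IDPS = {
    "urn:mace:incommon:osu.edu": {
        "country": "United States",
        "sso_url": "https://idp.osu.example/shibboleth-idp/SSO",
    },
    "urn:example:idp:uni-b": {
        "country": "United Kingdom",
        "sso_url": "https://idp.uni-b.example/shibboleth-idp/SSO",
    },
}
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML/POST"
WAYF_URL = "https://sp.example.org/wayf/WAYF"
DEFAULT_TARGET = "/search"


def safe_target(target):
    """Accept only a local path as the post-login destination."""
    parts = urlsplit(target or "")
    if parts.scheme or parts.netloc or "\\" in (target or ""):
        return DEFAULT_TARGET
    return target if parts.path.startswith("/") else DEFAULT_TARGET


def start_session(request_url):
    """Return the redirect location for a session-initiator request."""
    query = parse_qs(urlsplit(request_url).query)
    provider_ids = query.get("providerId", [])
    target = safe_target(query.get("target", [""])[0])
    # Redirect straight to an IdP only for exactly one registered providerId.
    if len(provider_ids) == 1 and provider_ids[0] in KNOWN_IDPS:
        # Parameter names assumed from the Shibboleth 1.x authentication request.
        params = {"providerId": SP_ENTITY_ID, "shire": ACS_URL, "target": target}
        return KNOWN_IDPS[provider_ids[0]]["sso_url"] + "?" + urlencode(params)
    # Missing, repeated or unregistered IdP: let the user choose at the WAYF.
    return WAYF_URL + "?" + urlencode({"target": target})


def wayf_listing():
    """Group registered IdPs by country, as the WAYF in the message does."""
    listing = {}
    for entity_id, idp in sorted(KNOWN_IDPS.items()):
        listing.setdefault(idp["country"], []).append(entity_id)
    return listing
```

Because the IdP is looked up in the SP's own registry rather than taken from the link as a URL, an unrecognised `providerId` lands on the WAYF instead of producing a redirect to an arbitrary host.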


