...

In order for resource providers to make authorization decisions based on this entitlement attribute using the Shibboleth technology and according to the Best Practices, the institution's Shibboleth identity provider must be configured to release this attribute.  This step must be performed by the administrator of the institution's identity provider.  The identity provider is typically not administered by the library; rather, it is usually maintained by the central IT office for the institution.

...

The shibuser.txt configuration file is where EZproxy can be configured to make authorization decisions based on a user's attributes.  There are two types of configurations that are useful to understand.  The first is the ability to deny access to all databases based on a user's attributes.  The second is to selectively allow users to access certain databases based on specific user attributes (e.g., a nursing student's access to journal x).

...

Step 4: EZproxy to enable Shibboleth access to resource providers

The last step in the integration of Shibboleth and EZproxy is to configure EZproxy to be aware of resources that are Shib-enabled.  For these Shib-enabled resources, EZproxy can be configured to hand off to Shibboleth for authentication and authorization, rather than proxy the user's entire session.  One of the main benefits of this approach is that it lowers the amount of traffic that is proxied through EZproxy, which usually results in better performance and a better end-user experience.  Another main benefit is that it allows, through Shibboleth, for resource providers to create personalized services for users in their interfaces, while maintaining the user's privacy and seamless experience.  [Note, however, that to integrate that level of personalization, the IdP will need to be configured to release a personally identifiable attribute instead of the generic eduPersonEntitlement.  Refer to Best Practice #1 (https://spaces.at.internet2.edu/display/inclibrary/Best+Practices) for more information.]

This step must be performed for each resource for which you wish to enable Shibboleth access.  The Registry of Resources (https://spaces.at.internet2.edu/display/inclibrary/RegistryOfResources) has been created to help facilitate this step.  In order to set up Shibboleth access to a resource through EZproxy, the resource provider should adhere to the Best Practices.  The Registry of Resources provides all of the details for each resource in terms of which resources adhere to the Best Practices, where to go for help, and sample configurations.  The text below explains how to use the Registry to enable Shibboleth access through EZproxy.

...