
Is this document for ME?

It is if you are a staff member at an academic institution (one that uses EZproxy) who wishes to begin implementing Shibboleth access to library resources, but are unsure about what is required and what is involved.

...

The ability to deny access to all databases based on a user's attributes will be explained by way of example.  EZproxy can be configured to deny access to all users that do not have the common-lib-terms entitlement, and these users can be directed to a particular error page if desired.  Below is the configuration that can be added to shibuser.txt in order to enforce this policy:

    If !(auth:urn:mace:dir:attribute-def:eduPersonEntitlement eq "urn:mace:dir:entitlement:common-lib-terms");
      Deny unaffiliated.html

The ability to allow selective access to databases based on a user's attributes is provided by EZproxy's Group directives.  This works by mapping users to groups based on their attributes and assigning databases to groups as well.  When a user attempts to access a database through EZproxy, they must be a member of the group that the database is assigned to.

Again, an explanation by way of example.  Let's say that there exists a journal, Nursing Weekly, and the institution has contracted for access to this journal for its nursing department only.  Let's also say that departments are represented at this institution by the user attribute eduPersonOrgUnitDN, and the Nursing department's value for that attribute is 'Nursing'.  In order to enforce the policy, EZproxy is configured such that users from the nursing department are assigned to the group Nursing, and the Nursing Weekly database is assigned to the Nursing group as well.  Here are snippets from shibuser.txt and config.txt.

shibuser.txt:

    If auth:urn:mace:dir:attribute-def:eduPersonOrgUnitDN eq "Nursing";
      Group +Nursing

config.txt:

    Group Nursing

    Title Nursing Weekly
    URL ...

The concepts here can be extended to create more fine-grained policies if desired, but these examples should be enough to give a sense of how this might be accomplished.
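To check how the Deny rule and the Group mapping above combine before putting them into production, here is a small Python model of the policy evaluation; it is an added example, not EZproxy code and not from this page's authors. It parses the two snippets in the two-line If/action form shown, and assumes that every user starts in EZproxy's Default group and that databases declared before any Group line belong to Default; the user attribute sets and the "General Reference" database are constructed.

```python
import re
# Constructed shibuser.txt/config.txt in the page's form (assumed: each "If ...;" line is followed by one indented action line).
SHIBUSER_TXT = """\
If !(auth:urn:mace:dir:attribute-def:eduPersonEntitlement eq "urn:mace:dir:entitlement:common-lib-terms");
  Deny unaffiliated.html
If auth:urn:mace:dir:attribute-def:eduPersonOrgUnitDN eq "Nursing";
  Group +Nursing
"""
CONFIG_TXT = """\
Title General Reference
URL https://example.invalid/reference
Group Nursing
Title Nursing Weekly
URL https://example.invalid/nursing-weekly
"""
RULE_RE = re.compile(r'^If\s+(!?)\(?auth:(\S+?)\s+eq\s+"([^"]*)"\)?;\s*$')

def parse_shibuser(text):
    """Return [(negated, attribute, value, action_tokens)] in file order."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    rules = []
    for cond, action in zip(lines[::2], lines[1::2]):
        m = RULE_RE.match(cond)
        assert m, "unsupported condition: " + cond
        rules.append((m.group(1) == "!", m.group(2), m.group(3), action.split()))
    return rules
def parse_config(text):
    """Map each Title to the Group in force where it appears (assumed start: Default)."""
    dbs, group = {}, "Default"
    for line in text.splitlines():
        key, _, rest = line.partition(" ")
        if key == "Group":
            group = rest.strip()
        elif key == "Title":
            dbs[rest.strip()] = group
    return dbs
def evaluate_user(rules, attrs):
    """attrs: {attribute: set of values}; returns ("deny", page) or ("groups", set)."""
    groups = {"Default"}                 # assumed: every user starts in Default
    for negated, attr, value, action in rules:
        if (value in attrs.get(attr, ())) == negated:
            continue                     # condition is false: skip the action
        if action[0] == "Deny":
            return ("deny", action[1])   # Deny stops evaluation for this user
        if action[0] == "Group" and action[1].startswith("+"):
            groups.add(action[1][1:])
    return ("groups", groups)
def can_access(rules, dbs, attrs, title):
    outcome, data = evaluate_user(rules, attrs)
    return outcome == "groups" and dbs[title] in data
```

Attributes are modelled as sets because Shibboleth attributes such as eduPersonEntitlement are multi-valued, so a user carrying several entitlements still matches the common-lib-terms test.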

Step 4: EZproxy to enable Shibboleth access to resource providers

The last step in the integration of Shibboleth and EZproxy is to configure EZproxy to be aware of resources that are Shib-enabled.  For these Shib-enabled resources, EZproxy can be configured to hand off to Shibboleth for authentication and authorization, rather than proxy the user's entire session.  One of the main benefits of this approach is that it lowers the amount of traffic that is proxied through EZproxy, which usually results in better performance and end user experience.  Another main benefit is that it allows, through Shibboleth, for resource providers to create personalized services for users in their interfaces, while maintaining the user's privacy and seamless experience.  [Note, however, that to integrate that level of personalization, the IdP will need to be configured to release a personally identifiable attribute instead of the generic eduPersonEntitlement.  Refer to Best Practice #1 (https://spaces.at.internet2.edu/display/inclibrary/Best+Practices) for more information.]

This step must be performed for each resource for which you wish to enable Shibboleth access.  The Registry of Resources (https://spaces.at.internet2.edu/display/inclibrary/RegistryOfResources) has been created to help facilitate this step.  In order to set up Shibboleth access to a resource through EZproxy, the resource provider should adhere to the Best Practices.  The Registry of Resources provides all of the details for each resource in terms of which resources adhere to the Best Practices, where to go for help, and sample configurations.  The text below explains how to use the Registry to enable Shibboleth access through EZproxy.

...