Subject RE: affiliate student?
From "RL 'Bob' Morgan" <rlmorgan@xxxxxxxxxxxxxx>
Date Tue, 6 Jul 2010 09:22:09 -0700 (PDT)

Just as a reality check - would these be the same publishers that have been happy using IP address "authorisation" for the past decade? I'd have a lot of sympathy for any IdPs reluctant to incur the cost of maintaining individual ePE values for every one of those :-(

Here's an anecdote along this line. At my university we have had a shared-facilities arrangement with a local community college that includes giving their students and staff UW NetIDs for various kinds of access. Since these people are not UW students/staff, we gave them "affiliate" affiliations in ePSA, not "member".

The library came to us at some point saying that these students weren't getting access to a licensed provider as they were supposed to because it was looking for "member@xxxxxxxxxxxxxx", so could we fix that? We said hmm, the right way to do this would be to add an attribute value for them as "member@<otherplace>.edu" and have the provider modify their access rules to look for that. While we were thinking about how to do that (it would require adding a new scope in our InCommon metadata, currently the subject of some discussion) the provider said "well, we solved the problem by just removing the check for 'member@xxxxxxxxxxxxxx'". We said, uh, that seems like a bad idea, and they said "problem solved, moving on".

So indeed the bar of effort that SPs are willing to put in to control access, at least in some cases, is quite low. I think this is why using ePE is less common than we might wish: the effort of defining entitlement values, and checking for them, is just too much work for many SPs, regardless of how much work it might be for IdPs.

 - RL "Bob"
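
Added example, not part of the original message or any provider's code: a sketch of the SP-side check the message describes as "the right way", next to the provider's shortcut of removing the check. The entity ID, the scopes (`university.example`, `college.example`) and all function names are constructed placeholders, and lower-casing values before comparison is an assumption of this sketch.

```python
from typing import Iterable, Optional, Tuple

# Constructed sample data: scopes each IdP is registered to assert,
# as an SP would read them from federation metadata.
IDP_SCOPES = {
    "https://idp.university.example/idp": {"university.example", "college.example"},
}

# License rule: the exact scoped affiliations the provider agreed to serve.
LICENSED = {"member@university.example", "member@college.example"}


def parse_scoped(value: str) -> Optional[Tuple[str, str]]:
    """Split 'affiliation@scope'; return None for malformed values."""
    affiliation, sep, scope = value.strip().lower().partition("@")
    if not sep or not affiliation or not scope or "@" in scope:
        return None
    return affiliation, scope


def is_authorized(idp: str, epsa_values: Iterable[str]) -> bool:
    """Grant access only for a licensed affiliation in a scope the IdP may assert."""
    allowed_scopes = IDP_SCOPES.get(idp, set())
    for raw in epsa_values:
        parsed = parse_scoped(raw)
        if parsed is None:
            continue  # malformed value, ignore it
        affiliation, scope = parsed
        if scope not in allowed_scopes:
            continue  # this IdP is not registered for that scope
        if f"{affiliation}@{scope}" in LICENSED:
            return True
    return False


def is_authorized_check_removed(idp: str, epsa_values: Iterable[str]) -> bool:
    """The shortcut from the anecdote: the affiliation is no longer examined,
    so every account the IdP authenticates gets in."""
    return idp in IDP_SCOPES


IDP = "https://idp.university.example/idp"
if __name__ == "__main__":
    for values in (["member@college.example"], ["affiliate@university.example"]):
        print(values, is_authorized(IDP, values), is_authorized_check_removed(IDP, values))
```

With the strict rule the community-college member is admitted and the plain affiliate is refused; with the check removed both are admitted.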