Subject Re: Report on disco-STEPS
From John Paschoud <j.paschoud@xxxxxxxxx>
Date Mon, 12 Jul 2010 08:06:53 +0100

On 12 July 2010 07:41, <alex.reid@xxxxxxxxxx> wrote:
> Would it not be possible for the SP, when first
> approached by a potential user, to send to the
> WAYF the IP address from which the user is
> accessing the SP?  If the WAYF were equipped with
> a list of "standard" IP address ranges for each
> IdP (ie ones which are assigned to that IdP
> institution), it could be programmed to ask
> *first* (before offering the whole list of IdPs)
> if the one relating to that IP address was theirs.

I'm pretty sure we discussed this approach in a much earlier (and more-theoretical/less-desperate than today's) iteration of the "how do you scale the WAYF" conversation.  I can certainly remember thinking about the accessibility of a user's IP address to the WAYF.

One reason that it didn't go further, then, was because an argument being used for SPs to convert from IP-checking to enforce on-campus-use-only licences, to Shib (and authorised-use-anywhere), was "stop having to maintain all those pesky per-campus IP ranges".  And of course, this only provides a solution for on-campus users.

However, with the existing and unavoidable federation overhead of entity metadata refresh, adding a few more bytes to describe the potential IP range for on-campus users shouldn't be a big deal.  On a mega-WAYF scale, IP to identify country of location for a user is a lot simpler;  to suggest which WAYF might be offered as default.  The caution is that there's potential here for us to create some quite annoying end user interfaces!

What I don't remember is whether the discussion got as far as anyone documenting it.  A trawl of the earlier Internet2 Shib lists (which I haven't tried) might reveal it;  but you'd probably need to think of a smarter search term than just "WAYF and IP"!

John Paschoud
InfoSystems Engineer & Projects Manager, LSE Library
M: +44.7753 740526
Skype: paschoud
Visit for information about current & recent projects
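
The IP-range hint discussed in this thread, sketched as an added example; it is not code from the thread or from any Shibboleth or WAYF implementation. The entity IDs, ranges and function names are hypothetical, and the address is treated purely as an ordering hint for the discovery list, never as an access decision.

```python
import ipaddress

# Constructed sample data: placeholder entity IDs with documentation
# address ranges (RFC 5737 / RFC 3849), not real federation metadata.
IDP_IP_HINTS = {
    "https://idp.uni-a.example/shibboleth": ["192.0.2.0/24", "2001:db8:a::/48"],
    "https://idp.uni-b.example/shibboleth": ["198.51.100.0/24"],
    "https://idp.dept.uni-a.example/shibboleth": ["192.0.2.128/25"],
}

def build_index(hints):
    """Flatten per-IdP ranges into (network, entity_id) pairs, most specific first."""
    index = []
    for entity_id, cidrs in hints.items():
        for cidr in cidrs:
            # strict=True rejects ranges with host bits set (a metadata typo)
            index.append((ipaddress.ip_network(cidr, strict=True), entity_id))
    index.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    return index

def suggest_idp(client_ip, index):
    """Return the entity ID whose range contains client_ip, or None.

    None covers off-campus users and malformed input; the caller then
    shows the ordinary full list.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    for net, entity_id in index:
        if addr.version == net.version and addr in net:
            return entity_id
    return None

def discovery_order(client_ip, index, all_idps):
    """Put the suggested IdP first; every other IdP stays selectable."""
    hint = suggest_idp(client_ip, index)
    rest = sorted(e for e in all_idps if e != hint)
    return ([hint] if hint else []) + rest

INDEX = build_index(IDP_IP_HINTS)

if __name__ == "__main__":
    for ip in ("192.0.2.200", "198.51.100.7", "203.0.113.5"):
        print(ip, "->", discovery_order(ip, INDEX, IDP_IP_HINTS)[0])
```

Because the address reaches the WAYF as a value forwarded by the SP, a wrong or spoofed address only reorders the list, and the user still authenticates at whichever IdP they pick.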