Subject Re: Report on disco-STEPS
From John Paschoud <j.paschoud@xxxxxxxxx>
Date Mon, 12 Jul 2010 11:02:45 +0100

I agree with Nicole on the stance of many UK academic libraries.  There is still a confusing mix of access methods (sometimes well disguised from end users by library portals, sometimes less so), including a fallback on IP for most on-campus access to most resources.  Partly this is to enable (physically on site) 'library visitors' to have access that's allowed by many licenses.  Some libraries may do no identity management of such people at all (i.e. anonymous public access).

Where users access resources via a well-managed library portal (e.g. WAYFless URLs are used where possible), this works for affiliated users onsite and offsite; but can confuse non-affiliated onsite users.

The downside of this is that many (affiliated) users are not exposed to the FAM login process whilst they are onsite (and in easy reach of helpdesks etc), and may meet it first when they are working off campus.  

For as long as we have to accept that Where-You-Are is part of license terms for resources, as well as What-You-Are ("member@xxxxxxxxxxx" etc), there could be some advantages to any national education federation in bundling this with other overheads of running a WAYF service (which after all is hardly a BIG job):

1) Publishers/SPs could be sold the added benefit of not needing to maintain IP ranges for customer institutions any more;

2) All end users could be channelled into a single consistent access process (Location-aware FAM) that matched the Where... and What... terms of many licences.

Another way to do this of course would avoid maintenance of IP range lists at all by a WAYF (or by SPs), and add IP-checking to the IdP:  If a user was (appeared to be from current IP address) "in the library" or "on campus", a Location-aware IdP could (when a user was in a recognised IP range/'place') return an agreed EduPersonEntitlement value (like "InLibrary@xxxxxxxxxxxxx" or "OnCampus@xxxxxxxxxxxxx") to an SP, and skip challenging for a password.

SAML 2 and Shib provide (don't they?) for an SP to come back to an IdP and request further attributes if needed for the access level requested, which might include invoking the usual authentication challenge.

Or have I picked up the wrong end (or the wrong stick) too???
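As an added illustration of the Location-aware IdP sketched in the message above (this is example code written for this page, not anything from the thread or any federation's software), the block below maps a client address onto place-based entitlement values and decides whether the password challenge can be skipped. The CIDR ranges, the example.ac.uk entitlement scopes standing in for the redacted "@xxxxx" values, the "location"/"personal" access levels an SP might request, and the trusted-proxy list are all assumptions. The client_address helper is the check a practitioner would want before trusting any of this: the IP used for the decision must be the one the IdP actually sees, not a header the remote user can write.

```python
import ipaddress

# Constructed configuration (assumption, not from the message): CIDR ranges the
# IdP operator maintains for each "place", and the entitlement value it maps to.
PLACES = {
    "InLibrary@example.ac.uk": ["192.0.2.0/26"],                    # reading room
    "OnCampus@example.ac.uk": ["192.0.2.0/24", "198.51.100.0/24"],  # whole campus
}

# Access levels an SP might request (assumed names).  "location" can be met by
# a recognised IP range alone; "personal" always needs the usual password
# challenge so that an identified individual stands behind the assertion.
LEVEL_LOCATION = "location"
LEVEL_PERSONAL = "personal"


def client_address(peer_ip, forwarded_for, trusted_proxies):
    """Choose the address to check.

    X-Forwarded-For is only honoured when the direct TCP peer is one of our own
    reverse proxies; otherwise anyone off campus could claim an on-campus
    address just by sending the header.  Walking the hop list from the right
    and skipping our own proxies yields the last hop we did not append.
    """
    if peer_ip not in trusted_proxies or not forwarded_for:
        return peer_ip
    hops = [h.strip() for h in forwarded_for.split(",")]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return peer_ip


def entitlements_for(client_ip):
    """Return the sorted location entitlements whose ranges contain client_ip.

    A malformed address yields no entitlements rather than an exception: the
    user is simply treated as off campus.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return []
    matched = [
        entitlement
        for entitlement, ranges in PLACES.items()
        if any(addr in ipaddress.ip_network(r, strict=True) for r in ranges)
    ]
    return sorted(matched)


def decide(client_ip, requested_level):
    """Decide what the location-aware IdP asserts for one request.

    Returns (entitlements, challenge_password).  The requested level models the
    "SP comes back and asks for more" step: a "personal" request forces the
    password challenge even when the address is recognised.
    """
    entitlements = entitlements_for(client_ip)
    if requested_level == LEVEL_LOCATION and entitlements:
        return entitlements, False
    # Off campus, unparseable address, or the SP needs an identified person.
    return entitlements, True


if __name__ == "__main__":
    ip = client_address("10.0.0.1", "192.0.2.100, 10.0.0.1", {"10.0.0.1"})
    print(ip, decide(ip, LEVEL_LOCATION), decide(ip, LEVEL_PERSONAL))
```

Two design points worth noting: ranges are parsed with strict=True so a mis-typed configuration entry (host bits set) fails loudly at lookup rather than silently matching the wrong block, and the entitlement list is returned even when a password challenge is required, since an SP may still want the "where" attribute alongside the authenticated "who".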



On 12 July 2010 09:30, <n.harris@xxxxxxxxxx> wrote:
Just to play devil's advocate for a moment (because I'm really all for anything that improves user experience).

I'm wondering if demand for this meets effort required to maintain?

Most sites offering services to institutions offer IP 'authentication' (she shudders) as soon as you hit their home page, i.e. the step before the WAYF.  Thus a WAYF that recognises IP is only useful if you want personalised user login on top of IP authentication.  Regrettably, in the UK at least, take-up of the benefits of logging in on top of an IP authentication is poor and actively discouraged by some librarians. Sigh.

On the other hand, this may be an experience improvement that would help significantly in pushing this area. You are fighting against user inertia, librarian inertia and publisher inertia. I'd suggest it would have to be zero additional effort on behalf of the SP.

Sorry, I've obviously started the week in a negative mood :)
Sent using BlackBerry

----- Original Message -----
From: Andreas Åkre Solberg <andreas.solberg@xxxxxxxxxx>
To: Andrew Cormack <Andrew.Cormack@xxxxxx>
Cc: John Paschoud <j.paschoud@xxxxxxxxx>; REFEDS list <refeds@xxxxxxxxxx>
Sent: Mon Jul 12 09:12:50 2010
Subject: Re: [refeds] Report on disco-STEPS

On 12 July 2010, at 09:41, Andrew Cormack wrote:

> Possibly a belated Friday idea, but since we're only looking for hints, do we actually need to actively maintain a full list of IP address mappings? Wouldn't the web2.0 way to do it be to look for what choice had previously been made by 'nearby' IP addresses?
> Clearly there's a small information leakage there - "someone from your site has been here before" - and the WAYF needs to remember some information linked to, say, a /24. People accessing from home via a broadband ISP are going to get slightly random results, but I think that's true of any scheme that tries to use IP addresses as hints.

I've been thinking about this as well. I also planned to implement a proof of concept, but never got to it.

Letting the WAYF maintain a list of associations (IP addresses to IdPs); and then sorting the list of IdPs based upon a scoring rule. For a visiting user, each stored association would contribute a score to an IdP based upon how many bits the current user's IP shares with the associated IP in its largest common prefix.  This system will learn over time, and does not need any configuration.

An interesting exercise would be to implement this system in a WAYF, letting the system guess what the user would choose; and then log which place in the ordered list the user really chose. Say, if 95% of all users choose from the top 5 list, then I would say the idea would improve the user experience a lot.

Wherever there is a correlation between something the WAYF knows and 'which IdP', the WAYF might use it for what it is worth in order to make a sucky user interface a little less sucky. There definitely is a correlation on IP address, geo location, user's earlier preferences, which SP the request comes from, the accept-language header, etc.
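The self-learning WAYF described in Andreas's message, and the "log where the real choice sat" measurement he proposes, as an added example written for this page (not a proof of concept from the thread or from any WAYF product). Two choices here go beyond what the message states and are assumptions: an IdP's score is the longest prefix any one of its associations shares with the visitor's address (rather than a sum over all associations, which would let an IdP with many stored users outrank a closer but rarer one), and, following Andrew's note, addresses are coarsened to a /24 (or /48 for IPv6) before being stored, so the WAYF remembers that "a /24 chose IdP X" rather than individual hosts. The IdP names and addresses in the __main__ block are constructed sample data.

```python
import ipaddress
from collections import defaultdict


def common_prefix_bits(a, b):
    """Number of leading bits two addresses share (0 if the IP versions differ)."""
    a, b = ipaddress.ip_address(a), ipaddress.ip_address(b)
    if a.version != b.version:
        return 0
    # XOR leaves the differing bits; its bit length is how many trailing bits
    # are "spoiled", so the rest of the address is the common prefix.
    return a.max_prefixlen - (int(a) ^ int(b)).bit_length()


def aggregate(ip, v4_bits=24, v6_bits=48):
    """Coarsen an address to a network prefix before storing it (assumed
    granularity: /24 for IPv4, /48 for IPv6) to limit what the WAYF retains."""
    addr = ipaddress.ip_address(ip)
    bits = v4_bits if addr.version == 4 else v6_bits
    net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    return str(net.network_address)


class LearningWayf:
    """A WAYF that ranks IdPs from observed (address prefix, IdP) associations."""

    def __init__(self, idps):
        self.idps = sorted(idps)
        self.associations = []    # (stored prefix address, idp) pairs learnt so far
        self.observed_ranks = []  # position of each user's real choice in our guess

    def rank(self, client_ip):
        """Order IdPs by the longest prefix any of their associations shares with
        client_ip; ties broken by how many associations reached that length,
        then by name so the order is deterministic."""
        best = defaultdict(int)
        count = defaultdict(int)
        for stored, idp in self.associations:
            bits = common_prefix_bits(client_ip, stored)
            if bits > best[idp]:
                best[idp], count[idp] = bits, 1
            elif bits == best[idp]:
                count[idp] += 1
        return sorted(self.idps, key=lambda i: (-best[i], -count[i], i))

    def record_choice(self, client_ip, chosen_idp):
        """Log where the real choice sat in our ranking, then learn from it.
        Returns the 1-based position the user would have had to scroll to."""
        position = self.rank(client_ip).index(chosen_idp) + 1
        self.observed_ranks.append(position)
        self.associations.append((aggregate(client_ip), chosen_idp))
        return position

    def top_k_hit_rate(self, k=5):
        """Fraction of recorded choices that fell within the top k of our list."""
        if not self.observed_ranks:
            return 0.0
        hits = sum(1 for r in self.observed_ranks if r <= k)
        return hits / len(self.observed_ranks)


if __name__ == "__main__":
    # Constructed sample data: three IdPs and a handful of visitor choices.
    wayf = LearningWayf(["idp.c.example", "idp.a.example", "idp.b.example"])
    for ip, idp in [("192.0.2.10", "idp.b.example"),
                    ("198.51.100.5", "idp.c.example"),
                    ("192.0.2.200", "idp.b.example")]:
        print(ip, "guessed", wayf.rank(ip), "chose at position", wayf.record_choice(ip, idp))
    print("top-5 hit rate:", wayf.top_k_hit_rate(5))
```

Because a stored /24 and a visitor in the same /24 share at most 24 bits, the coarsening caps how precisely the WAYF can "place" anyone, which is exactly the leakage trade-off Andrew flagged; home broadband users will still land on prefixes dominated by whichever IdP's users happen to share their ISP, so the hit-rate log is the only honest way to tell whether the hint helps.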

