Subject RE: Report on disco-STEPS
From Andrew Cormack <Andrew.Cormack@xxxxxx>
Date Mon, 12 Jul 2010 10:46:40 +0000

I think there are already two (the joy of standards) ways to express "person present on campus". InCommon, as far as I know, use 'lib-common-terms', whereas we needed a scoped way of saying the same thing so there's an affiliation of 'library-walk-in'.

One of the difficulties with making off-campus access completely transparent is that ultimately you can't infer it from any sort of location. From home my IdP is, whereas my wife's (sitting next to me on the couch) is :-(


Andrew Cormack, Chief Regulatory Adviser
JANET(UK), Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, OX11 0SG, UK
Phone: +44 (0) 1235 822302
Fax: +44 (0) 1235 822399

JANET, the UK's education and research network

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG

> -----Original Message-----
> From: john.paschoud@xxxxxxxxx [mailto:john.paschoud@xxxxxxxxx] On
> Behalf Of John Paschoud
> Sent: 12 July 2010 11:03
> To: REFEDS list
> Subject: Re: [refeds] Report on disco-STEPS
> I agree with Nicole on the stance of many UK academic libraries.  There
> is still a confusing mix of access methods (sometimes well disguised
> from end users by library portals, sometimes less so), including a
> fallback on IP for most on-campus access to most resources.  Partly
> this is to enable (physically on site) 'library visitors' to have
> access that's allowed by many licenses.  Some libraries may do no
> identity management of such people at all (i.e. anonymous public
> access).
> Where users access resources via a well-managed library portal (e.g.
> WAYFless URLs are
> used where possible.  This works for affiliated users onsite and
> offsite;  but can confuse non-affiliated onsite users.
> The downside of this is that many (affiliated) users are not exposed to
> the FAM login process whilst they are onsite (and in easy reach of
> helpdesks etc), and may meet it first when they are working off campus.
> For as long as we have to accept that Where-You-Are is part of license
> terms for resources, as well as What-You-Are ("member@xxxxxxxxxxx"
> etc), there could be some advantages to any national education
> federation in bundling this with other overheads of running a WAYF
> service (which after all is hardly a BIG job):
> 1) Publishers/SPs could be sold the added benefit of not needing to
> maintain IP ranges for customer institutions any more;
> 2) All end users could be channelled into a single consistent access
> process (Location-aware FAM) that matched the Where... and What...
> terms of many licences.
> Another way to do this of course would avoid maintenance of IP range
> lists at all by a WAYF (or by SPs), and add IP-checking to the IdP:  If
> a user was (appeared to be from current IP address) "in the library" or
> "on campus", a Location-aware IdP could (when a user was in a
> recognised IP range/'place') return an agreed EduPersonEntitlement
> value (like "InLibrary@xxxxxxxxxxxxx" or "OnCampus@xxxxxxxxxxxxx") to an
> SP, and skip challenging for a password.
> SAML 2 and Shib provide (don't they?) for an SP to come back to an IdP
> and request further attributes if needed for the access level
> requested, which might include invoking the usual authentication
> challenge.
> Or have I picked up the wrong end (or the wrong stick) too???
> John
> On 12 July 2010 09:30, <n.harris@xxxxxxxxxx> wrote:
> 	Just to play devil's advocate for a moment (because I'm really all
> for anything that improves user experience).
> 	I'm wondering if demand for this meets effort required to
> maintain?
> 	Most sites offering services to institutions offer IP
> 'authentication' (she shudders) as soon as you hit their home page,
> i.e. the step before the WAYF.  Thus a WAYF that recognises IP is only
> useful if you want personalised user login on top of IP
> authentication.  Regrettably, in the UK at least, take-up of the
> benefits of logging in on top of an IP authentication is poor and
> actively discouraged by some librarians. Sigh.
> 	On the other hand, this may be an experience improvement that
> would help significantly in pushing this area. You are fighting against
> user inertia, librarian inertia and publisher inertia. I'd
> suggest it would have to be zero additional effort on behalf of the SP.
> 	Sorry, I've obviously started the week in a negative mood :)
> 	--------------------------
> 	Sent using BlackBerry
> 	----- Original Message -----
> 	From: Andreas Åkre Solberg <andreas.solberg@xxxxxxxxxx>
> 	To: Andrew Cormack <Andrew.Cormack@xxxxxx>
> 	Cc: John Paschoud <j.paschoud@xxxxxxxxx>; REFEDS list
> <refeds@xxxxxxxxxx>
> 	Sent: Mon Jul 12 09:12:50 2010
> 	Subject: Re: [refeds] Report on disco-STEPS
> 	On 12 July 2010, at 09:41, Andrew Cormack wrote:
> 	> Possibly a belated Friday idea, but since we're only looking
> for hints, do we actually need to actively maintain a full list of IP
> address mappings? Wouldn't the web2.0 way to do it be to look for what
> choice had previously been made by 'nearby' IP addresses?
> 	>
> 	> Clearly there's a small information leakage there - "someone
> from your site has been here before" - and the WAYF needs to remember
> some information linked to, say, a /24. People accessing from home via
> a broadband ISP are going to get slightly random results, but I think
> that's true of any scheme that tries to use IP addresses as hints.
> 	I've been thinking about this as well. I also planned to
> implement a proof of concept, but never got to it.
> 	Letting the WAYF maintain a list of associations (IP address to
> IdPs); and then sorting the list of IdPs based upon a scoring rule. For
> a visiting user, each stored association would contribute a score to an
> IdP based upon how many bits the current user's IP shares with the
> associated IP in its largest common prefix.  This system will learn
> over time, and does not need any configuration.
> 	An interesting exercise would be to implement this system in a
> WAYF, letting the system guess what the user would choose; and then log
> at which place on the ordered list the user really chose. Say, if 95%
> of all users choose from the top 5 list, then I would say the idea
> would improve the user experience a lot.
> 	Wherever there is a correlation between something the WAYF knows
> and 'which IdP', the WAYF might use it for what it is worth in order to
> make a sucky user interface a little less sucky. There definitely is
> a correlation on both IP address, geo location, user's earlier
> preferences, which SP the request comes from, the accept-language
> header, etc.
> 	Andreas
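Added worked example, not code from the REFEDS thread or from any federation's WAYF: a Python sketch of the IP-proximity hint that Andrew Cormack (remember earlier choices against a /24) and Andreas Solberg (score each IdP by the longest common prefix with stored associations, then measure how often the real choice lands in the top N) describe above. Everything below is assumed for illustration: the stored granularity (/24 for IPv4, /48 for IPv6), the weighting of each association as count * 2**(shared bits), and the IdP entityIDs and client addresses, which are constructed on RFC 5737 and RFC 3849 documentation ranges.

```python
"""
Assumed, illustrative WAYF hint learner (not the thread's or any project's code):
learns (network, IdP) associations from real user choices and ranks IdPs for a
new visitor by IP-prefix similarity. Addresses and entityIDs are constructed.
"""
import ipaddress
from collections import defaultdict

# Remember choices against a truncated network rather than the full client
# address, to bound the "someone from your site has been here" leakage
# the thread mentions. Prefix lengths are an assumption of this example.
STORED_PREFIXLEN = {4: 24, 6: 48}


def truncate(client_ip):
    """Map a client address onto the network the WAYF is allowed to keep."""
    addr = ipaddress.ip_address(client_ip)
    plen = STORED_PREFIXLEN[addr.version]
    keep = ((1 << plen) - 1) << (addr.max_prefixlen - plen)
    return type(addr)(int(addr) & keep)


def common_prefix_bits(a, b):
    """Leading bits shared by two addresses of the same family."""
    return a.max_prefixlen - (int(a) ^ int(b)).bit_length()


class PrefixHintWayf:
    def __init__(self):
        # (remembered network, IdP entityID) -> how often it was chosen
        self._assoc = defaultdict(int)

    def record_choice(self, client_ip, idp):
        """Called after the user has actually picked an IdP at the WAYF."""
        self._assoc[(truncate(client_ip), idp)] += 1

    def rank(self, client_ip):
        """Known IdPs, best guess first, for this client.

        Each association contributes count << shared_bits (assumed weighting),
        so a single choice from the same /24 outweighs many from a distant /8,
        and an unrelated address degrades to ranking by popularity."""
        here = truncate(client_ip)
        scores = defaultdict(int)
        for (net, idp), count in self._assoc.items():
            if net.version != here.version:
                continue  # v4 and v6 addresses share no prefix at all
            scores[idp] += count << common_prefix_bits(here, net)
        return sorted(scores, key=lambda idp: (-scores[idp], idp))

    def top(self, client_ip, n=5):
        return self.rank(client_ip)[:n]


def top_n_hit_rate(wayf, observations, n=5):
    """The measurement proposed in the thread: guess first, then learn from the
    real choice, and report the fraction of visits whose IdP was in the top n."""
    hits = 0
    for client_ip, chosen in observations:
        if chosen in wayf.top(client_ip, n):
            hits += 1
        wayf.record_choice(client_ip, chosen)
    return hits / len(observations) if observations else 0.0


# Constructed sample: three campuses on documentation ranges, one of them
# also reachable over IPv6. No real federation data is involved.
ALPHA = "https://idp.alpha.example/shibboleth"
BETA = "https://idp.beta.example/shibboleth"
GAMMA = "https://idp.gamma.example/shibboleth"
CAMPUS_CHOICES = [
    ("192.0.2.10", ALPHA),
    ("192.0.2.200", ALPHA),
    ("198.51.100.7", BETA),
    ("203.0.113.9", GAMMA),
    ("2001:db8:1::5", ALPHA),
]


def demo():
    """Rank a few visitors against the learned associations."""
    wayf = PrefixHintWayf()
    for ip, idp in CAMPUS_CHOICES:
        wayf.record_choice(ip, idp)
    return {
        "same /24": wayf.rank("192.0.2.99")[0],
        "neighbouring /24": wayf.rank("198.51.101.1")[0],
        "v6 campus": wayf.rank("2001:db8:1::77")[0],
        # A home-broadband style address shares no useful prefix: the
        # result is just the most popular IdP, the "slightly random"
        # outcome the thread expects for such users.
        "home user": wayf.rank("100.64.7.7"),
    }


if __name__ == "__main__":
    for label, guess in demo().items():
        print(f"{label}: {guess}")
```

The learner never stores a full client address, only the truncated network, and it needs no configured IP-range list: the SP or WAYF operator's only job is to feed back the choice the user actually made. Running `top_n_hit_rate` over a WAYF's real choice log would give the "95% in the top 5" figure Andreas suggests as the success criterion.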