An open discussion list for topics related to the eduGAIN interfederation service.

[Peter Schober <peter.schober AT univie.ac.at>]

* Glenn Wearen <glenn.wearen AT heanet.ie> [2015-02-13 16:00]:
> There seems to be an assumption by publishers that eduGAIN
> participating institutions will send ePSA and ePTID without being
> asked for these attributes.

A function of those publishers having "grown up" in the UKfederation,
which relies on these instead of the attribute (+ value) defined
specifically for that case, eduPersonEntitlement=common-lib-terms.

Of course convincing publishers that common-lib-terms is preferable
and that we'd like to use it is hard when much bigger federations
don't use that (or rather, the many IDPs in the bigger federations
don't use it).

With the old, now undesirable, method -- the SP Joining Every
Federation On the Planet (JEFOP) -- at least we had a set up and
integration phase with the publisher during which we'd also insist
that autorization happened at the SP (no "we don't need attributes"
nonsense, when the contract terms are in fact the common-lib-terms)
and that the common-lib-terms entitlement should be used.
And of course I could tune RequestedAttributes in our own copy to
match what we were able to negotiate.

Now with integration happening "merely" via eduGAIN we don't have any
contact to the publisher and hence even less influence on the authz
process at the SP, or what attributes are being used.
I.e., we're even more at the mercy of what the first-to-integrate,
-- which often equals the biggest federations -- think about these
things, or used to think (as getting changes deployed by ~1k IDPs is a
daunting task, of course.)

> Also, we’ve been studying the pattern of access to publishers for
> off-campus users at two Edugate institutions. Edugate accounts for
> up to 40% of sessions when compared with sessions delivered via the
> institutions library systems (i.e. proxy).  I believe that quoting
> this figure is helping convince publishers to take action, while at
> the same time convincing librarians to make sure their Edugate IdP
> is working with each publisher.

Thanks for sharing, I'm not sure at all how any of this relates to the
mail/thread you're replying to, the one where I asked about how we as
a community wanted to deal with especially publishers when it comes to
eduGAIN.
Discovery still seems to be driven by metadata feed which is then
equated with country/region/federation, causing our entities to either
only to show up if you select the UKfederation (which noone in her
right might would do to find an Austrian institution) or not at all,
where manual processes are required for setting up "federations".
Of course with eduGAIN there is no "federation" for eduID.at to set
up, as the SP and our IDPs already share metadata via eduGAIN.
So none of our IDPs are then visible at all.

I really think there should be a better way than asking publishers to
JEFOP (Join Every Federation On the Planet) only to have our IDPs show
up in their IDP discovery service and to have a chance at a word with
the publisher about standard attributes for authorization to library
resources.
-peter