UCL’s preparations for Shibboleth


UCL LIBRARY SERVICES
UCL’s preparations for
Federated Access Management
Margaret Stone
IT Services Development Officer
UCL Library Services
[email protected]
UCL’s preparations for Federated Access Management (FAM)
• Background - UCL Library Services
• Decision-making
• Roadmap & practicalities
• Current position & plans
• The user experience - considerations
UCL Library Services
• UCL profile: 8,000 staff (including 4,000 academic and research), 19,000 students. Research-intensive.
• Broad range and large volume of electronic library resources (11,000 ejournals; 250 subscription databases; ebooks)
• Very high proportion of offsite access to resources
• Moved from “classic” Athens to AthensDA during 2005/6
• Also use EZProxy for offsite access to (Athens and) non-Athens resources
From Athens to FAM – decision-making
• AthensDA: no more admin of separate credentials
• Athens charging in 2008 → looked at Shibboleth
• Shibboleth Identity Provider set up in 2006 during JISC-funded project (ShibboLEAP)
• Vital partnership with UCL Information Systems Dept
• User directory already part of AthensDA
• Shibboleth benefits: international standards, non-library federation + granular authorisation
• Shib-Athens gateway to cover non-migrated resources
Made apparent sense to move…
AthensDA to Shibboleth – original roadmap
• Install and test Shibboleth Identity Provider
• Join the UK Access Management Federation
• Register Shib Identity Provider with Athens (testing)
• Test compliance of Athens resources with the Shib-Athens gateway
• Plan strategy for non-compliant resources
• Consider best access route for each resource (gateway / direct Shib / proxy / other)
• Plan end-user information
• Switch from AthensDA to Shib IdP
Practicalities: Library-IT Partnership
• Joint project: Library Services and Information Systems
• Feeds into implementation of UCL’s Information Strategy
• Collaborative issues:
  - Identity Provider administration
  - Federation registration
  - User status re: licences (staff, student, honorary staff only)
  - Shibboleth attribute release policy
  - Logs and trouble-shooting
  - HTML login screen
Practicalities: Testing mechanisms
• Monitor which resources offer Shib access
• Look for both pilot testing and live services
• Contact each provider to register and/or check requirements
• Shib-Athens Gateway testing via special cookie
• Soft launch of some services, e.g. ScienceDirect
• Special URLs, e.g. MIMAS CrossFire
Practicalities: Usage so far
• Monitor destination logs of Shib IdP
• Current usage per day (number of logins):
  • 1300 EZProxy
  • 250 MetaLib
  • 100 ScienceDirect
  • A few others
However…
Our plan to migrate from Athens hinged on
the JISC-funded Shib-Athens gateway…
Shib-Athens gateway
[Diagram labels: Shibboleth-authenticated users; Athens-protected resources]
• Use for resources which won’t be Shibbed by Aug 2008
• Nearly all Athens resources are compliant. Exceptions listed on Athens website.
• Otherwise, behaves just like AthensDA
• To be provided by OpenAthens from August 2008
Photo by paparutzi displayed on Flickr.com
AthensDA to Shibboleth – current position
• Consider local financial implications of using the gateway via OpenAthens
• Monitor usage of resources via current access routes
• Await further information from JISC
• Monitor Shibboleth/Federation status of resources
• Consider best access route for each resource (gateway / direct Shib / proxy / other)
• Decide how to proceed from August 2008
• Plan end-user information
FAM status of UCL’s Athens resources
• 125 Athens resources
• Readiness for Shibboleth from 31/7/08 (JISC)
• Can be (fairly) confident about 47 so far!
[Chart: category labels Due 31/7/08, Planned, Partway there, Ready, No evidence; values 21, 26, 29, 39, 10]
The user experience…
http://libproxy.ucl.ac.uk/login?url=http://aapgbulletin.datapages.com/
User guidance
• Refer to “e-resource access”, with Athens as one subset
• Describe how to login both via library-controlled links and via the resource homepage
• Show some examples of how to find the login box on the resource homepage
The user experience
Changes from Aug 2008:
1. Access from Library-controlled links
2. Access from resources directly
3. Personalisation features
1. Library-controlled links
• Mostly EZProxy* (IP authentication + proxying permitted)
• Shibboleth where possible
• Some Athens (gateway) ?????
*EZProxy itself is Shibbolized
2. Direct from the resource
• Most controlled by IP address on-campus
• Many “Institutional login” or similar (Shibboleth)
• Some Athens (gateway) ?????
• No EZProxy!
3. Personalisation features
• Most Athens resources which offer alerts etc. require separate registration (username/password)
• Exceptions include ScienceDirect, Zetoc, Digimap, Dialog DataStar, NetLibrary,…
• For these, saved searches, alerts etc are tied to the Athens ID – beware!
• Zetoc allows transfer to Shibboleth ID
• Want to minimise re-registration
So in summary…
• UCL is ready to go with Shibboleth, but…
• …largely due to support from JISC/institution/IS
• …and via a long testing phase due to shifting goal posts
• User experience is very important, and we want to get the transition right
• We may need to go with OpenAthens in short term (for the user experience)
• End goal is still full Shibboleth
Thank you – questions welcome at the end
[email protected]