Jorum from MIMAS

Page last modified on 12 June 2012, at 10:49 AM (initially posted on 8 July 2008)

Jorum is a JISC-funded collaborative venture in UK Higher and Further Education to collect and share learning and teaching materials, allowing their reuse and repurposing, and standing as a national statement of the importance of creating interoperable, sustainable materials.

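| Org. | Service | Attribute | Notes | Required |
|---|---|---|---|---|
| MIMAS | Jorum | eduPersonScopedAffiliation | 1 | Yes |
| | | eduPersonTargetedID | 2,9,12 | Yes |
| | | givenName | 5 | No |
| | | sn | 5 | No |
| | | o | 5 | No |
| | | ou | 5 | No |
| | | mail | 5 | No |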


Log-in page: ("Quick Links" on the left to separate "User" and "Contributor" login pages)

User Accountability: required (similar to Digimap).

This service is available for subscription to UK HE, FE & research councils through JISC Collections.

Notes:

1. The only attribute that an identity provider must release for its users to be able to access many services that are licensed for use by everyone at a particular organisation is eduPersonScopedAffiliation. This is a scoped attribute, which might, for example, have the value "member" in scope "uni.ac.uk", often written as:

member@uni.ac.uk

It is used for the basic authorisation decision: does uni.ac.uk subscribe to the service in question? If so, the user is allowed access. The service provider will maintain its own list of which organisations (scopes) can access its service. For allowed organisations, the federation's Technical Recommendations for Participants indicate that, in HE/FE, users with scoped affiliation values from the set {member, student, staff, faculty, employee} are typically authorised to access content licensed on the basis of the JISC Model Licence, while {affiliate, alum} are not.

While a Shibboleth identity provider can generate eduPersonScopedAffiliation statically by setting the required value in attribute-resolver.xml, this should only be done when it is known that all users are authorised. Otherwise, the value can be picked up from your LDAP / Active Directory as described on the IdP setup page.

Users of other IdP software should check their documentation.

2. Many services can make use of the eduPersonTargetedID attribute. This is a persistent opaque identifier, which enables service personalisation (remembering data about a user over different login sessions) without the service provider knowing who the user is. If the identity provider supplies the eduPersonTargetedID attribute, the session is treated similarly to an Athens personal account. Otherwise, the service's personalisation features (e.g., saved searches) may be disabled, though the service will still function in the same way as with Athens shared accounts. With some services (e.g., Zetoc Alert) this attribute is mandatory. If so, it is marked as "Required/Yes" in the table in Attribute Usage.

For a Shibboleth IdP, generation of eduPersonTargetedID in attribute-resolver.xml is described on the IdP setup page.

Release of eduPersonTargetedID by attribute-filter.xml is described further down the same page.

Users of other IdP software should check their documentation.

5. Some services can make use of optional attributes if an identity provider offers them. For example, MIMAS Landmap and EDINA Digimap make use of the user's given name (givenName), surname (sn) and organisational unit (ou, treated as a Department name), if present. (Digimap uses these attributes, if present, to populate its initial online user registration form, not for ordinary logins.) If such optional attributes are not supplied by the identity provider, the service may require the user to enter the same information manually, and these entries may need to be manually checked by the operator of the service.

9. Some services (including EDINA services which require individual user registration) will only grant access to users from an identity provider marked in the UK federation metadata as offering user accountability as defined in section 6 of the federation's Rules of Membership. Identity providers that offer user accountability are marked by having an <AccountableUsers> element within the <Extensions> element of the IdP's <EntityDescriptor>.

12. This service provider requires that an identity provider presents eduPersonTargetedID. This allows logins to be related back to the user's registration details. Configuration of eduPersonTargetedID is described in note 2 above.
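
The access rules in notes 1, 9 and 12, as a service provider might apply them to a single login. This is an added example, not code from Jorum or the UK federation. The subscriber list, the second entityID, the metadata sample and the label namespace URI are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
LABEL = "{http://ukfederation.org.uk/2006/11/label}"  # assumed URI, not given on the page
# Affiliations the page lists as typically authorised under the JISC Model Licence.
LICENSED = {"member", "student", "staff", "faculty", "employee"}
SUBSCRIBED_SCOPES = {"uni.ac.uk"}  # constructed subscriber list held by the SP

# Constructed federation metadata: the first IdP asserts accountability, the second does not.
SAMPLE_METADATA = """
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label">
  <md:EntityDescriptor entityID="https://idp.uni.ac.uk/shibboleth">
    <md:Extensions><ukfedlabel:AccountableUsers/></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.college.example/shibboleth">
    <md:Extensions/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def accountable_idps(metadata_xml):
    """entityIDs whose <Extensions> directly contains <AccountableUsers> (note 9)."""
    root = ET.fromstring(metadata_xml)
    return {e.get("entityID") for e in root.iter(MD + "EntityDescriptor")
            if e.find(MD + "Extensions/" + LABEL + "AccountableUsers") is not None}

def parse_scoped(value):
    """Split 'member@uni.ac.uk' into (affiliation, scope); None if malformed."""
    affiliation, sep, scope = value.partition("@")
    if not sep or not affiliation or not scope or "@" in scope:
        return None
    return affiliation.lower(), scope.lower()  # case-insensitive match: this example's choice

def authorise(entity_id, attrs, accountable):
    """Return (allowed, reason); attrs maps attribute name to a list of values."""
    if entity_id not in accountable:
        return False, "IdP not marked as offering user accountability (note 9)"
    if not attrs.get("eduPersonTargetedID"):
        return False, "eduPersonTargetedID not released (note 12)"
    for value in attrs.get("eduPersonScopedAffiliation", []):
        parsed = parse_scoped(value)
        if parsed and parsed[1] in SUBSCRIBED_SCOPES and parsed[0] in LICENSED:
            return True, "licensed affiliation " + value
    return False, "no licensed affiliation from a subscribed scope (note 1)"

if __name__ == "__main__":
    login = {"eduPersonScopedAffiliation": ["alum@uni.ac.uk", "staff@uni.ac.uk"],
             "eduPersonTargetedID": ["constructed-opaque-id"]}
    print(authorise("https://idp.uni.ac.uk/shibboleth", login, accountable_idps(SAMPLE_METADATA)))
```

The checks fail closed: a missing attribute, a malformed scoped value or an IdP absent from the accountable set all result in a refusal with the note that caused it.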