Jorum from EDINA

Posted on Tuesday, 8 July 2008

Jorum is a JISC-funded collaborative venture in UK Higher and Further Education to collect and share learning and teaching materials, allowing their reuse and repurposing, and standing as a national statement of the importance of creating interoperable, sustainable materials. It is run jointly between the EDINA and Mimas national data centres.

Org.    Service   Shib.   Attribute                     Notes      Required
EDINA   Jorum     1.3     eduPersonScopedAffiliation    1          Yes
                          eduPersonTargetedID           2, 9, 12   Yes
                          givenName                     5          No
                          sn                            5          No
                          o                             5          No
                          ou                            5          No
                          mail                          5          No

WAYFless URL:

Jorum Depositor:

xxx?target=https://target.sdss.ac.uk/jorum/jorumlogin-shib%3FuserClass%3Dcontributor&shire=https://target.sdss.ac.uk/jorum/Shibboleth.sso/SAML/POST&providerId=urn:mace:ac.uk:sdss.ac.uk:provider:service:edina.ac.uk:jorum

Jorum User:

xxx?target=https://target.sdss.ac.uk/jorum/jorumlogin-shib%3FuserClass%3DendUser&shire=https://target.sdss.ac.uk/jorum/Shibboleth.sso/SAML/POST&providerId=urn:mace:ac.uk:sdss.ac.uk:provider:service:edina.ac.uk:jorum

where xxx is the IdP's SSO service location, such as https://idp.rummidge.ac.uk/shibboleth-idp/SSO
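The two URLs above differ only in the userClass value buried inside the target parameter, and that nested query string is the part that is easy to get wrong: target must be percent-encoded as a whole ("%3F", "%3D") or the IdP will read userClass as one of its own parameters. The following Python is an added example (not Jorum's, EDINA's or the federation's code) that builds both URLs from the page's own shire and providerId values and then decodes a WAYFless URL and applies the checks an operator would want before publishing it. The IdP SSO location is the page's illustrative rummidge.ac.uk host, and the "same host as the SP, https only" rules for shire are this example's own sanity checks, not a federation requirement.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the page's two WAYFless URLs for Jorum.
SHIRE = "https://target.sdss.ac.uk/jorum/Shibboleth.sso/SAML/POST"
PROVIDER_ID = "urn:mace:ac.uk:sdss.ac.uk:provider:service:edina.ac.uk:jorum"
TARGET_BASE = "https://target.sdss.ac.uk/jorum/jorumlogin-shib"
USER_CLASSES = {"depositor": "contributor", "user": "endUser"}


def build_wayfless_url(idp_sso: str, role: str) -> str:
    """Build a Shibboleth 1.3 WAYFless URL for the given IdP SSO endpoint.

    The target carries its own query string (userClass=...), so it is
    percent-encoded as a single value before being embedded; otherwise the
    IdP would see userClass as a parameter of the SSO request itself.
    """
    user_class = USER_CLASSES[role]
    target = TARGET_BASE + "?" + urlencode({"userClass": user_class})
    # safe=":/" keeps scheme and path characters readable, as on the page;
    # the '?' and '=' inside target are still encoded as %3F and %3D.
    query = urlencode(
        {"target": target, "shire": SHIRE, "providerId": PROVIDER_ID},
        safe=":/",
    )
    return f"{idp_sso}?{query}"


def check_wayfless_url(url: str) -> dict:
    """Decode a WAYFless URL and sanity-check it before publication.

    Checks (this example's own rules): target, shire and providerId each
    present exactly once; target and shire both https and on the same host,
    so a tampered URL cannot route the assertion to a third-party shire;
    providerId is Jorum's. Returns the decoded pieces.
    """
    parts = urlsplit(url)
    qs = parse_qs(parts.query, strict_parsing=True)
    for name in ("target", "shire", "providerId"):
        if len(qs.get(name, [])) != 1:
            raise ValueError(f"{name} must appear exactly once")
    target, shire, provider_id = qs["target"][0], qs["shire"][0], qs["providerId"][0]
    t, s = urlsplit(target), urlsplit(shire)
    if t.scheme != "https" or s.scheme != "https":
        raise ValueError("target and shire must both be https")
    if t.netloc != s.netloc:
        raise ValueError(f"shire host {s.netloc} differs from target host {t.netloc}")
    if provider_id != PROVIDER_ID:
        raise ValueError(f"unexpected providerId {provider_id}")
    return {
        "idp_sso": f"{parts.scheme}://{parts.netloc}{parts.path}",
        "user_class": parse_qs(t.query)["userClass"][0],
        "shire": shire,
        "provider_id": provider_id,
    }


if __name__ == "__main__":
    for role in USER_CLASSES:
        url = build_wayfless_url("https://idp.rummidge.ac.uk/shibboleth-idp/SSO", role)
        print(role, url)
        print(check_wayfless_url(url))
```

Because the shire value names where the IdP will POST the user's assertion, a URL that has been edited to point shire at another host is worth rejecting outright; the Shibboleth 1.3 IdP is also expected to check shire against the SP's metadata, but a check at publication time costs nothing.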

Please note that WAYFless URLs cannot be guaranteed to remain unchanged over time.

Log-in page: "Quick Links" (on the left) lead to separate "User" and "Contributor" login pages.

User Accountability: required (similar to Digimap).

This service is available for subscription to UK HE, FE & research councils through JISC Collections.

Notes:

1. The only attribute that an identity provider must release for its users to be able to access many services that are licensed for use by everyone at a particular organisation is eduPersonScopedAffiliation. This is a scoped attribute, which might, for example, have the value "member" in scope "uni.ac.uk", often written as:

member@uni.ac.uk

It is used for the basic authorisation decision: does uni.ac.uk subscribe to the service in question? If so, the user is allowed access. The service provider maintains its own list of which organisations (scopes) can access its service. For allowed organisations, the federation's Technical Recommendations for Participants indicate that, in HE/FE, users with scoped affiliation values from the set {member, student, staff, faculty, employee} are typically authorised to access content licensed on the basis of the JISC Model Licence, while {affiliate, alum} are not.

An identity provider can generate eduPersonScopedAffiliation automatically (without an attribute store) by setting the required scope in resolver.xml, as described in SetupIdP.
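The authorisation decision described in note 1 is small enough to write down, and doing so shows the two checks a service provider has to get right: the scope must match a subscriber exactly (a suffix match would let "member@uni.ac.uk.evil.example" through), and a scope must be one the asserting IdP is entitled to use (the Shibboleth SP checks scoped attributes against the IdP's Scope elements in federation metadata; it is modelled here with permitted_scopes). The following Python is an added example, not Jorum's or the federation's code. The allowed and denied affiliation sets are the ones quoted above from the Technical Recommendations; the subscriber list is constructed.

```python
# Affiliation sets as quoted from the federation's Technical Recommendations.
ALLOWED_AFFILIATIONS = frozenset({"member", "student", "staff", "faculty", "employee"})
DENIED_AFFILIATIONS = frozenset({"affiliate", "alum"})

# Constructed stand-in for the service provider's own subscriber list (scopes).
SUBSCRIBERS = frozenset({"uni.ac.uk", "rummidge.ac.uk"})


def parse_scoped_affiliation(value):
    """Split 'affiliation@scope' into a normalised (affiliation, scope) pair.

    Anything malformed (no '@', more than one '@', an empty half) returns
    None and is ignored by the caller rather than guessed at.
    """
    if value.count("@") != 1:
        return None
    affiliation, scope = value.split("@")
    affiliation, scope = affiliation.strip().lower(), scope.strip().lower()
    if not affiliation or not scope:
        return None
    return affiliation, scope


def authorise(values, subscribers=SUBSCRIBERS, permitted_scopes=None):
    """Decide access from the eduPersonScopedAffiliation values an IdP released.

    values: the (possibly multi-valued) attribute as a list of strings.
    permitted_scopes: scopes this IdP may assert, from its metadata; None
    skips that check (only sensible when the SP software already did it).
    Returns (allowed, reason). Access is granted as soon as one value names
    a subscribing scope with an allowed affiliation; exact scope match only.
    """
    reasons = []
    for raw in values:
        parsed = parse_scoped_affiliation(raw)
        if parsed is None:
            reasons.append(f"ignored malformed value {raw!r}")
            continue
        affiliation, scope = parsed
        if permitted_scopes is not None and scope not in permitted_scopes:
            reasons.append(f"scope {scope} is not one this IdP may assert")
            continue
        if scope not in subscribers:
            reasons.append(f"{scope} does not subscribe")
            continue
        if affiliation in ALLOWED_AFFILIATIONS:
            return True, f"{affiliation}@{scope}: subscribing organisation, licensed affiliation"
        if affiliation in DENIED_AFFILIATIONS:
            reasons.append(f"{affiliation}@{scope} is not covered by the licence")
        else:
            reasons.append(f"unknown affiliation {affiliation!r} at {scope}")
    return False, "; ".join(reasons) or "no eduPersonScopedAffiliation released"


if __name__ == "__main__":
    for released in (["member@uni.ac.uk"], ["alum@uni.ac.uk"],
                     ["alum@uni.ac.uk", "staff@uni.ac.uk"],
                     ["member@uni.ac.uk.evil.example"], []):
        print(released, "->", authorise(released))
```

Note that the decision is per value: an alumnus who also holds a staff affiliation is released both values and is admitted on the staff one, while a user with only alum@uni.ac.uk is refused even though uni.ac.uk subscribes.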

2. Many services can make use of the eduPersonTargetedID attribute. This is a persistent opaque identifier, which enables service personalisation (remembering data about a user over different login sessions) without the service provider knowing who the user is. If the identity provider supplies the eduPersonTargetedID attribute, the session is treated similarly to an Athens personal account. Otherwise, the service's personalisation features (e.g., saved searches) may be disabled, though the service will still function in the same way as with Athens shared accounts. With some services (e.g., Zetoc Alert) this attribute is mandatory. If so, it is marked as "Required/Yes" in the table in Attribute Usage.

A Shibboleth identity provider can generate the opaque eduPersonTargetedID attribute automatically from some other stored attribute that holds the user id in the clear. All values of the stored attribute must be unique, and, preferably, not subject to reuse. If the only suitable available stored attribute might be reused then care must be taken (particularly for organisations asserting user accountability) to ensure that no value of that attribute is reallocated to another user for at least two years after being cancelled.

The actual modification depends on the contents of your directory, but if there is a suitable attribute in the directory called, say, "uid" then you should modify your resolver.xml file to include the following:

<!-- Fragment for resolver.xml (Shibboleth 1.3 IdP): derives eduPersonTargetedID
     from the directory attribute "uid" -->
<PersistentIDAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonTargetedID"
                                 scope="SSSSSSSS" sourceName="uid">
   <!-- "directory" is the id of the DataConnector that supplies "uid" -->
   <DataConnectorDependency requires="directory"/>
   <!-- constant, secret, at least 16 characters; see the note below -->
   <Salt>XXXXXXXXXXXXXXXXXXXXXXX</Salt>
</PersistentIDAttributeDefinition>

Replace the scope "SSSSSSSS" with the domain for which the attribute is to be asserted, e.g., "uni.ac.uk". The <Salt> is a constant, arbitrary value that you should choose once and keep secret. The value must be at least 16 characters long; a shorter value is silently ignored, and the software then expects the salt to be supplied from a Java keystore. The Salt value is used to generate the persistent opaque identifier from the scope and some other attribute, normally the user id (assumed in the example above to exist within the directory as an attribute called "uid"). Its purpose is to prevent anyone working back from the opaque identifier to the user's identity: without a secret salt, anyone who knows the scope and the hash function used could recover the user id by an exhaustive search of the possible user ids.

The default Shibboleth attribute release policy does not release eduPersonTargetedID. You must therefore manually edit the arp.site.xml file to enable this feature, as described under Attribute Release below.

Please note a caveat about the definition of eduPersonTargetedID in some older versions of the resolver.xml file.
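To make the role of the Salt in note 2 concrete, the following Python is an added model of the computed identifier, not Shibboleth's own code. It derives an opaque identifier from the relying party's providerId, the local user id and the salt, refuses salts shorter than the 16 characters the page requires, and then runs the exhaustive search the salt is meant to defeat: the search recovers the user id from an unsalted identifier and fails against a salted one. The hash input layout (providerId, local id and salt joined by "!", SHA-1, base64, scope appended) is an assumption modelled on the general shape of Shibboleth's computed-ID scheme; check it against the IdP version you run before treating the values as interoperable. The relying parties other than Jorum's, the user ids and the salt are constructed.

```python
import base64
import hashlib

# Jorum's providerId from the page; the second relying party, the scope,
# the user ids and the salt are constructed for this example.
SP_JORUM = "urn:mace:ac.uk:sdss.ac.uk:provider:service:edina.ac.uk:jorum"
SP_OTHER = "https://sp.example.ac.uk/shibboleth"
SCOPE = "uni.ac.uk"
SALT = "example-salt-do-not-reuse-9f3c1b7a"
CANDIDATE_UIDS = [f"ab{n:04d}" for n in range(10_000)]


def compute_targeted_id(relying_party, local_id, salt, scope=SCOPE):
    """Opaque, per-relying-party identifier for local_id.

    Assumed layout: SHA-1("providerId!localId!salt"), base64, then "@scope".
    The same user gets a different value at every service (targeted), and the
    same value at one service across sessions (persistent).
    """
    if len(salt) < 16:
        # Mirrors the page's rule: Shibboleth 1.3 silently ignores a shorter
        # salt, which is worse than failing loudly.
        raise ValueError("salt must be at least 16 characters")
    digest = hashlib.sha1(f"{relying_party}!{local_id}!{salt}".encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii") + "@" + scope


def unsalted_id(relying_party, local_id, scope=SCOPE):
    """The weak variant: every input is public (providerIds are in federation
    metadata), so the identifier is only as secret as the user id itself."""
    digest = hashlib.sha1(f"{relying_party}!{local_id}".encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii") + "@" + scope


def recover_uid(targeted_id, relying_party, candidate_uids, scope=SCOPE):
    """Exhaustive search available to anyone who knows the scope, the
    relying party and the hash function but not the salt. It can only
    succeed if no secret salt went into the identifier."""
    for uid in candidate_uids:
        if unsalted_id(relying_party, uid, scope) == targeted_id:
            return uid
    return None


if __name__ == "__main__":
    uid = "ab0420"
    salted = compute_targeted_id(SP_JORUM, uid, SALT)
    print("Jorum  :", salted)
    print("other  :", compute_targeted_id(SP_OTHER, uid, SALT))
    print("recovered from unsalted:", recover_uid(unsalted_id(SP_JORUM, uid), SP_JORUM, CANDIDATE_UIDS))
    print("recovered from salted  :", recover_uid(salted, SP_JORUM, CANDIDATE_UIDS))
```

The function is deterministic in the local id, which is exactly why the page's reuse caveat matters: if "ab0420" is cancelled and later reallocated, the new holder inherits the old holder's eduPersonTargetedID at every service, and with it any personalisation or registration tied to it.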

5. Some services can make use of optional attributes if an identity provider offers them. For example, MIMAS Landmap and EDINA Digimap make use of the user's given name (givenName), surname (sn) and organisational unit (ou, treated as a Department name), if present. (Digimap uses these attributes, if present, to populate its initial online user registration form, not for ordinary logins). If such optional attributes are not supplied by the Identity Provider, the service may require the user to enter the same information manually, and these entries may need to be manually checked by the operator of the service.

9. Some services (including EDINA services which require individual user registration, and MIMAS Landmap & CrossFire) will only grant access to users from an identity provider marked in the UK federation metadata as offering user accountability as defined in section 6 of the federation's Rules of Membership. Identity providers that offer user accountability are marked by having an <AccountableUsers> element within the <Extensions> element of the IdP's <EntityDescriptor>.
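A service that requires user accountability has to read this label out of the federation metadata rather than take the IdP's word for it. The following Python is an added example (not Jorum's, EDINA's or the federation's code) that parses a constructed metadata file containing one accountable IdP, one non-accountable IdP and one SP, and reports which IdPs may be admitted. It looks for the label only directly under the EntityDescriptor's own Extensions, as note 9 specifies, so a label placed under a role descriptor's Extensions does not count. The UK federation label namespace used here is an assumption to confirm against the federation's published metadata, and the metadata itself is constructed; real federation metadata is signed and should be signature-verified before any label in it is trusted.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
    # UK federation label namespace: assumed here, confirm against the
    # federation's published metadata.
    "ukfedlabel": "http://ukfederation.org.uk/2006/11/label",
}

# Constructed metadata. Verify the signature on real metadata before use.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:shibmd="{NS['shibmd']}"
    xmlns:ukfedlabel="{NS['ukfedlabel']}" Name="constructed-example">
  <md:EntityDescriptor entityID="https://idp.rummidge.ac.uk/shibboleth">
    <md:Extensions>
      <ukfedlabel:UKFederationMember/>
      <ukfedlabel:AccountableUsers/>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0">
      <md:Extensions><shibmd:Scope regexp="false">rummidge.ac.uk</shibmd:Scope></md:Extensions>
      <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
          Location="https://idp.rummidge.ac.uk/shibboleth-idp/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/shibboleth">
    <md:Extensions><ukfedlabel:UKFederationMember/></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0">
      <!-- label in the wrong place: under the role, not the entity -->
      <md:Extensions>
        <shibmd:Scope regexp="false">example.ac.uk</shibmd:Scope>
        <ukfedlabel:AccountableUsers/>
      </md:Extensions>
      <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
          Location="https://idp.example.ac.uk/shibboleth-idp/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="urn:mace:ac.uk:sdss.ac.uk:provider:service:edina.ac.uk:jorum">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
          Location="https://target.sdss.ac.uk/jorum/Shibboleth.sso/SAML/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def idp_accountability(metadata_xml):
    """Map each IdP entityID to whether ukfedlabel:AccountableUsers sits
    directly under the EntityDescriptor's own Extensions element."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ed.find("md:IDPSSODescriptor", NS) is None:
            continue  # not an IdP
        ext = ed.find("md:Extensions", NS)  # direct child only
        result[ed.get("entityID")] = (
            ext is not None and ext.find("ukfedlabel:AccountableUsers", NS) is not None
        )
    return result


def idp_permitted(metadata_xml, entity_id):
    """Decision an accountability-requiring SP such as Jorum would make for
    a login from entity_id: unknown entities and SPs are refused."""
    return idp_accountability(metadata_xml).get(entity_id, False)


if __name__ == "__main__":
    for entity, accountable in idp_accountability(SAMPLE_METADATA).items():
        print(entity, "accountable" if accountable else "NOT accountable")
```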

12. This service provider requires that an identity provider presents eduPersonTargetedID. This allows logins to be related back to the user's registration details. Configuration of eduPersonTargetedID is described in note 2 above.