USMAI Consortium of Libraries
University System of Maryland and Affiliated Institutions
Shibboleth/ILLiad Integration
Overview
This document includes a few notes about how we set up the interaction between ILLiad and Shibboleth at USMAI. At the time of writing this document, and of installing all of the pieces, we were using ILLiad 7.1.8 and Shibboleth SP version 1.2.1. We will be upgrading both of these pieces in July/August 2007, and will provide notes at that time for both SP 1.3 and ILLiad 7.2.
It is important to note right off the bat that in the ILLiad/Shibboleth setup, ILLiad expects Shibboleth to do the authentication AND the authorization. We needed a solution where Shibboleth provided the authentication and ILLiad provided the authorization.
Shibboleth authenticating for ILLiad
We wrapped the Shibboleth SP around the ILLiad web interface and required a Shibboleth login, so that a user must authenticate via Shibboleth before reaching ILLiad's web interface. (We made an exception for the lending interface: since its users are different, lending was not protected by Shibboleth and was moved to a separate web directory.) We also created a separate logout that logs the user out of the Shibboleth SP and then redirects them through the IdP's logout.
So, at this point in the process, Shibboleth is "protecting" ILLiad, but not yet passing ILLiad any user information.
Atlas added three configuration settings, CoSignSupport, CoSignWebPath, and WebAuthnUserVariable, in order to map a Shibboleth user attribute to an ILLiad user account. (CoSignSupport is set to Yes; CoSignWebPath is set to the path to the web files on the C:\ drive; WebAuthnUserVariable is set to the name of the HTTP header in which Shibboleth supplies the user attribute.)
We set the logout URL (WebLogoutURL) to go through the IdP logout, with a return URL that passes through the SP logout: https://login.lib.umd.edu/shibboleth/logout?url=http://illexpress-sm.umd.edu/logout
The SP logout destroys the SP cookie and redirects to the library home page. At this point, ILLiad is aware of one of the user attributes that Shibboleth provides, and it uses this attribute to map the session to an ILLiad user account.
[ILLiad 7.2 note: In version 7.2, these variables have been renamed to RemoteAuthSupport, RemoteAuthUserVariable, RemoteAuthWebLogoutURL, and RemoteAuthWebPath. See RemoteAuth Authentication for more details.]
Authorization in ILLiad
With the above setup, ILLiad assumes that everyone who gets past Shibboleth is a valid user and may use the ILLiad system. Users are allowed to self-register and can choose their own attributes during registration.
We wanted to map user attributes from Shibboleth directly into the registration process. This would ease the registration process for the end user, and it would also allow us to enforce certain user attributes, like borrower type and expiration date.
We did this through a combination of ASP and JavaScript, which I have included for reference. This is somewhat of a hack, because it is all in the HTML/ASP, but it does the trick. Here is a simple description of the main components of our scripting:
- include an address.asp page in NewUserRegistration.html via an IFRAME
- address.asp takes the Shibboleth attributes from the HTTP headers, maps them into JavaScript variables, and then sets the values of the user registration form from those variables
- the borrower type field is hidden in the user registration form, so the user cannot change the value that Shibboleth provides
- we map "invalid" borrower types, as well as expired patrons, to an ILLiad status of "Blocked"
- we then create web pages with the Blocked extension, which lets us customize web pages by borrower type and essentially block those users from functionality
- address.asp is executed only during the initial registration process
- we also include an expire.asp page in most of our HTML via another IFRAME
- expire.asp checks the expiration date supplied by Shibboleth and redirects the browser to an HTML page with an expired message
- expire.asp is therefore executed each time a user accesses ILLiad
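The following is an added example, not the USMAI address.asp or expire.asp and not ILLiad code: it shows the two pieces of logic the list above describes (the address.asp mapping of SP-supplied headers into registration values, with unknown borrower types and expired patrons mapped to the Blocked status, and the expire.asp expiration check that decides whether to redirect) as plain JavaScript so the rules can be run and tested offline. The header names (eppn, givenName, sn, mail, borrowerType, expirationDate), the YYYYMMDD date format, the allowed borrower-type codes, the form field names and the expired page path are assumptions, not values taken from the USMAI files.

```javascript
// Added example (not USMAI's address.asp/expire.asp): the header-to-registration mapping
// and the expiration check described on the page, written as plain JavaScript so the
// logic can be run and tested offline. Header names, borrower-type codes, form field
// names and the expired page path are assumptions, not values from the USMAI files.

const VALID_BORROWER_TYPES = new Set(["Faculty", "Graduate", "Undergraduate", "Staff"]); // assumed codes
const BLOCKED_STATUS = "Blocked";             // ILLiad status used for blocked users (from the page)
const EXPIRED_PAGE = "/illiad/Expired.html";  // assumed location of the "expired" page

// Case-insensitive lookup of an HTTP header; returns "" when absent so every caller
// sees a string and a missing attribute is handled like a blank one.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === want) return String(headers[key]).trim();
  }
  return "";
}

// Parse an expiration date in YYYYMMDD form (assumed format) into a UTC Date.
// Returns null for anything malformed, including calendar-impossible dates that
// the Date constructor would otherwise roll over silently (e.g. 20070231).
function parseExpiration(raw) {
  const m = /^(\d{4})(\d{2})(\d{2})$/.exec(raw);
  if (!m) return null;
  const [y, mo, d] = [Number(m[1]), Number(m[2]), Number(m[3])];
  const date = new Date(Date.UTC(y, mo - 1, d));
  if (date.getUTCFullYear() !== y || date.getUTCMonth() !== mo - 1 || date.getUTCDate() !== d) {
    return null;
  }
  return date;
}

// expire.asp logic: a patron is expired when the SP-supplied date is missing,
// unparsable or earlier than "now". Fails closed: no usable date means no access.
function isExpired(headers, now) {
  const exp = parseExpiration(getHeader(headers, "expirationDate"));
  return exp === null || exp.getTime() < now.getTime();
}

// Where expire.asp should send the browser: the expired page, or null to continue.
function expirationRedirect(headers, now) {
  return isExpired(headers, now) ? EXPIRED_PAGE : null;
}

// address.asp logic: build the values the registration form is filled with.
// Borrower type comes only from the SP header; an unknown type or an expired
// patron is mapped to the Blocked status, as the page describes.
function mapRegistration(headers, now) {
  const borrowerType = getHeader(headers, "borrowerType");
  const valid = VALID_BORROWER_TYPES.has(borrowerType);
  const expired = isExpired(headers, now);
  return {
    username: getHeader(headers, "eppn"),   // the attribute named by WebAuthnUserVariable (assumed to be eppn)
    firstName: getHeader(headers, "givenName"),
    lastName: getHeader(headers, "sn"),
    email: getHeader(headers, "mail"),
    status: valid && !expired ? borrowerType : BLOCKED_STATUS,
    expirationDate: getHeader(headers, "expirationDate"),
  };
}

// Constructed sample: the headers the SP would present for one session.
const SAMPLE_HEADERS = {
  eppn: "jdoe@umd.edu",
  givenName: "Jane",
  sn: "Doe",
  mail: "jdoe@umd.edu",
  borrowerType: "Faculty",
  expirationDate: "20080531",
};

// Fixed "now" (2007-06-01) so the example is reproducible.
const NOW = new Date(Date.UTC(2007, 5, 1));
console.log(mapRegistration(SAMPLE_HEADERS, NOW));
console.log(expirationRedirect(SAMPLE_HEADERS, NOW));
```

Both decisions are made from the SP-supplied headers alone, on the server side where address.asp and expire.asp run; the registration form only receives the already-computed values. The date check deliberately treats a missing or malformed expiration date as expired, so a patron whose record lacks the attribute is blocked rather than admitted by accident.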
Reference
- address.asp
- expire.asp
- NewUserRegistration.html
- logout/index.html
- Relevant settings from Shibboleth.xml
Shibboleth at USMAI
© 2005 University System of Maryland and Affiliated Institutions.