Curtin University Acceptance Tests
Theme: WALAP Universities Authenticated Library Services
Identity Providers:
Three WALAP Universities join the Federation as IdPs (institutional) in 2006.
(It is understood that the remaining WALAP universities will join as institutional IdPs in 2007. However, these will not be included in the acceptance test.)
Service Providers:
SP1:
Reciprocal Workstation Authentication Service (hosted at Curtin University)
The Public Workstation Authentication system enables authorised people at WAGUL universities to access library workstations and electronic scholarly information resources at Curtin LIS. It currently makes use of the WALAP eTrust Directory to authenticate users from the other WAGUL universities, i.e. UWA, Murdoch and ECU. The implementation of this access complements the general provision of 'walk-in' access. The application is web based and is currently hosted at Curtin. It relies on the clients identifying the University they are enrolled in as part of the login process, followed by an LDAP lookup of the appropriate eTrust directory. The system consists of a .NET application that runs on the workstations and a Perl library that runs on the server to broker the LDAP requests.
SP2:
Reciprocal Borrower Check Service (hosted at Edith Cowan University).
The WAGUL Reciprocal Borrower Check system enables authorised people at WAGUL universities to perform searches for the current enrolment/employment status of reciprocal borrowers. The assumption is that all of the reciprocal borrowers are members of WAGUL universities. The application is web-based and is hosted at Edith Cowan University. It consists of a number of PHP scripts that query the WALAP eTrust Directory infrastructure both to authorise searchers and to obtain status information about reciprocal borrowers.
| Note from MAMS: Notice that this SP is much more difficult, since using Shibboleth means that there will no longer be a meta-directory containing all users. However, it is of direct relevance to our PeoplePicker service, which allows authN users to see some attributes of other Shibboleth members. Our current view expects the IdP to have a WS component that can use OpenSAML to create SAML assertions containing the necessary information. The expected scenario will be that authZ users (via a browser) will first retrieve a SAML assertion from their own IdP; next, this SAML assertion is used to authN against an external IdP's web service together with a query for relevant enrolment information. The client's SAML assertion is used to authZ the user, and to determine which user attributes the client can retrieve. This will probably require a special attribute release policy for authZ WAGUL members, so they can see the enrolment status of other members. |
Acceptance Test Procedure
Following are preliminary, high-level test procedures. Detailed procedures will be defined following discussion between MAMS and the project team.
- For IdP: At each of the three IdPs, I can log in via Shibboleth as an authorized user and reach a JSP test page showing the user's attributes. This may mean that you will have to create a guest account for us.
- For SP1: Log in at any of the three IdPs as an authorized user via Shibboleth, and access Curtin's electronic scholarly information. Presuming student access and staff access differ, we would like to test both kinds of authorized user. Finally, from a demo point of view, we would like to run the same tests using default test users at MAMS-IdP (in level 2), such as our student, staff, member, or admin users. We can set up the required ARP to release the correct attributes.
- For SP2: Log in at any of the three IdPs as an authorized user via Shibboleth, and check the enrolment status of a WAGUL member (identified by EPPN or userid). Finally, from a demo point of view, we would like to access the service as well using the admin test user at MAMS-IdP (in level 2).
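The SP2 exchange sketched in the MAMS note (user obtains an assertion from their own IdP, presents it to another IdP's web service together with an enrolment query, and the assertion both authorises the requester and limits which attributes are released) and the student/staff ARP distinction raised under SP1 can be modelled together. The following is an added example written for this page, not code from the WAGUL project, MAMS or Shibboleth/OpenSAML. It makes simplifying assumptions: an HMAC-signed JSON document stands in for an XML-signed SAML assertion, in-memory dicts stand in for the eTrust directories, and the hostnames, EPPNs, affiliations and ARP entries are constructed for illustration.

```python
"""Model of a cross-IdP enrolment-status query gated by an attribute release policy.

Added example; not the project's code. HMAC over JSON stands in for SAML/XML-DSig,
and all identifiers and sample users below are constructed for illustration.
"""
import hashlib
import hmac
import json
import time

# Constructed user stores, one per IdP (assumption; not real WAGUL directory data).
IDP_USERS = {
    "idp.curtin.example": {
        "jsmith@curtin.example": {"eduPersonAffiliation": "staff", "enrolmentStatus": "current"},
    },
    "idp.ecu.example": {
        "abrown@ecu.example": {"eduPersonAffiliation": "student", "enrolmentStatus": "current"},
        "cdoe@ecu.example": {"eduPersonAffiliation": "alum", "enrolmentStatus": "expired"},
    },
}

# Per-IdP signing keys. Stand-in for verifying the issuing IdP's signing certificate
# from federation metadata.
IDP_KEYS = {"idp.curtin.example": b"curtin-demo-key", "idp.ecu.example": b"ecu-demo-key"}

# Attribute release policy enforced by the queried IdP's web service: which attributes
# of a local member a requester with the given affiliation may retrieve.
# Staff may check reciprocal borrowers; students and plain members may not.
ARP = {
    "staff": {"enrolmentStatus", "eduPersonAffiliation"},
    "student": set(),
    "member": set(),
}

ASSERTION_LIFETIME = 300  # seconds; assertions are short-lived


def issue_assertion(issuer, eppn, audience, now=None):
    """The user's own IdP issues a signed assertion scoped to one target web service."""
    now = time.time() if now is None else now
    user = IDP_USERS[issuer][eppn]
    claims = {
        "iss": issuer,
        "sub": eppn,
        "aud": audience,
        "affiliation": user["eduPersonAffiliation"],
        "nbf": now,
        "exp": now + ASSERTION_LIFETIME,
    }
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_KEYS[issuer], payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "sig": sig}


def verify_assertion(assertion, expected_audience, now=None):
    """Check issuer key, signature, audience and validity window. Returns claims or None."""
    now = time.time() if now is None else now
    payload = assertion["payload"].encode()
    claims = json.loads(payload)
    key = IDP_KEYS.get(claims.get("iss"))
    if key is None:
        return None  # unknown issuer: not a federation IdP we trust
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None  # tampered or forged
    if claims.get("aud") != expected_audience:
        return None  # assertion minted for a different service; reject replay across services
    if not (claims["nbf"] <= now < claims["exp"]):
        return None  # outside validity window
    return claims


def enrolment_query(ws_idp, assertion, target_eppn, requested):
    """Web service at ws_idp: authorise the requester, then release only ARP-permitted attributes."""
    return _enrolment_query(ws_idp, assertion, target_eppn, requested, now=None)


def _enrolment_query(ws_idp, assertion, target_eppn, requested, now):
    claims = verify_assertion(assertion, expected_audience=ws_idp, now=now)
    if claims is None:
        return {"status": "denied", "reason": "invalid assertion"}
    permitted = ARP.get(claims["affiliation"], set())
    if not permitted:
        return {"status": "denied", "reason": "affiliation not authorised to query members"}
    record = IDP_USERS[ws_idp].get(target_eppn)
    if record is None:
        return {"status": "unknown"}  # not a member of this IdP
    released = {a: record[a] for a in requested if a in permitted and a in record}
    return {"status": "ok", "attributes": released}


if __name__ == "__main__":
    # Curtin staff member queries ECU for a reciprocal borrower's status.
    a = issue_assertion("idp.curtin.example", "jsmith@curtin.example", "idp.ecu.example")
    print(enrolment_query("idp.ecu.example", a, "abrown@ecu.example", ["enrolmentStatus"]))
```

The two checks that matter for the acceptance test are visible here: the audience check stops an assertion obtained for one IdP's web service being replayed against another, and the ARP is keyed on the requester's own affiliation, so a student at one university gets "denied" while a staff member gets only the attributes the policy lists, even if they ask for more.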
--
NeilWitheridge - 21 Jul 2006