A while back I talked about the need for a ‘Where Are You Right Now?’ service within the UK federation. I’m pleased to say this work is now complete and ready for you to use.
Permission to access academic resources is typically achieved in one of two ways (ignoring some of the more spurious access approaches out there):
- Via IP recognition. This approach does not authenticate the user at all; it only establishes the user’s apparent location, based on the IP address of the device being used at the time, or;
- Via username and password (or other credentials). These enable an individual user to be identified, but do not typically carry information about the user’s location in the same transaction.
Whilst it is of course possible for a resource to check both, it is difficult to make complex or granular decisions based on this information alone, as an IP ‘authentication’ is typically an all-or-nothing binary decision. If you are in that IP range, you get access to everything; if you are not, you get access to nothing.
The UK federation has recently been exploring use cases where location information is both important AND granular alongside an individual unique authentication. There are some good use cases for this:
- Resources that can only be used by a named individual when they are in a specific room – such as an exam resource or a highly protected research resource;
- Walk-in access – where only specific resources are permitted to people who ‘walk-in’ to the library or campus.
To meet this demand, the UK federation has developed a ‘location assertion’ extension to the Shibboleth software. This can be downloaded and implemented by your IT department. The plugin creates attributes by checking whether the IP address of the user agent, at the time of authentication, falls within a given range of IP addresses identified by “CIDR blocks”, which you will more commonly recognise as IP range notation such as “192.0.2.0/24”.
To demonstrate how it works, this is one of the rare examples where showing the metadata can actually help provide clarity. Within the metadata configuration for your IdP, there will be a new section with the id ‘userAgentAttributes’ – like this:
A range of different CIDR blocks can then be cited, for example:
Individual machines can be expressed as entitlement values, for example:
For walk-in access, this would mean that you could safely manage a couple of guest accounts for library access on campus and hand them out to walk-in users, knowing that if they attempt to use the resource off-campus the correct location assertion will not be passed.
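To make the mechanism described above concrete, here is an added illustration (written for this post, not code from the UK federation extension, and not its real configuration syntax) of how an IdP-side resolver can turn the user agent’s address into location attribute values. The CIDR blocks, the `urn:example:location:*` entitlement values and the trusted-proxy address are constructed sample data; only the `192.0.2.0/24` block comes from the text. It also shows the walk-in case: a guest account used off-campus gets no location assertion, so a resource that requires the library value will refuse it. One check a practitioner will want is visible in `client_address`: if the IdP sits behind a reverse proxy, the `X-Forwarded-For` header is only honoured when the TCP peer is that proxy, because any browser can send the header itself.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample configuration: each CIDR block maps to the attribute value
# asserted when the user agent's address falls inside it. Overlapping blocks are
# fine; every matching block contributes its value. (Illustrative names only,
# not the extension's configuration format.)
LOCATION_RULES: Sequence[Tuple[str, str]] = (
    ("192.0.2.0/24", "urn:example:location:campus"),           # whole campus range
    ("192.0.2.128/26", "urn:example:location:library"),        # library subnet within it
    ("192.0.2.150/32", "urn:example:location:exam-room-pc7"),  # one named machine
    ("2001:db8:1::/48", "urn:example:location:campus"),        # IPv6 campus range
)

# Assumed address of a reverse proxy in front of the IdP (constructed value).
TRUSTED_PROXIES = frozenset({"10.0.0.5"})

WALK_IN_REQUIRED = "urn:example:location:library"


def client_address(remote_addr: str, x_forwarded_for: Optional[str] = None) -> IPAddress:
    """Work out which address to treat as the user agent's.

    X-Forwarded-For is honoured only when the TCP peer is a known proxy. Any
    client can send that header, so trusting it unconditionally would let an
    off-campus browser claim an on-campus address.
    """
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and str(peer) in TRUSTED_PROXIES:
        # The right-most entry was appended by our own proxy and is the peer it saw.
        return ipaddress.ip_address(x_forwarded_for.split(",")[-1].strip())
    return peer


def location_attributes(addr: IPAddress,
                        rules: Sequence[Tuple[str, str]] = LOCATION_RULES) -> List[str]:
    """Return every attribute value whose CIDR block contains addr, in rule order."""
    values: List[str] = []
    for cidr, value in rules:
        # strict=True rejects blocks with host bits set (e.g. 192.0.2.1/24) so a
        # typo in the configuration fails loudly instead of silently matching.
        net = ipaddress.ip_network(cidr, strict=True)
        if addr.version == net.version and addr in net and value not in values:
            values.append(value)
    return values


def resolve(remote_addr: str, x_forwarded_for: Optional[str] = None,
            rules: Sequence[Tuple[str, str]] = LOCATION_RULES) -> List[str]:
    """Full pipeline: peer/proxy handling, then CIDR matching at authentication time."""
    return location_attributes(client_address(remote_addr, x_forwarded_for), rules)


def walk_in_permitted(asserted: Sequence[str]) -> bool:
    """Resource-side decision for a walk-in guest account: library location required."""
    return WALK_IN_REQUIRED in asserted


if __name__ == "__main__":
    for peer, xff in (("192.0.2.10", None), ("192.0.2.150", None),
                      ("203.0.113.9", None), ("10.0.0.5", "192.0.2.150"),
                      ("203.0.113.9", "192.0.2.150")):
        values = resolve(peer, xff)
        print(f"{peer:14} xff={xff!s:14} -> {values} walk-in ok: {walk_in_permitted(values)}")
```

The last two sample calls are the interesting ones: the same forwarded address is accepted when it arrives via the trusted proxy and ignored when an untrusted peer supplies it, which is exactly the difference between a location assertion you can rely on and one that a guest account holder could forge from home.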
The UK federation already has uptake from the schools sector for this extension and would be very interested in feedback and possible use cases from UK HE and FE. We invite you all to download and explore the extension and its possible use.
So what are the possible drawbacks? The main risk I can see with this is general publisher apathy, which we struggle against all the time. Whilst the education sector is developing more and more sophisticated tools to ensure that the complex terms and conditions of academic licences are met, publishers are repeatedly failing to make proper use of the technology, meaning that the wrong groups gain access to resources. A classic example of this is publishers who ignore the values expressed in ScopedAffiliation fields (i.e. affiliate, member, student) and grant equal access to all of those groups. It is easy to imagine such a publisher ignoring the location assertion and making the technology development irrelevant.
I don’t have any magic answers to how to improve publisher behaviour and engagement, but I do think this extension is a great piece of work designed and developed to address a real community need – which is exactly what the federation should be doing. It’s now over to you to see what we can make of these tools.
*angle brackets have been harmed during the making of this blog post for formatting reasons. Money has been donated to the society for orphaned angle brackets.