Authentication
From TDL Wiki
The Texas Digital Library provides multiple services, each of which interacts with users from multiple academic institutions across the State of Texas. Handling the authentication and identity management of all these users and services – determining who should have access to which services – is a key concern for the TDL.
Logging in to TDL services
If you belong to a member institution that is part of the TDL Shibboleth Federation, you may log in to TDL services using your university ID and password (that is, the credentials you use to log in to secure online services at your university). If your university is a non-Shibboleth institution, or you are a user from an institution outside the Texas Digital Library, you must create a TDL user account.
The TDL Discovery Service page
When you click "log in" from any TDL service, you will be taken to a Discovery Service (or "Where Are You From?") page that lists all TDL "shibbolized" institutions and gives the option of logging in with (or creating) a TDL user account.
Using your university ID to log in to TDL services
STEP 1: Choose your school.
From the TDL Discovery Service page, click on your university logo, and you will be taken to your university's login page.
Note: On the bottom right of the Discovery Service page, you will see "Remember my selection?" with a checkbox. If you prefer that the TDL authentication system remember your institution selection, you may check this box.
With the box checked, your choice from the Discovery Service page is saved for as long as your browser window remains open (it is stored in a session cookie, not permanently). This means that if you log in to one TDL service, then go to a different TDL service and log in, you will skip the Discovery Service page and go directly to your university's login page.
STEP 2: Log in.
Enter and submit your login and password as you normally would when entering any secure online service at your university. Your credentials are entered on your university's own login page, not on a TDL page, so TDL never sees your password. Once you submit this information, you'll be taken back to the TDL service you started from.
Creating a TDL login ID and password
If your university is not listed on the TDL Discovery Service page, you need a TDL user account.
STEP 1: Sign up for a new account.
STEP 2: Create your account.
You will see an account creation form. Fill out this form and click "Validate Email Address."
STEP 3: Activate the account.
Check your e-mail. You should have received a message from TDL. Click on the link in the e-mail to activate your account.
STEP 4: Log in using your new TDL ID and password.
Use your e-mail address and password to log in. You will be sent back to the TDL service where you started the login process.
Shibboleth
In keeping with its commitment to the use of open-source technologies, the Texas Digital Library employs the Shibboleth federated authentication software for authentication and identity management. The Shibboleth System is a standards-based (SAML), open-source platform that allows TDL to authenticate users by leveraging its member institutions' authentication and identity management systems.
With Shibboleth, faculty and staff at participating TDL member institutions can log on to TDL services using the ID and password they use at their home institutions. The home institutions (or identity providers) give TDL enough information about each faculty member to enable authorization. In this way, faculty members at TDL institutions do not have to create unique IDs and passwords for TDL services, and TDL can leverage the existing authentication infrastructures of its member institutions.
How does Shibboleth work?
The TDL Shibboleth architecture is structured to include several service providers (SPs), several identity providers (IdPs), and a single "where are you from" (WAYF) service. These components work together using the Shibboleth authentication system to provide a secure, distributed authentication mechanism across the State of Texas. This process is described below and in the figure to the right.
- Request: First the user requests access to a resource provided by one of TDL's services. If authenticated access is required, the service provider automatically redirects the user to the "where are you from" service. At the WAYF the user is presented with a list of participating institutions.
- Source: At the WAYF, the user selects their home institution and is directed to an authentication website hosted by that institution, where they enter the username and password of their local identity. A user who is not from a participating institution may instead select TDL at the WAYF; in that case the TDL identity provider acts as their home institution and authenticates them with a TDL user account, an identity that has not been validated by any member institution.
- Delivery: Finally, after the user has successfully authenticated with their home institution, the identity provider returns them to the service provider together with the attributes the SP needs. They have now been authenticated using Shibboleth and are able to use the resource provided by TDL.
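The request/source/delivery exchange above, as an added worked example (not TDL's, LEARN's or the Shibboleth project's own code): a Python model of the Discovery Service hop using the parameter names of the SAML IdP Discovery protocol (`entityID`, `return`, `returnIDParam`) and its `_saml_idp` "remember my selection" cookie. The entityIDs, hostnames and registered endpoints are constructed sample data. The check a practitioner should take away is the return-URL validation: a WAYF that redirects wherever `return=` points is an open redirector sitting behind a trusted login page.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample federation metadata (assumed values, not TDL's real registrations):
# each service provider registers the exact endpoint the WAYF may send users back to.
SP_DISCOVERY_ENDPOINTS = {
    "https://sp.example-tdl.test/shibboleth": "https://sp.example-tdl.test/Shibboleth.sso/Login",
}

# Constructed list of federation identity providers, keyed by entityID (assumed values).
IDPS = {
    "https://idp.example-university.test/idp/shibboleth": "Example University",
    "https://idp.tdl.test/idp/shibboleth": "Texas Digital Library (TDL user accounts)",
}

COOKIE_NAME = "_saml_idp"  # the discovery profile's "remember my selection" cookie


def build_discovery_request(wayf_url, sp_entity_id, return_url, return_id_param="entityID"):
    """SP side, the "Request" step: send the user to the WAYF, saying who asks and where to answer."""
    query = urlencode({"entityID": sp_entity_id, "return": return_url, "returnIDParam": return_id_param})
    return f"{wayf_url}?{query}"


def _same_endpoint(candidate, registered):
    """Match scheme, host and path only; the SP may append its own query string (e.g. target=...)."""
    c, r = urlsplit(candidate), urlsplit(registered)
    return (c.scheme, c.netloc, c.path) == (r.scheme, r.netloc, r.path)


def handle_discovery(request_url, selected_idp, remember=False, cookie_value=None):
    """WAYF side, the "Source" step. Returns (redirect_location, new_cookie_value_or_None)
    and raises ValueError for any request the WAYF must not honour."""
    params = parse_qs(urlsplit(request_url).query)
    sp_entity_id = params.get("entityID", [None])[0]
    return_url = params.get("return", [None])[0]
    return_id_param = params.get("returnIDParam", ["entityID"])[0]

    registered = SP_DISCOVERY_ENDPOINTS.get(sp_entity_id)
    if registered is None:
        raise ValueError("unknown service provider entityID")
    # Without this check the WAYF is an open redirector: a phisher could route victims through
    # the trusted WAYF page with return=https://attacker.test/... and harvest the IdP choice.
    if return_url is None or not _same_endpoint(return_url, registered):
        raise ValueError("return URL does not match the SP's registered discovery endpoint")
    if selected_idp not in IDPS:
        raise ValueError("selected identity provider is not in the federation")

    # Append the chosen IdP's entityID to the SP's return URL, keeping whatever query it had.
    parts = urlsplit(return_url)
    query = parse_qs(parts.query)
    query[return_id_param] = [selected_idp]
    location = urlunsplit(parts._replace(query=urlencode(query, doseq=True)))

    new_cookie = None
    if remember:
        # Space-separated base64 entityIDs, most recent last; TDL issues it as a session cookie.
        seen = [base64.b64decode(v).decode() for v in (cookie_value or "").split()]
        seen = [e for e in seen if e != selected_idp] + [selected_idp]
        new_cookie = " ".join(base64.b64encode(e.encode()).decode() for e in seen)
    return location, new_cookie


def remembered_idp(cookie_value):
    """Most recent IdP from the cookie, or None. Lets a later login skip the WAYF menu."""
    entries = (cookie_value or "").split()
    if not entries:
        return None
    try:
        idp = base64.b64decode(entries[-1]).decode()
    except ValueError:  # malformed cookie: fall back to showing the menu
        return None
    return idp if idp in IDPS else None  # never redirect to an entityID outside the federation


def discovery_allowed(request_url, selected_idp):
    """Convenience predicate: would the WAYF honour this request?"""
    try:
        handle_discovery(request_url, selected_idp)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    req = build_discovery_request("https://wayf.example-learn.test/DS",
                                  "https://sp.example-tdl.test/shibboleth",
                                  "https://sp.example-tdl.test/Shibboleth.sso/Login?target=%2Fsecure")
    location, cookie = handle_discovery(req, "https://idp.example-university.test/idp/shibboleth", remember=True)
    print("redirect to:", location)
    print("remembered:", remembered_idp(cookie))
```

The "Delivery" step is not modelled here: after the SP receives the IdP's entityID it issues a SAML authentication request to that IdP and later validates the signed assertion it gets back, which is the Shibboleth SP software's job.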
LEARN Shibboleth Federation
In October 2009 TDL announced a partnership with the Lonestar Education and Research Network (LEARN) to collaborate on networking projects in service of Texas researchers and academics. One key part of the collaboration has been the development of a statewide Shibboleth Federation managed by LEARN.
The Shibboleth Federation sets the policies and manages the relationships among TDL service providers and its members’ identity providers. In the LEARN Federation, LEARN mediates the relationships between TDL services on one side and member identity providers on the other, essentially “vouching” that the information provided by identity providers is trustworthy.
TDL members within the LEARN Federation will deal directly with LEARN regarding issues with Shibboleth, NOT with the Texas Digital Library. Paul Caskey, of the University of Texas System, is managing the Federation for LEARN and will be the contact person for these issues.
LEARN Federation Contact:
Paul Caskey, 512-499-4591, pcaskey@utsystem.edu
Data Management
Identity providers assert that, to the best of their knowledge, all attributes sent to service providers in the federation accurately represent information about the authenticated individual accessing the service provider resource.
Service providers agree to securely maintain any attributes received and not share these attributes with other organizations without both the user’s and institution’s consent.
Attributes
The TDL specifies a set of attribute definitions to support basic attribute-based authorization. These attributes will be used to support the services provided within the TDL consortium.
Two levels of attributes exist: required and recommended. Identity providers must be able to supply every attribute marked as required to any member service provider that requests it.
Identity providers need not be able to supply all recommended attributes, but when they do supply one, its meaning must match the definition provided.
The list of attributes required by TDL service providers can be found on the TDL website at http://www.tdl.org/shibboleth.
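As an added illustration (not TDL's own code or its actual attribute list) of how a service provider can enforce the required/recommended distinction above: the Python check below validates the attributes one IdP released against a policy table and then performs the basic attribute-based authorization the section mentions. The attribute names (eduPerson-style), the scope values and the definitions in `POLICY` are assumed for the example; the authoritative TDL list is the one at http://www.tdl.org/shibboleth. The caveat it demonstrates is scope checking: a scoped value such as `faculty@some-scope` is only meaningful when the scope belongs to the IdP that asserted it.

```python
import re

SCOPED = re.compile(r"^[^@\s]+@([^@\s]+)$")  # value@scope, e.g. faculty@example-university.test


def _scoped(value, idp_scope):
    """A scoped value must carry the asserting IdP's own registered scope; otherwise one IdP
    could assert faculty@other-university.test and be authorized as that institution's faculty."""
    m = SCOPED.match(value)
    return bool(m) and m.group(1).lower() == idp_scope.lower()


def _mail(value, _scope):
    return re.fullmatch(r"[^@\s]+@[^@\s]+", value) is not None


def _nonempty(value, _scope):
    return bool(value.strip())


# Assumed policy for illustration: attribute name -> (level, definition check).
POLICY = {
    "eduPersonPrincipalName": ("required", _scoped),
    "mail": ("required", _mail),
    "eduPersonScopedAffiliation": ("recommended", _scoped),
    "displayName": ("recommended", _nonempty),
}


def check_release(attributes, idp_scope):
    """Validate one IdP's released attributes (name -> list of values) against POLICY.
    Returns (ok, problems, accepted); `accepted` holds only values that match their definition."""
    problems, accepted = [], {}
    for name, (level, valid) in POLICY.items():
        values = attributes.get(name, [])
        if not values:
            if level == "required":
                problems.append(f"missing required attribute {name}")
            continue  # recommended attributes may be absent
        good = [v for v in values if valid(v, idp_scope)]
        bad = [v for v in values if not valid(v, idp_scope)]
        if bad:
            problems.append(f"{name}: value(s) do not match definition: {bad}")
        if good:
            accepted[name] = good
        elif level == "required":
            problems.append(f"required attribute {name} has no valid value")
    return (not problems), problems, accepted


def authorized(attributes, idp_scope, allowed_affiliations=("faculty", "staff")):
    """Basic attribute-based authorization: the release must be clean (any malformed value is
    treated as a misconfigured IdP) and the user must hold an allowed affiliation at the
    asserting institution's own scope."""
    ok, _problems, accepted = check_release(attributes, idp_scope)
    if not ok:
        return False
    affiliations = {v.split("@", 1)[0].lower() for v in accepted.get("eduPersonScopedAffiliation", [])}
    return bool(affiliations & set(allowed_affiliations))


if __name__ == "__main__":
    # Constructed releases (assumed data), as an SP would see them after the IdP's response.
    faculty = {
        "eduPersonPrincipalName": ["jdoe@example-university.test"],
        "mail": ["jdoe@example-university.test"],
        "eduPersonScopedAffiliation": ["faculty@example-university.test"],
        "displayName": ["Jane Doe"],
    }
    foreign_scope = {
        "eduPersonPrincipalName": ["jdoe@example-university.test"],
        "eduPersonScopedAffiliation": ["staff@other-university.test"],
    }
    for label, release in (("faculty", faculty), ("foreign_scope", foreign_scope)):
        ok, problems, _ = check_release(release, "example-university.test")
        print(label, "ok" if ok else problems, "authorized:", authorized(release, "example-university.test"))
```

In a production Shibboleth SP this scope check is done by the attribute filter policy against the scopes published in federation metadata; the point of the model is that the check belongs at the SP, since the SP, not the federation, is the party making the authorization decision.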
Communication of Shibboleth Changes
Because of the distributed nature of Shibboleth, a change to any one part can affect how the entire system works. As a result, it is important that any time an identity provider manager at a member institution, or the service provider manager at TDL, makes a change to their Shibboleth instance, they communicate that change to the Federation. This includes changes to the attributes released by the identity provider (including changes to attribute scopes or certificates), and upgrades to a new version of Shibboleth.
To prevent problems, TDL encourages its members to communicate any changes they might make to Shibboleth to the LEARN Federation. To facilitate this communication, the TDL has set up a mailing list for identity provider managers to post questions, announce changes, and discuss other Shibboleth-related issues. The mailing list will be monitored by Paul Caskey of LEARN, as well as by technical personnel at the TDL.
Anyone interested in joining the TDL Shibboleth Users List can e-mail TDL at info@tdl.org.