Fri, Nov 11, 2005
As we’re live through the Athens Shibboleth Gateway, we put a link to My Athens in our development CLAN and started testing the gateway. In principle, it’s a great idea, using your UHI Identity to authenticate to Athens resources. Too good to be true? Unfortunately yes. Here’s what we found.
List of resources via My Athens
Going to the My Athens site, you have the main classic Athens login box displayed prominently on the page. It’s not obvious how you get in with your UHI Identity. To do so, you have to pretend you’ve forgotten your Athens account details and click on the Athens organisation list link. Then you must search for your institution and then be redirected to your IdP. Logging in at your IdP then displays the list of resources you can access.
Summary Once you’ve found your institution and authenticated at your IdP, you’re then redirected seamlessly to the list of resources. However, it’s not obvious how you search in the first place. There’s no information on the My Athens page on how to use the gateway.
List of resources directly through the gateway
In this scenario, it’s possible to construct a URL that contains the UHI providerId and go straight through the gateway to the list of resources. However, if the cookie isn’t set, you end up at a dead end page telling you that you’ve just been identified as coming from UHI and nothing else. You then have to repeat the process, which then bypasses the dead end page as the cookie is set. You then go to your IdP and authenticate and see the list of resources.
Summary A definite non-starter due to the dead end page. If the cookie isn’t set, a user will be led down the path to the resource list and dumped in the middle of electronic nowhere.
Linking directly to individual Athens resources
This is a good way to get to a resource without being trapped by the dead end page. It involves a user-unfriendly URL so we provide a redirection service that takes the resource code and constructs the big URL on the fly. This works well.
Summary The easiest way to access an Athens resource through the gateway, though providing a redirection service for staff to construct user friendly URLs is advised.
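A sketch of such a redirection service, added here as an illustration and not the code we run: it accepts only known resource codes and builds the long URL from a fixed template, so the short link cannot be turned into a redirect to an arbitrary site. The gateway base URL, the providerId value, the query parameter names, the `/go/` path and the resource codes are all assumed placeholders, since the real gateway URL format is not given in this post.

```python
import re
from urllib.parse import urlencode

# Assumed placeholders: the real gateway URL format is not shown in the post.
GATEWAY_BASE = "https://gateway.example.invalid/resource"
PROVIDER_ID = "urn:example:idp:placeholder"  # stands in for the UHI providerId

# Constructed sample allow-list of resource codes staff may link to.
KNOWN_RESOURCES = {"jrnl1": "Example Journals", "dbase2": "Example Database"}

_CODE_RE = re.compile(r"[a-z0-9]{1,32}")


def build_gateway_url(resource_code):
    """Build the long gateway URL for a short resource code.

    The code is normalised, checked against a strict pattern and then
    against the allow-list; nothing from the request reaches the scheme,
    host or path of the redirect target.
    """
    code = resource_code.strip().lower()
    if not _CODE_RE.fullmatch(code) or code not in KNOWN_RESOURCES:
        raise ValueError("unknown resource code")
    query = urlencode({"providerId": PROVIDER_ID, "resource": code})
    return f"{GATEWAY_BASE}?{query}"


def handle_request(path):
    """Map a friendly path such as /go/jrnl1 to (status, headers)."""
    prefix = "/go/"
    if not path.startswith(prefix):
        return 404, {}
    try:
        location = build_gateway_url(path[len(prefix):])
    except ValueError:
        # Unknown or malformed codes get a 404, never a redirect.
        return 404, {}
    return 302, {"Location": location}


if __name__ == "__main__":
    for p in ("/go/jrnl1", "/go/JRNL1", "/go/unknown", "/go///other.example/x"):
        print(p, handle_request(p))
```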
The Cookie Problem
Although we can access resources via the gateway, doing so then stops one accessing resources via classic Athens authentication. So all those resources you pay for but are not gateway enabled are inaccessible to a user who has previously accessed a gateway enabled resource, as the cookie will be set on their machine. The only workaround is to delete the cookie, which isn’t an acceptable solution for end users.
Summary It’s a showstopper for us.
So, what are our conclusions? We can live with linking to resources directly but the cookie problem means we can’t offer this as a production service. The word on the street is it will probably be a temporary issue as more and more resources are gateway enabled. However, I think it’ll be a problem for a long time yet as even some of our resources which are advertised as gateway enabled and are visible in the list of resources through the gateway, are not in fact gateway enabled. More confusion for our users.
Local authentication is definitely the way ahead though and we await developments at Eduserv with bated breath.