You have two ways to get access to bibliographical databases via FedAuthn:
- look for the paper you want to read/download on the UniCA Libraries webpage by clicking on UniCASearch; as soon as you have found your paper, click on “Available services” to get the list of sites from which you can download/access it (obviously, if you’re connected to the UniCA wired or wifi network you’ll be recognized by IP and you can download/read it in full text just by clicking on the “Read in PDF” link). If you aren’t connected to the UniCA network, you must log in to the site hosting your paper via Federated Authentication (usually shown as “Institutional login” or “Shibboleth login”). You must choose IDEM-GARR in the Federations list (if any) or directly Cagliari University in the Universities list, and you’ll be redirected to our Shibboleth authn page, where you must log in using your UniCA credentials. After a successful login, you’ll be redirected to the requested publication with download/read in full text permissions, even if your IP address isn’t in the UniCA network range;
- if you already know in which bibliographical database your publication is stored, go to the Servizi IDEM page on this site (it is in Italian, but it actually contains just a list of links) and from there click on the link to the requested bibliographical database; usually you’ll get its Federated Authentication login page, and then you can proceed as described in the previous step (looking for UniCA in the Universities list and so on …).
You can find more information and examples on the IDEM Howto page on this site (in Italian). If needed, you can contact us by writing to idem-help AT unica.it or idem-help-studenti AT unica.it (if you’re a student).
About user attributes
Another feature that most services take advantage of when using Shibboleth is the ability to receive data about the user from the Identity Provider. This data, known as user attributes, can be anything that the Identity Provider knows about the user and that may be helpful to the Service Provider.
The ability to preserve a user’s privacy is a principal concern within all Shibboleth products. Both the Identity Provider and Service Provider allow the deployer to set attribute filter policies to address these concerns. Within the Identity Provider this policy controls which attributes will be released to which Service Providers, whilst within the Service Provider this policy controls what information will be accepted from which Identity Providers.
Users access the IdP with their Active Directory (u-gov/IRIS/esse3) credentials, so sharing credentials is strictly forbidden, on pain of attribute revocation and userid locking, up to userid revocation.
UniCA’s IdP may release the following attributes to SPs (each SP gets either all of them or just a restricted set, the minimum set being composed of mail, ePTID and ePSA):
| Attribute | Description | Notes |
|---|---|---|
| givenName | user’s first name | |
| mail | user’s mail address | |
| telephoneNumber | user’s telephone number (if exists) | see (1) |
| employeeNumber | user’s matriculation number | see (2) |
| preferredLanguage | user’s preferred or mother language | |
| eduPersonEntitlement | special entitlement needed for some services | see (3) |
| eduPersonPrincipalName | scoped attribute from userID | see (4) |
| eduPersonAffiliation | user’s affiliation degree within his organization | see (5) |
| eduPersonScopedAffiliation | scoped attribute from ePA above | see (4) |
| eduPersonTargetedID | special attribute needed to manage sessions anonymously | see (6) |
| schacHomeOrganization | user’s organization scoped attribute | |
| schacHomeOrganizationType | user’s organization type | |
| l | (localityName) user’s place of residence | see (7) |
| st | (stateOrProvinceName) user’s province of residence | see (7) |
| c | (country) user’s country of residence | |
(1) The phone number is mandatory for some SPs (mostly library services such as Nilde).
(2) Not yet implemented.
(3) Depending on the requested services: we implement library-dedicated entitlements, Moodle-dedicated entitlements and other ones.
(4) Scoped attributes are derived from non-scoped ones by adding the domain part.
(5) The affiliation attribute has 4 degrees:
| Affiliation | Who gets it |
|---|---|
| Member – Staff | teaching staff, technical staff, librarians, clericals, emeriti (the latter getting member, staff, emeritus as values instead of member, staff) |
| Member – Student | students |
| Affiliate | Visiting Professors and so on |
| Alum (not yet implemented) | alumni |
(6) ePTID is a stored attribute that allows anonymous sessions; it is created directly by Shibboleth by means of a random string generating algorithm (value = IdPNameQualifier!SPNameQualifier!opaqueString). For example, we could have the following value for ePTID: https://idp.unica.it/idp/shibboleth!https://sp2-test.garr.it/shibboleth!2YNU7YCQnZw1yh9cBSm0H2e8Yjs=
(7) l and st are mandatory for accessing Moodle; the l and st attributes aren’t implemented on the Oracle db for foreign students.
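
An added example (not UniCA's or Shibboleth's own code) of the release logic described above: scoped attributes are derived by appending a domain part, affiliation values follow note (5), and each SP receives only the minimum set plus what it is explicitly allowed. The scope unica.it, the SP entityIDs and the sample user are assumptions made for illustration.

```python
SCOPE = "unica.it"  # assumed domain part for scoped attributes, see note (4)

# eduPersonAffiliation values per user category, as in note (5)
AFFILIATION = {
    "staff": ["member", "staff"],
    "emeritus": ["member", "staff", "emeritus"],
    "student": ["member", "student"],
    "affiliate": ["affiliate"],
}

# Minimum set named on the page: mail, ePTID, ePSA
MINIMUM_SET = {"mail", "eduPersonTargetedID", "eduPersonScopedAffiliation"}

# Hypothetical SP entityIDs with the extra attributes notes (1) and (7) call for
MOODLE = "https://moodle.example.org/shibboleth"
LIBRARY = "https://library.example.org/shibboleth"
EXTRA = {MOODLE: {"l", "st"}, LIBRARY: {"telephoneNumber"}}

# Constructed sample user; the ePTID is the sample value shown in note (6)
SAMPLE_USER = {
    "uid": "jdoe", "category": "emeritus",
    "directory": {
        "givenName": "Jane", "mail": "jdoe@example.org", "telephoneNumber": "",
        "l": "Cagliari", "st": "CA",
        "eduPersonTargetedID": "https://idp.unica.it/idp/shibboleth!"
            "https://sp2-test.garr.it/shibboleth!2YNU7YCQnZw1yh9cBSm0H2e8Yjs=",
    },
}

def resolve_attributes(user):
    """Build the full attribute set, deriving the scoped attributes."""
    attrs = dict(user["directory"])
    aff = AFFILIATION[user["category"]]
    attrs["eduPersonAffiliation"] = aff
    attrs["eduPersonScopedAffiliation"] = [f"{a}@{SCOPE}" for a in aff]
    attrs["eduPersonPrincipalName"] = f"{user['uid']}@{SCOPE}"
    return attrs

def release(attrs, sp_entity_id):
    """Deny by default: unknown SPs get the minimum set only; empty values
    (e.g. a missing phone number) are never released."""
    allowed = MINIMUM_SET | EXTRA.get(sp_entity_id, set())
    return {k: v for k, v in attrs.items() if k in allowed and v}

if __name__ == "__main__":
    full = resolve_attributes(SAMPLE_USER)
    for sp in (MOODLE, LIBRARY, "https://unknown.example.org/shibboleth"):
        print(sp, sorted(release(full, sp)))
```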
Starting from IdP version 3 (October 2016), some user data are stored in the IdP itself, instead of being calculated each time; in detail, they are:
localEntity –> IdP entityID
peerEntity –> SP entityID
persistentId –> calculated as localEntity!peerEntity!opaquestring (e.g.: https://idp3.unica.it/idp/shibboleth!https://sp.unica.it/shibboleth!FXvsCKPDyhfP3+6K2O0XGNtRVaM=)
principalName –> see table above
localId –> userid with which the user logged into the IdP
peerProvidedId –> userid provided by the SP (if any, otherwise NULL)
creationDate –> record creation Unix-date (msec)
deactivationDate –> uid deactivation Unix-date (msec; in this case, NULL)
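
The stored record described above, and the ePTID format in note (6), sketched as an added example (not the IdP's own code or schema): a persistentId is split into its three parts and mapped back to a localId only for the SP it was issued to and only while deactivationDate is NULL. The table name stored_ids, the localId jdoe, the dates and the second row are constructed; the entityIDs and the first opaque string are the sample values from this page.

```python
import sqlite3

IDP = "https://idp3.unica.it/idp/shibboleth"    # localEntity (sample from the page)
SP = "https://sp.unica.it/shibboleth"           # peerEntity (sample from the page)
OTHER_SP = "https://sp2-test.garr.it/shibboleth"
PID = IDP + "!" + SP + "!FXvsCKPDyhfP3+6K2O0XGNtRVaM="
OLD_PID = IDP + "!" + OTHER_SP + "!Y29uc3RydWN0ZWQ="  # constructed opaque string

def split_persistent_id(value):
    """Return (idp, sp, opaque) or raise ValueError on a malformed value."""
    parts = value.split("!")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected localEntity!peerEntity!opaqueString")
    return tuple(parts)

def open_store():
    """In-memory table with the fields listed above; both rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE stored_ids (
        localEntity TEXT, peerEntity TEXT, persistentId TEXT, principalName TEXT,
        localId TEXT, peerProvidedId TEXT, creationDate INTEGER,
        deactivationDate INTEGER)""")
    db.executemany("INSERT INTO stored_ids VALUES (?,?,?,?,?,?,?,?)", [
        (IDP, SP, PID, "jdoe", "jdoe", None, 1477000000000, None),
        (IDP, OTHER_SP, OLD_PID, "jdoe", "jdoe", None, 1477000000000, 1480000000000),
    ])
    return db

def resolve_local_id(db, value, requesting_sp):
    """Map a persistentId back to localId, only for the SP it was issued to
    and only while the record is active (deactivationDate IS NULL)."""
    idp, sp, _opaque = split_persistent_id(value)
    if idp != IDP or sp != requesting_sp:
        return None  # issued by another IdP, or targeted at a different SP
    row = db.execute(
        "SELECT localId FROM stored_ids WHERE localEntity=? AND peerEntity=? "
        "AND persistentId=? AND deactivationDate IS NULL",
        (idp, sp, value)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = open_store()
    print(resolve_local_id(db, PID, SP))            # active record
    print(resolve_local_id(db, PID, OTHER_SP))      # wrong SP
    print(resolve_local_id(db, OLD_PID, OTHER_SP))  # deactivated record
```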