Nice explanation of iTunes U authentication
I hope it helps others that may be stuck...it's in two parts, here it is:
iTunes U credentials are in the form of MACE URNs united to a "role". More on roles in a bit ...
Formally speaking, a URN is a URI and similar to a URL (a URL is also a URI). The main difference between a URN and a URL is that a URN "names" something within the web whereas a "URL" locates it. But the distinction that used to exist between a URL and URN is now a lot fuzzier than it once was. After all, URLs often do "name" things today ... and URNs often do contain the notion of "location" within them. But, for simplicity, think of a URN as a fancy way to "name something" on the web without necessarily locating it anywhere in particular. For example, you could have "color:red" ... or "suit:spades" ... these "names" wouldn't exist at any website ... they'd just be a common way of naming "things" within the web.
Technically speaking, a URN does not have to start with "urn" just as a URL does not have to start "url" ... a URN could start out like this: "isbn:" or "color:" just as a URL can start out "http:" or "ftp:". However, it's common to start out URNs with "urn:" ... that way, there's no confusion. After the "urn:" part, URNs follow the same rules for construction as any URI would. There's a whole RFC devoted to URI and URN formation.
MACE is the "middleware for education" initiative and is part of the Internet2 project. MACE has formally claimed a subset of the URN namespace. Again, there is a formal RFC that explains/refines MACE's URN subset rules. Apple, in turn, has claimed a subset of the MACE URN namespace ... specifically for use with iTunes U.
So you basically have this:
All possible URNs ---contains---> all MACE URNs ---contains---> all iTunes U URNs
This "containment" is shown in the form of every iTunes U credential. They all start out this way:
urn:mace:itunesu.com
In order to distinguish things you name at Connecticut College from staff I name at UIC, Apple adds a site subset to each URN:
urn:mace:itunesu.com:sites:conncoll.edu
urn:mace:itunesu.com:sites:uic.edu
Basically speaking, the powers that be outside Apple own this part of all iTunes U URNs:
urn:mace:itunesu.com
And Apple owns this part:
sites:conncoll.edu
sites:uic.edu
We own everything that goes after.
This "ownership" prevents any of us from naming things in such a way that we create any namespace conflicts. Anything after our site name is stuff that we ourselves own ... we can name things however we want (so long as we don't introduce any local namespace conflicts). What you do with your part of the URN namespace is only limited by your imagination.
So you could create URNs that look like this:
urn:mace:itunesu.com:sites:conncoll.edu:liberal-arts
urn:mace:itunesu.com:sites:conncoll.edu:liberal-arts:english
urn:mace:itunesu.com:sites:conncoll.edu:liberal-arts:english:101
urn:mace:itunesu.com:sites:conncoll.edu:liberal-arts:english:101:section-2
urn:mace:itunesu.com:sites:conncoll.edu:liberal-arts:english:101:section-2:seat-24
"In theory" you do not need the "urn:mace:itunesu.com:sites:conncoll.edu" part of the URN ... but if you omit it, you run the risk of a namespace conflict with some other site.
Also, as I'm sure you've noticed by now, the parts of the URN are separated by colons.
Okay, now onto roles ...
In iTunes U, a "credential" is the sum of a "role" and a "context". The context is given by the URN and the "role" is what a user of iTunes U assumes within that context. So you could have:
Instructor@urn:mace:itunesu.com:sites:conncoll.edu
-- an "instructor" within "Connecticut College"
Student@urn:mace:itunesu.com:sites:conncoll.edu:liberal-arts:english:101
-- a "student" within "English 101 at Connecticut College"
Dean@urn:mace:itunesu.com:sites:conncoll.edu:liberal-arts
-- the "dean" of "Liberal Arts at Connecticut College"
Again, "roles" are anything you can imagine. Apple does predefine some roles though ... there is the "Administrator" role, the "All" role, the "Authenticated" role, and the "Unauthenticated" role. Other than those roles, you can have whatever other roles you like. Roles are what makes sense to you and how you want Connecticut College's iTunes U access to work.
A "permission" in iTunes U is the sum of a credential plus an access level. Access levels are only defined by Apple. The three most commonly used access levels are "NO ACCESS", "DOWNLOAD", and "EDIT". When you give an access level to a credential, you are saying that someone holding that credential has that access (usually within the context described within the credential). For example, if you give Instructor@urn:mace:itunesu.com:sites:conncoll.edu "EDIT" access within a specific course, then any person holding that credential will be able to edit the course.
So, in summary, we've got this:
An iTunes U Permission = Credential + Access Level
Credential = Role + Context
A "Context" in iTunes U is given in the form of a MACE URN
A "MACE URN" is basically a name you want to assign some entity (a class, college, etc) at your school.
Intel XServe, Mac OS X (10.6.2)
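The Role@Context format described in the post above, as an added example that is not part of the original post and not Apple's code: a parser that splits a credential into role, site and site-owned segments, and compares contexts segment by segment so that one site's name cannot be mistaken for a prefix of another's. The names parse_credential, owned_by and within are hypothetical, the site conncoll.edu.example is constructed, and exact-case comparison is an assumption.

```python
from typing import NamedTuple, Tuple

# Fixed part of every iTunes U context, as given in the post.
APPLE_PREFIX = ("urn", "mace", "itunesu.com", "sites")
# Roles the post says Apple predefines; any other role is site-defined.
PREDEFINED_ROLES = {"Administrator", "All", "Authenticated", "Unauthenticated"}

class Credential(NamedTuple):
    role: str
    site: str                # the segment right after "sites"
    local: Tuple[str, ...]   # segments the site itself owns
    predefined: bool         # True if the role is one Apple predefines

def parse_credential(text: str) -> Credential:
    """Split 'Role@urn:mace:itunesu.com:sites:<site>[:...]' into its parts."""
    role, sep, context = text.partition("@")
    if not sep or not role:
        raise ValueError("expected Role@Context")
    parts = tuple(context.split(":"))
    if parts[:4] != APPLE_PREFIX or len(parts) < 5:
        raise ValueError("context is not under urn:mace:itunesu.com:sites")
    # Reject empty segments and segments containing whitespace.
    if any(not p or any(ch.isspace() for ch in p) for p in parts):
        raise ValueError("empty or whitespace-containing URN segment")
    return Credential(role, parts[4], parts[5:], role in PREDEFINED_ROLES)

def owned_by(cred: Credential, site: str) -> bool:
    """True only if the credential sits in exactly this site's namespace."""
    return cred.site == site

def within(inner: Credential, outer: Credential) -> bool:
    """True if inner's context is outer's context or nested below it.

    Compares whole colon-separated segments, never raw string prefixes,
    so 'conncoll.edu.example' is not treated as inside 'conncoll.edu'.
    """
    return (inner.site == outer.site
            and inner.local[:len(outer.local)] == outer.local)

if __name__ == "__main__":
    base = "urn:mace:itunesu.com:sites:conncoll.edu"
    student = parse_credential("Student@" + base + ":liberal-arts:english:101")
    dean = parse_credential("Dean@" + base + ":liberal-arts")
    print(student)
    print("student context inside dean context:", within(student, dean))
```
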