Phase 1 -- Understanding the Problem
Use Cases and Technology Recommendations
Focus: InC-Library was formed by a group of institutions willing to examine issues relating to access to protected library resources. The focus was to improve access to licensed electronic resources, identify user scenarios, document business-practice and technology issues, and test proposed solutions.
The collaboration developed use cases for deploying Shibboleth, a single sign-on and federating software, for accessing protected library resources, with a particular interest in accommodating various user groups -- students, faculty and staff, walk-in library users -- as well as methods for providing remote access for users with university credentials.
Technologies: The collaboration explored federated access to protected library resources using Shibboleth directly, and through a Shibboleth-enabled rewrite proxy (EZProxy or WebVPN).
- Shibboleth is attractive because it leverages the university's existing identity database, protects user privacy, and provides fine-grained access control to protected content, depending on the vendor's license with the university. Shibboleth also provides single sign-on access to internal campus and library resources.
- Libraries are concerned, however, about the different experience on-campus and off-campus users see, about walk-in users who have no SSO account, and about how to integrate any existing library patron databases.
- EZProxy provides a solution for off-campus access to resources and is widely used for remote access. One benefit of using EZProxy is the ability to integrate Shibboleth and single sign-on authentication.
- WebVPN is being used by UC-San Diego as a rewrite proxy, but this technology is not as widely used as EZProxy and is more expensive.
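The hybrid setup the list above describes, as an added example and not configuration taken from any of the collaboration's campuses: the EZProxy user.txt and config.txt fragments that hand the login to a campus Shibboleth IdP and then use one released attribute to decide which resource groups the session may reach. The IdP entityID, affiliation values, group names and resource URLs are assumptions; directive syntax follows OCLC's EZProxy documentation, which remains authoritative for your version.

```text
# user.txt -- authenticate against the campus IdP, then map a released
# attribute to EZProxy groups (constructed example; entityIDs are assumed)
::Shibboleth
IDP21 https://idp.example.edu/idp/shibboleth
# the IdP asserts eduPersonScopedAffiliation; EZProxy never sees a password
If auth:eduPersonScopedAffiliation eq "member@example.edu"; Group Default
If auth:eduPersonScopedAffiliation eq "faculty@example.edu"; Group Default+Premium
# alumni keep a campus login but fall outside the licence terms
If auth:eduPersonScopedAffiliation eq "alum@example.edu"; Deny alumni.htm
/Shibboleth

# config.txt -- resource stanzas scoped by group
# (a ShibbolethMetadata directive registers EZProxy as an SP; see OCLC docs)
Group Default
Title Example Journals (licensed for all members)
URL https://journals.example.com
DJ journals.example.com

Group Premium
Title Example Premium Database (faculty licence only)
URL https://premium.example.com
DJ premium.example.com
```

The authorization decision lives entirely in the attribute the IdP releases, so when a user leaves the institution the IdP stops asserting the affiliation and access ends without any change at EZProxy or the vendor; that is the "authoritative validation" the benefits list below refers to.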
Benefits: The Shibboleth/EZProxy (SSO-enabled rewrite proxy) solution offers benefits to
- users -- single userID and password.
- librarians -- reduced cost and support, with far less IP-range and proxy maintenance. It also permits roll-out of additional Shibboleth-enabled resources while keeping the user experience consistent.
- library administration -- providing central usage statistics.
- vendors -- no password information to maintain (since Shibboleth relies on the university's identity management system), authoritative validation of a user's current affiliation, and quick breach investigation through the institution.
For a comprehensive overview of issues, scenarios and proposed solutions, please see this summary presentation about the collaborative's work [PDF].
Result: The pilot enumerated basic use cases, identified barriers to library adoption, tested the feasibility of various solutions, and tested the hybrid solution on different campuses with several vendors.
- Users moving between two campuses (in one university system) -- Cornell
- Serving off-campus library users -- Cornell
- Implementing EZProxy and using it with Shibboleth -- University of California-San Diego
- Migrating to EZProxy and integrating with Shibboleth (moving away from IP-based authentication) -- University of Chicago
- Accommodating Walk-Up Users with Location-Based Authentication -- University of Washington
- Testing EZProxy workflow with EBSCO interface and Shibboleth SessionInitiators -- University of Maryland
- Campus experiences with EZProxy
A list of presentations and abstracts, with links to the presentation files, can be found here.
What is Shibboleth
Shibboleth is an open-source, standards-based single sign-on technology. Shibboleth provides the ability to access both campus and external applications using the local identity management system. The institution sends the resource a pseudonymous identifier that is opaque and specific to that service, so the vendor can recognize a returning user without learning who they are or correlating them with another vendor's users, while access is granted on criteria held at the institution (affiliation, for example). Keeping authentication at the institution gives vendors a more reliable picture of whether a user is still affiliated, removes the need for the vendor to maintain passwords, and removes the need for the user to keep multiple passwords. For more information on Shibboleth, please see the Shibboleth web page at http://shibboleth.internet2.edu/
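The identifier and attribute-release behaviour described above, as an added example written for this page rather than code from the Shibboleth project: a per-service pseudonymous identifier modelled on the Shibboleth IdP's computed persistent ID (SHA-1 over relyingPartyId, sourceId and a secret salt, base64-encoded), alongside a per-vendor release policy so each vendor receives only the attributes its licence needs. The entityIDs, the directory entry, the salt and the policy table are constructed; a real IdP builds the targeted ID as a SAML NameID with qualifiers, which this sketch omits.

```python
import base64
import hashlib

# Constructed sample data (not from the page): a secret, stable salt held only
# by the IdP, two licensed vendors, and one directory entry.
IDP_SALT = b"constructed-secret-salt-changing-it-changes-every-identifier"

VENDOR_A = "https://vendor-a.example.com/shibboleth"
VENDOR_B = "https://vendor-b.example.com/shibboleth"

USER = {
    "uid": "jdoe",                      # campus NetID; never released to vendors
    "mail": "jdoe@example.edu",
    "eduPersonScopedAffiliation": "student@example.edu",
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
}

# Per-vendor release policy: the minimum the licence requires (assumed values).
RELEASE_POLICY = {
    VENDOR_A: {"eduPersonScopedAffiliation"},
    VENDOR_B: {"eduPersonScopedAffiliation", "eduPersonEntitlement"},
}


def computed_id(relying_party_id: str, source_id: str, salt: bytes = IDP_SALT) -> str:
    """Pairwise pseudonymous identifier modelled on the Shibboleth IdP's
    computed persistent ID: base64(SHA-1(relyingPartyId + "!" + sourceId + "!" + salt)).
    Stable for one user at one service; unrelated across services. The salt
    must stay secret, because NetIDs are guessable and a vendor holding the
    salt could reverse the mapping by brute force."""
    h = hashlib.sha1()
    h.update(relying_party_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_id.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


def release(sp_entity_id: str, user: dict) -> dict:
    """Attribute set the IdP asserts to one SP: the pairwise identifier plus
    only the attributes the release policy allows for that SP."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    asserted = {k: v for k, v in user.items() if k in allowed}
    asserted["eduPersonTargetedID"] = computed_id(sp_entity_id, user["uid"])
    return asserted


def linkable(user: dict, sp_one: str, sp_two: str) -> bool:
    """True if two vendors could join their logs on the identifier alone."""
    return computed_id(sp_one, user["uid"]) == computed_id(sp_two, user["uid"])


if __name__ == "__main__":
    for sp in (VENDOR_A, VENDOR_B):
        print(sp, release(sp, USER))
    print("linkable across vendors:", linkable(USER, VENDOR_A, VENDOR_B))
```

Running it shows the two vendors receive different identifiers for the same student, neither receives the NetID or e-mail address, and only the vendor whose licence checks entitlements receives the entitlement value.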
Resource/Service Providers active in other federations: This is a good place to start when looking for vendors that already run Shibboleth.
Joining a Federation
Federations give member institutions and vendors a shared standard for which Shibboleth attributes are exchanged and how they are named, along with the shared metadata through which members trust one another's identity and service providers. This saves time in the vendor negotiation process, as the attributes are agreed upon once by the federation members rather than per contract.
- InCommon: http://www.incommonfederation.org/
- JISC: http://www.jisc.ac.uk/federation
- Australian Access Federation: http://www.aaf.edu.au
- Canadian Federation: http://wiki.its.queensu.ca/display/heidm/Canadian+Identity+Management+Federation+%28CIMF%29
Conference Call Minutes
If you are interested in the background of InC-Library, you are welcome to peruse the Conference Call Minutes.