[Eril-l] Switching from EZ proxy to Shibboleth/Open Athens/SAML Where do I begin?

Heather Shipman heather.shipman at cornell.edu
Fri Nov 3 06:27:26 PDT 2017

Hi, all,

I’m also interested in Kathleen’s question about opaque identifiers. Really, really, really interested.

We’ve discovered that our Shibboleth (configured by central campus IT, many years ago and without input from the library) is sending vendors personally identifying information, including to InCommon, which we think means any platform using InCommon to authenticate via Shibboleth would get PI info. We’ve already caught one platform associating usernames with usage data, though I don’t think they realized that the SSO “usernames” were identifying.

We intend to seal this privacy hole in our Shib, but since it’s been around so long, we expect there to be a lot of cleanup to do.

I’d like to hear how other institutions have solved this problem, or related ones – particularly as more and more organizations are talking about how great it would be to switch from proxy to Shibboleth. This privacy leak really worries us. And I’d love to hear from platforms who support opaque identifiers on how this works on their side, so we can work the problem from both ends.

On a related note – I’ve heard a lot of people respond to questions about privacy with something about great security. (I don’t mean to point a finger at you, Jean – this comes up in almost every privacy conversation I’ve ever had with people outside our core e-resources unit, even some of our own higher-ups.) I think we need to push back against the common conflation of security with privacy – they’re not the same. It’s easy to securely send private information; that’s why security exists. It’s the existence of that private information, and it being collected and sent to begin with, that we need to hammer more on. “We have good security” is not a sufficient privacy policy.

Heather Shipman
E-book Acquisitions and Management Specialist
110 Olin Library, Cornell University
Heather.shipman at cornell.edu
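An added illustration of the two release policies discussed in this thread (this is example code written for the thread, not code from any poster, from Cornell or Michigan, or from the Shibboleth project itself). It contrasts an identifying release (username and mail go to the vendor) with an opaque, per-service identifier, and checks the two properties that matter for privacy: nothing released names the person, and two vendors cannot match their usage logs on a shared value. The derivation of the opaque ID follows the shape of the Shibboleth IdP "ComputedId" scheme (SHA-1 over the SP entityID, the user's internal ID and a secret salt, Base64 encoded); the exact byte layout, the attribute names, the vendor entityIDs, the user record and the salt are all assumptions constructed for the example.

```python
"""Identifying vs. opaque (pairwise) attribute release, as an added example.

Not Shibboleth's own code: the pairwise_id derivation only mirrors the shape
of the IdP ComputedId connector (SHA-1 over entityID!sourceID!salt, Base64).
All users, vendors and the salt below are constructed for illustration.
"""
import base64
import hashlib

# Constructed sample: one campus user as the IdP knows them.
USER = {
    "uid": "hs123",
    "mail": "hs123@example.edu",
    "displayName": "H. Shipman",
    "eduPersonScopedAffiliation": "member@example.edu",
}

# Constructed SP entityIDs for two e-resource vendors.
VENDOR_A = "https://sp.vendor-a.example/shibboleth"
VENDOR_B = "https://sp.vendor-b.example/shibboleth"

# Secret known only to the IdP (assumed value). Rotating it re-keys every ID.
SALT = b"long-random-idp-secret"

# Attributes that identify a person if released (assumed list, not exhaustive).
IDENTIFYING_ATTRS = {"uid", "mail", "displayName", "eduPersonPrincipalName",
                     "givenName", "sn"}


def pairwise_id(sp_entity_id: str, source_id: str, salt: bytes = SALT) -> str:
    """Opaque ID: stable for one user at one SP, different at every other SP.

    Shape borrowed from the ComputedId scheme: SHA-1(entityID!sourceID!salt),
    Base64 encoded. The SP can recognise a returning user but cannot recover
    the uid and cannot share the value with another SP to join usage logs.
    """
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


def release_identifying(user: dict, sp_entity_id: str) -> dict:
    """The leaky policy the thread describes: username and mail go out."""
    return {k: user[k] for k in
            ("uid", "mail", "displayName", "eduPersonScopedAffiliation")}


def release_opaque(user: dict, sp_entity_id: str) -> dict:
    """Privacy-preserving policy: affiliation (what the licence check needs)
    plus an opaque per-SP identifier. Nothing here names the person."""
    return {
        "eduPersonScopedAffiliation": user["eduPersonScopedAffiliation"],
        "eduPersonTargetedID": pairwise_id(sp_entity_id, user["uid"]),
    }


def leaks_pii(released: dict) -> set:
    """Names of released attributes that identify a person."""
    return IDENTIFYING_ATTRS & set(released)


def identifier_values(released: dict) -> set:
    """Per-user values in a release (identifying attrs plus the opaque ID).
    Affiliation is excluded: it is shared by the whole campus population."""
    per_user = IDENTIFYING_ATTRS | {"eduPersonTargetedID"}
    return {v for k, v in released.items() if k in per_user}


def vendors_can_correlate(user: dict, policy) -> bool:
    """True if vendors A and B receive any common per-user value for this
    user, i.e. could match their usage records by comparing logs."""
    a = identifier_values(policy(user, VENDOR_A))
    b = identifier_values(policy(user, VENDOR_B))
    return bool(a & b)


if __name__ == "__main__":
    for name, policy in (("identifying", release_identifying),
                         ("opaque", release_opaque)):
        print(f"{name}: vendor A sees {policy(USER, VENDOR_A)}")
        print(f"  identifying attrs released: {sorted(leaks_pii(policy(USER, VENDOR_A)))}")
        print(f"  A and B can correlate:      {vendors_can_correlate(USER, policy)}")
```

Two things the example makes visible that the discussion alone does not: first, the opaque ID is still persistent per vendor, so a platform can tie usage data to it over time; the policy only stops that data from being tied to a named person or joined across vendors. Second, the leak is entirely a release-policy question. In a Shibboleth IdP the equivalent controls are the attribute-filter policy (which attributes go to which SP entityID) and the data connector or SAML 2 persistent NameID configuration that generates the pairwise value, so the check to run against an existing deployment is to list exactly what the filter releases for each vendor's entityID. For a new design, a keyed HMAC over the same inputs would be the stronger choice than salted SHA-1; the SHA-1 form is used here only to match the scheme the thread's software actually uses.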

From: Eril-l [mailto:eril-l-bounces at lists.eril-l.org] On Behalf Of Sibley, Jean J
Sent: Friday, November 03, 2017 8:12 AM
To: Kathleen Folger <kfolger at umich.edu>
Cc: Dodson Donna <ddodson at mountida.edu>; eril-l at lists.eril-l.org
Subject: Re: [Eril-l] Switching from EZ proxy to Shibboleth/Open Athens/SAML Where do I begin?

Hi Kathleen, Our Shibboleth authentication is a single sign-on (username and password) through our CAS (Central Authentication Service). This is a secure service. I’m not sure which identifier each vendor supports. Each of them was willing to work with us. Sounds like you will need to get your IT department involved. – Good luck! Jean

From: Kathleen Folger [mailto:kfolger at umich.edu]
Sent: Thursday, November 2, 2017 6:14 PM
To: Sibley, Jean J <bjsibley at wm.edu>
Cc: Dodson Donna <ddodson at mountida.edu>; eril-l at lists.eril-l.org
Subject: Re: [Eril-l] Switching from EZ proxy to Shibboleth/Open Athens/SAML Where do I begin?

Hi Jean,

Were you able to set up Shibboleth authentication using an opaque identifier so there's no release of personally identifiable information? If so, do you know which identifier each of the vendors you mentioned supports?

We've run into an issue recently with our campus IT department not supporting the opaque identifier that another vendor said was the only one they supported. I'm trying to get a sense of what identifiers are most commonly supported by the library vendor community to make sure our campus IT department will support it. Thanks!


Kathleen M. Folger, Electronic Resources Officer
University of Michigan Library
312 Hatcher North
Ann Arbor, MI 48109-1190
V:(734) 764-9375
F:(734) 764-0259
kfolger at umich.edu

My pronouns are she, her, hers – what are yours?

On Thu, Nov 2, 2017 at 3:09 PM, Sibley, Jean J <bjsibley at wm.edu> wrote:
Hi Donna, We recently switched from EZProxy to Shibboleth for over 200 databases from our major vendors – Ebsco, Gale, and ProQuest.

I started out working with our IT department – but once you learn what parameters are needed it’s pretty straightforward. Some vendors let you do it yourself through the vendor’s administrator module. For some, you can email support and fill out a form. Basically, you need to know your institution’s IDP entity ID, federation, and scope.

Also, the URLs for your resources need to be changed to remove your proxy prefix and/or sometimes append shibboleth and an account ID. I learned the hard way on this and had to re-do over a hundred URLs.

In the long run it has greatly improved our off-campus access to resources. And no more Oops! errors. So when we go to buy a new product, one of the first things I ask is if they can be Shibboleth-authenticated – since many resources don’t play nice with EZProxy – and the stanzas change all the time.

Good luck! – Jean

Jean Sibley
Serials & Electronic Resources Librarian
William & Mary Libraries | The College of William and Mary
P: 757.221.3103 | E: bjsibley at wm.edu

From: Eril-l [mailto:eril-l-bounces at lists.eril-l.org] On Behalf Of Dodson Donna
Sent: Thursday, November 2, 2017 2:16 PM
To: eril-l at lists.eril-l.org
Subject: [Eril-l] Switching from EZ proxy to Shibboleth/Open Athens/SAML Where do I begin?


I am in the process of researching authentication methods for our students and faculty who use our databases and ejournals on and off campus. We currently have a library consortium managed EZ Proxy but our director would like to switch to something in-house that we could manage. We fear that the EZ proxy is often serving as a barrier to the information resources we strive to make accessible to our community. Has anyone made the transition from EZ Proxy to Shibboleth/Open Athens/SAML? I would love to hear more about the process and the details- what are the new products we need to buy? Do you have preferred vendors for these new products? Did you have to work with your IT department or is it something you did yourself? Any and all comments are welcome.

Thanks in Advance!

-Donna Dodson

Donna Dodson
Electronic Resources Coordinator
Department of Instructional Technology and Learning Resources
Wadsworth Library

Mount Ida College
777 Dedham Street
Newton, MA  02459
T (617) 928-4010
E ddodson at mountida.edu

Eril-l mailing list
Eril-l at lists.eril-l.org
