[Eril-l] Proquest EbookCentral, single signon, ezproxy - question about weird problem

Fri Oct 5 05:56:26 PDT 2018

Hi, all,

I don’t have great answers, but I have a couple of data points that might be relevant?

SSO configuration:

SSO (at least Shibboleth) can hand out a static identifier – the same one for the same user every time – or a random one, different every login.

When we (briefly) used Shib for PQEC, we were using a static one, and it creates an account. The user’s name might not be attached, but the account collecting all their individual activity together exists and persists.

It sounds almost like all of on-campus is using the same account, created by a static identifier that the SSO sends out for any on-campus connection???

So I guess my question is – is your SSO sending out static identifiers or random ones? (I don’t know what the fix would be in either case, but I suspect the difference matters.)

PQEC configuration:

There’s a setting that PQEC can enable – “anonymous access” – for on-campus use. It allows patrons to read the book online without having to log in at all. I think there’s a separate setting to also allow them to download chapter-level PDFs without login, except for non-linear licenses (where a download can trigger a purchase – so probably ATO licenses, too). Full-text DRM’d downloads also still require a login.

The catch, though, is that you won’t find it in the LibCentral settings yet; you have to pester your reps to do it for you, and back when we went through this a year or two ago, not all of the reps knew these settings even existed – or knew and assumed we already had them, and wondered what the heck we were complaining about. Our reps currently say PQ intends to make these options “more visible” through LibCentral in the future.

I don’t know if PQ can do this with an SSO configuration; we changed ours to IP-authentication before we started further messing around with the login settings.

I don’t really know if any of this is directly relevant or helpful, but I hope something among it helps.

Heather Shipman
E-book Acquisitions and Management Specialist
110 Olin Library, Cornell University
Heather.shipman at cornell.edu<mailto:Heather.shipman at cornell.edu>

From: Eril-l [mailto:eril-l-bounces at lists.eril-l.org] On Behalf Of Melissa Belvadi
Sent: Monday, October 01, 2018 10:14 AM
To: Fox, Linda J. <FoxLJ at umkc.edu>
Cc: eril-l <eril-l at lists.eril-l.org>
Subject: Re: [Eril-l] Proquest EbookCentral, single signon, ezproxy - question about weird problem

Hi, all, further update for anyone experiencing a similar problem with Proquest EbookCentral with Single Sign On.
I have both Proquest and Ezproxy support looking at this from both sides.
Two things I've learned so far:

1. The EbookCentral stanza in ezproxy config absolutely must come above any A, E, or I directives, which is unfortunate for those of us who are trying to keep a consistent layout to our configs with the stanzas in alpha order below the rest of the config settings.

2. It is apparently possible for Proquest to implement SSO incompletely so that it's partly SSO and partly patron login, which makes for a big mess that is only noticed if multiple patrons happen to notice they're getting the same hashed-username as other patrons. The overwhelming majority of patrons would likely never notice this because they aren't using any of the customization or download features that would make it apparent.

Melissa Belvadi
Collections Librarian
University of Prince Edward Island
mbelvadi at upei.ca<mailto:mbelvadi at upei.ca>  <http://www.google-analytics.com/collect?v=1&tid=UA-5663860-1&cid=109230&t=event&ec=email&ea=open&el=mbelvadi%40upei.ca&cs=newsletter&cm=email&cn=PLP>  902-566-0581
my public calendar<http://www.google.com/calendar/embed?src=mbelvadi%40upei.ca&ctz=America/Halifax&mode=week>
Make an appointment<https://mbelvadi.youcanbook.me/>

On Fri, Sep 28, 2018 at 5:26 PM, Fox, Linda J. <FoxLJ at umkc.edu<mailto:FoxLJ at umkc.edu>> wrote:
Probably.  I don’t have much to do with that end of things.  My understanding of how EZproxy works is rudimentary.

When you test with the unproxied URLs, are you being prompted to log in when you link to Ebook Central?  For us, it doesn’t make any difference whether we use proxied or unproxied URLs.  The behavior is the same.  Once you are automatically authenticated by EZproxy, you end up using that same hashed identity.

I did speak with the person who manages our proxy server.  He said that the only way to “fix” the problem and still use EZproxy is to require on campus users to log in just like remote users—for everything, not just Ebook Central.  That is something that we are not prepared to do at this time.  (He did mention one alternative: to set up a second proxy server just for Ebook Central.  The cost in dollars and in staff time to manage it means this is a non-starter.)

Linad

From: Melissa Belvadi <mbelvadi at upei.ca<mailto:mbelvadi at upei.ca>>
Sent: Friday, September 28, 2018 1:54 PM
To: Fox, Linda J. <FoxLJ at umkc.edu<mailto:FoxLJ at umkc.edu>>
Cc: eril-l <eril-l at lists.eril-l.org<mailto:eril-l at lists.eril-l.org>>
Subject: Re: [Eril-l] Proquest EbookCentral, single signon, ezproxy - question about weird problem

I'm guessing you are using the A directive in ezproxy to keep on-campus users proxied but without prompting?
We had some of that on, but turned it off for our Proquest EbookCentral stanza as part of testing this, and it didn't seem to have any effect.
Also we see the problem when we carefully text with completely unproxied URLs, so the proxy server stanza is playing no role at all, at least not in the first clicks - we have no idea what Proquest is saying/getting from our proxy server when they do their SSO thing.

Melissa Belvadi
Collections Librarian
University of Prince Edward Island
mbelvadi at upei.ca<mailto:mbelvadi at upei.ca>  <http://www.google-analytics.com/collect?v=1&tid=UA-5663860-1&cid=109230&t=event&ec=email&ea=open&el=mbelvadi%40upei.ca&cs=newsletter&cm=email&cn=PLP>  902-566-0581
my public calendar<http://www.google.com/calendar/embed?src=mbelvadi%40upei.ca&ctz=America/Halifax&mode=week>
Make an appointment<https://mbelvadi.youcanbook.me/>

On Fri, Sep 28, 2018 at 3:43 PM, Fox, Linda J. <FoxLJ at umkc.edu<mailto:FoxLJ at umkc.edu>> wrote:
Hi, Melissa,

We’re seeing a problem that sounds remarkably similar to what you describe.  We’ve harrowed it down to a specific circumstance.  Even though we don’t have to proxy the links to Ebook Central, we choose to do so for the sake of consistency.  We can reliably trigger this behavior if we are logged into our campus network.  We have configured EZproxy not to prompt for credentials when users are on the campus network because they have already authenticated at that point.  So if I follow a proxied link to another database, say Academic Search Complete, I’m automatically “logged in” to the proxy server.  If I then follow a link to Ebook Central, the proxy server “knows” that I’ve already authenticated, and doesn’t prompt me for my username and password.  It instead passes along some sort of generic username—and like you it always seems to be the same one.  If I actually log out of the proxy server and then link to the same ebook, I am prompted to log in, and the username is different.

We have been working with ProQuest on this for months, with no real progress.  I was just thinking about touching base with our EZproxy expert to where the ticket is.  If I learn anything more, I’ll pass it along.

Linda

Linda Fox
Senior Library Information Specialist
UMKC University Libraries
Miller Nichols Library Room 304<https://maps.google.com/?q=Room+304+%0D%0A800+E+51&entry=gmail&source=g>
800 E 51<https://maps.google.com/?q=800+E+51&entry=gmail&source=g>st Street
Kansas City, MO  64110
https://library.umkc.edu<https://library.umkc.edu/>
(816) 235-5290
fax: (816) 235-5531
foxlj at umkc.edu<mailto:foxlj at umkc.edu>

From: Eril-l <eril-l-bounces at lists.eril-l.org<mailto:eril-l-bounces at lists.eril-l.org>> On Behalf Of Melissa Belvadi
Sent: Friday, September 28, 2018 10:18 AM
To: eril-l <eril-l at lists.eril-l.org<mailto:eril-l at lists.eril-l.org>>
Subject: [Eril-l] Proquest EbookCentral, single signon, ezproxy - question about weird problem

Hi, I'm working with Proquest support on this but so far we're confused and I'm hoping someone else ran into this and found a solution.

This would only apply if you have Proquest Ebook Central configured to use their Single SignOn service.  That enables users on campus to get from our ezproxy server (without being bothered to login) a hashed identity code so they can use all of the interface features of someone with an account in the platform, without actually making one and revealing their identity.

What Proquest apparently does is talk to our proxy server, even when the link is not proxied and the user is on campus, to get that hashed identity code. The user is not prompted for a username/password in this, so I'm not sure how ezproxy could even be doing this.

We're finding that multiple users are getting the same hashed identity. The way this showed up is when one staff member used up most of the allocation of pages that could be downloaded, and another staff member on a different computer accessed the same book, they saw the allocation already used up.  They brought it to me, where I verified on my own computer in three different web browsers the same problem.  You can see the problem by looking in settings-profile and note the same hashed-garbage username in all of the affected sessions throughout all those different computers and browsers.

Have any of you seen this before and if so, did you find a solution short of abandoning the SSO service from Proquest?

Melissa Belvadi
Collections Librarian
University of Prince Edward Island
mbelvadi at upei.ca<mailto:mbelvadi at upei.ca> 902-566-0581
my public calendar<http://www.google.com/calendar/embed?src=mbelvadi%40upei.ca&ctz=America/Halifax&mode=week>
Make an appointment<https://mbelvadi.youcanbook.me/>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.eril-l.org/pipermail/eril-l-eril-l.org/attachments/20181005/a5f49e97/attachment-0001.html>