[Eril-l] Microsoft Azure & Open Athens
Electronic Resources in Libraries discussion list
eril-l at lists.eril-l.org
Thu May 25 15:54:34 PDT 2023
Hi Dana
I strongly recommend that you keep OpenAthens. To explain why I recommend keeping OpenAthens, I will try to describe SAML-based access and the roles of Azure and OpenAthens. I’ve attached slides from a presentation Adam Traub and I gave back in 2015 that illustrate some of the SAML authentication concepts and also depict some of the complications you’ll face if you stop using OpenAthens but continue to use SAML directly between your Azure and the various library content vendors.
The tl;dr version: OpenAthens does all the work of creating and maintaining the connectors to hundreds of library content vendors. Without a service like OpenAthens, you will be faced with trying to create connections to each vendor, and usually, it has to be done by campus IT. It is a LOT of work, yields inconsistent results, and you will still need a proxy service.
The long-winded explanation:
It is useful to think about Authentication and Authorization as separate steps in granting access. A user must be able to confirm their identity (authentication) to an Identity Provider (IdP), usually by entering a valid username/password combo. Once a user’s identity is confirmed by the identity provider, it sends some data about the user (attributes such as “this person is a valid member of the university, is a student,” and so on) to the service provider (SP). Based on the supplied user attributes, the service provider determines whether the user qualifies for access (authorization).
For example, here is how an OpenAthens supported login might work at UCF:
A user clicks on a LibGuide link to JSTOR. The link includes the OpenAthens redirector, which includes a string that identifies the university (UCF). OpenAthens sees the incoming request, sees that the desired service is for JSTOR, and sees the identifier for UCF. We’ve already set up OpenAthens in advance to know which resources to allow (including JSTOR) and how to connect to UCF’s Identity Provider (we use Azure). OpenAthens directs the user to UCF’s identity provider, Azure. Azure sees the incoming request for authentication, shows the login screen, which our users are very familiar with. If the user enters a valid username/password pair, then Azure sends the user attributes we decided are OK to send to OpenAthens. OpenAthens then creates a URL to connect to the service, JSTOR. JSTOR and OpenAthens have worked together to create a connector URL, and have systems in place to do a SAML handshake and pass along the user attributes needed to determine whether to grant access.
Slides 2 through 7 offer a simplified, personified depiction of the authentication and authorization steps. The slides mention Shibboleth, but the same steps apply to OpenAthens (and all other SAML-based systems). The slides work best in presentation mode so you can see the animation.
At the time Adam and I gave the presentation, UCF was attempting to use Shibboleth for SAML-based access. I was very excited about the prospect, but enabling Shibboleth access was complicated. It required a dialog between campus IT and each library vendor to work out the connection details. In addition, the URLs we’d need to use for Shibboleth enabled sites were complex (WAYFless URLs are a mess!). AND not all vendors are SAML compliant, meaning we still would have to run EZproxy, and we’d have to create different starting URL types for Shibboleth v EZproxy sites. The beauty of OpenAthens is that your university need only set up the connection between *they* work out the connection details between OpenAthens and the hundreds of vendor sites.
If we did not have OpenAthens, SAML-based authentication would not be possible. And, now that we do have it, I would not want to go back to EZproxy. It has been a boon for flexible, easy to manage access, and gives good stats to boot.
I hope all this helps.
All the best,
Athena
Athena Hoeppner (she/her/hers)
Discovery Services Librarian | University Librarian
University of Central Florida | athena at ucf.edu
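As an added illustration (not code from this thread, from OpenAthens or from Azure), here is a toy Python model of the service-provider side of the flow described above: the IdP has already authenticated the user and released a few attributes, and the SP still has to decide authorization. It assumes a constructed SAML assertion, a made-up SP entity ID (https://vendor.example/saml/sp), and eduPersonScopedAffiliation as the released attribute; signature and issuer verification, which a real SP does first, are left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"  # eduPersonScopedAffiliation

# Constructed sample assertion, not a real Azure/OpenAthens message.
# Signature and Issuer checks are omitted here; a real SP does them first.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2023-05-25T22:00:00Z" NotOnOrAfter="2023-05-25T22:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://vendor.example/saml/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>member@ucf.example</saml:AttributeValue>
      <saml:AttributeValue>student@ucf.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    """Parse a SAML UTC timestamp such as 2023-05-25T22:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    return {
        a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
        for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    }

def authorize(assertion_xml, my_entity_id, licensed_affiliations, now_iso):
    """Fail-closed SP decision, returned as (allowed, reason): the assertion must
    be meant for this SP, still valid, and carry an affiliation the licence covers."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing validity conditions"
    now = _ts(now_iso)
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window"
    if my_entity_id not in {a.text for a in cond.findall(".//saml:Audience", NS)}:
        return False, "assertion issued for a different service provider"
    released = set(extract_attributes(assertion_xml).get(SCOPED_AFFILIATION, []))
    matched = released & set(licensed_affiliations)
    if not matched:
        return False, "no licensed affiliation released"
    return True, "authorized via " + min(matched)
```

The attribute list is exactly the "data about the user we decided are OK to send": the SP never sees a password, only the IdP-released attributes it needs for the decision.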
From: Eril-l <eril-l-bounces at lists.eril-l.org> On Behalf Of Electronic Resources in Libraries discussion list via Eril-l
Sent: Thursday, May 25, 2023 4:04 PM
To: Electronic Resources in Libraries discussion list <eril-l at lists.eril-l.org>
Subject: Re: [Eril-l] Microsoft Azure & Open Athens
We have opted for Azure with hosted EZproxy as a less expensive option. Azure provides the SSO for those enabled databases and EZproxy for those databases that don’t have direct SSO. There may be other benefits to OpenAthens I am unaware of though, probably some usage stats or metrics, and I believe it has a managed proxy built-in.
Roen
From: Eril-l <eril-l-bounces at lists.eril-l.org> On Behalf Of Electronic Resources in Libraries discussion list via Eril-l
Sent: Thursday, May 25, 2023 12:47 PM
To: 'eril-l at lists.eril-l.org' <eril-l at lists.eril-l.org>
Subject: [Eril-l] Microsoft Azure & Open Athens
Hello,
I’m a new subscriber and I apologize in advance if this has been answered multiple times through the years, but when I try to search the archives, I keep receiving an error message.
We currently use Open Athens for our database authentication, and our university uses Microsoft Azure for email, intranet, and LMS sign in. When we set up Open Athens, our IT department connected Azure’s Active Directory with Open Athens, so patrons have an SSO experience. So when patrons try to access a library database, they see Microsoft’s sign-in. Also, if patrons sign in to the LMS, or the university’s portal before accessing the library website, they’re not prompted to authenticate again for database access.
This may be an obvious question, but we’re trying to determine if we still need Open Athens or if Microsoft Azure provides the only authentication piece we need. From what I’ve read, Azure authenticates the user, but Open Athens is what gives the authenticated user access to the licensed content, so I think OA is needed. Like a lot of other schools, our budget is getting tighter and Open Athens is not inexpensive. Since administering our databases is only part of my job (small library, many hats), I don’t know all of the tech aspects in depth, so your input and advice is appreciated.
Dana
Dana Mastroianni
Head of Public Services | Jennie King Mellon Library <http://library.chatham.edu/>
Office: 412-365-1602
Chatham University | Woodland Rd. Pittsburgh, 15232
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2015 11 LITA DrShibblove.pptx
Type: application/vnd.openxmlformats-officedocument.presentationml.presentation
Size: 9336554 bytes
Desc: 2015 11 LITA DrShibblove.pptx
URL: <http://lists.eril-l.org/pipermail/eril-l-eril-l.org/attachments/20230525/cbc097b9/attachment-0001.pptx>