[Eril-l] OpenAthens vs campus federated SSO?

Electronic Resources in Libraries discussion list eril-l at lists.eril-l.org
Wed May 22 11:20:20 PDT 2024


Judith,

Some publishers have implemented Seamless Access. Essentially the publisher will issue a cookie token which will provide short-term access in future after pairing the user with their institution. It is similar to Google CASA. Whether one has implemented OpenAthens, Shibboleth or another form of SSO, one should keep some form of OpenURL linking that will invoke an institutional SSO session. Generally, this is easier with EZproxy than SAML.

Kind regards,
Dom Benson
Research Outputs Visibility Manager, Open Research & Rights Office <https://www.brunel.ac.uk/life/library/ORR>
Library Services, Student & Academic Services Directorate
Brunel University London


From: Eril-l <eril-l-bounces at lists.eril-l.org> On Behalf Of Electronic Resources in Libraries discussion list via Eril-l
Sent: 22 May 2024 16:36
To: Electronic Resources in Libraries discussion list <eril-l at lists.eril-l.org>
Subject: Re: [Eril-l] OpenAthens vs campus federated SSO?

I do not work closely with authentication and have had minimal experience with federated access. However, when I read "...we have had some vendors that we never worked with suddenly being able to authenticate through Canarie without either the library staff OR our IT staff doing anything at all on our end" I wondered how you would restore access if you lost it. Who would you contact? Having Open Athens seems to mean that you can contact Open Athens regarding loss of access. I would be suspicious of any access that appears miraculously and is unmonitored by the library or a service. It sounds like something hard to manage (especially if you have no other access like ezproxy set up as a backup) in a crisis or even on a regular day.

Judith

--
Judith Nagata  (she/her)
Electronic Resources & Serials Librarian
Dinand Library
College of the Holy Cross
Worcester, MA 01610
p: 508-793-2639
e: jnagata at holycross.edu

On Wed, May 22, 2024 at 10:36 AM Electronic Resources in Libraries discussion list via Eril-l <eril-l at lists.eril-l.org> wrote:
Thanks for this. I am confused however about your first point. But first I probably need to distinguish between the "you" in "you'd still need to configure" being us library staff versus our campus IT staff.
We as in the library staff definitely do NOT have to maintain any kind of local idp instance.  And while in the past we've had to involve our IT dept to do something (hidden from me) to work with some vendors (I'm guessing that whatever they did is what you mean), we have had some vendors that we never worked with suddenly being able to authenticate through Canarie without either the library staff OR our IT staff doing anything at all on our end. In fact, I only discovered some of these were working when I went through our list of every vendor from off campus to see what they'd offer me, and surprisingly found some doing SSO that I hadn't known about (and I would be the person at my library who would know).

Your other points are definitely correct - we'll have to keep maintaining our ezproxy server for a long time as we have many smaller vendors who can barely manage IP authentication and aren't going to offer SSO any time soon.
But if we had money for OA, we could instead just switch from self-hosted to having OCLC do that work for us, which leads to a secondary question:

For the IP authenticated vendors (setting aside the SAML/federated ones), is there anything about OA that is superior to the service that OCLC offers if one uses ezproxy hosted by them?

I haven't heard any comments or complaints about the branding issue, but I'll pay more attention to that, thanks again!

Melissa Belvadi
mbelvadi at upei.ca
Make an appointment: https://mbelvadi.youcanbook.me/
________________________________
From: Eril-l <eril-l-bounces at lists.eril-l.org> on behalf of Electronic Resources in Libraries discussion list via Eril-l <eril-l at lists.eril-l.org>
Sent: Wednesday, May 22, 2024 11:13 AM
To: eril-l at lists.eril-l.org <eril-l at lists.eril-l.org>
Subject: [Eril-l] OpenAthens vs campus federated SSO?


Hi Melissa,

I had the same question when my library was considering the jump to federated access.   From my perspective and if I'm understanding correctly, three major issues come to mind:

Even though you'd be authenticating via your institution's Shib to Canarie you'd still need to configure and maintain a local IdP instance for authorization to every SP (vendor or publisher) with whom you want to establish a trusted connection.  OpenAthens maintains almost 500 of these IdP configurations in its resource catalogue so all you have to do is allocate a resource and the connection is established since OpenAthens serves as our IdP.  If one isn't available we simply contact EBSCO support who creates one for us.

A surprising number of publishers still don't support federated access, so for those that still use IP authentication you'd need to continue using EZproxy which means you'd have to maintain, support, and pay for dual authentication systems.  OpenAthens is a turnkey solution since IP-based and federated access are both supported in OpenAthens.

This may be deemed a lesser issue, but typically Shib is maintained by your campus' IT shop, so if you're piggybacking on this you'd have to use whatever branding they have in place.  You wouldn't be able to maintain consistent library branding and imagery across your access points, which is important to our patrons' user experience.

I hope this helps clarify.  Please feel free to contact me off-list if you'd like more detail.  Best of luck!

Regards,
John

__________________________________
John Felts
Head of Information Technology and Collections
University Libraries / Coastal Carolina University
376 University Boulevard
Conway SC 29526
843-349-5040


------------------------------

Message: 4
Date: Tue, 21 May 2024 17:22:08 +0000
From: Electronic Resources in Libraries discussion list
        <eril-l at lists.eril-l.org>
To: ERIL-L listserv <eril-l at lists.eril-l.org>
Subject: [Eril-l] OpenAthens vs campus federated SSO?
Message-ID:
        <mailman.597.1716312135.1238482.eril-l-eril-l.org at lists.eril-l.org>
Content-Type: text/plain; charset="utf-8"

Hi, all.
We use ezproxy generally (self-hosted) but as our campus implemented first Shibboleth and is now moving this summer to Azure, and associated with the big Canadian SAML federation Canarie, we've been finding more and more major library content providers supporting that kind of off-campus "login via your institution", some of which didn't even contact us to configure it, but just got up and running for us from the Canarie service.

In light of that trend, I'm wondering what advantages there still are to using Open Athens (which I've been wanting to get for years but didn't have the budget or systems support for).

If any of you have Open Athens and your campus also provides SSO through that kind of SAML service, can you please tell me what OA is doing for you that makes it still worth the cost?

Melissa Belvadi
Collections Librarian
University of Prince Edward Island
mbelvadi at upei.ca  902-566-0581 ORCID iD: 0000-0002-4433-0189 my public calendar <https://outlook.office365.com/owa/calendar/0fbab27c909e4493be65313bd66d66b6@upei.ca/5fa60af92c6d451c9ddf90c0bb11e00f15552192987609852692/calendar.html>
Make an appointment <https://mbelvadi.youcanbook.me/> via YouCanBookMe
My emails are sent during the hours that I work and I understand that you will respond during the hours that you work.
_______________________________________________
Eril-l mailing list
Eril-l at lists.eril-l.org
http://lists.eril-l.org/listinfo.cgi/eril-l-eril-l.org


