[Eril-l] OpenAthens vs campus federated SSO?

Electronic Resources in Libraries discussion list eril-l at lists.eril-l.org
Thu May 23 12:58:37 PDT 2024


This is a bit of an aside to the issue at hand, but your users are currently able to connect to Canarie because they've likely started their research journey from the open web and landed on a vendor's site that has the Canarie federation enabled.  The user is using that vendor's IdP discovery service, which passes the user through your local SSO environment to authenticate.  In my opinion, this is the most important benefit of federated access; it establishes authentication at the point of need as opposed to forcing users to either start from or return to the library's portal to obtain the proxy-prefixed URL necessary for authentication.  Federated access removes so much friction from the authentication and authorization process.  

But let me see if I can do a better job of explaining my first point.  Aside from your local IdP config used for authentication, each SP requires an authorization component (think of it as similar to a stanza in EZproxy parlance) that has very specific configuration info that's used to establish a trusted connection.  Each SP has unique and typically rather complicated specs, and someone (likely your ITS staff) would need to be in contact with every vendor/publisher to configure, maintain, and support hundreds of such settings.  These settings are prepopulated in OpenAthens, and if there's an access issue that we isolate to OpenAthens, I simply call them to troubleshoot.  Personally, I'd much rather keep responsibility for supporting access to library resources in the library than rely on our campus IT to provide support.
 
To your question about IP authentication, to my knowledge there's nothing superior about OpenAthens compared to EZproxy.  The obvious benefit is that both federated and IP-based access are supported in OpenAthens.  I hope this is helpful!

__________________________________
John Felts
Head of Information Technology and Collections
University Libraries / Coastal Carolina University
376 University Boulevard
Conway SC 29526
843-349-5040


------------------------------

Message: 2
Date: Wed, 22 May 2024 14:32:28 +0000
From: Electronic Resources in Libraries discussion list
	<eril-l at lists.eril-l.org>
To: "eril-l at lists.eril-l.org" <eril-l at lists.eril-l.org>
Subject: Re: [Eril-l] OpenAthens vs campus federated SSO?
Message-ID:
	<mailman.666.1716388409.1238484.eril-l-eril-l.org at lists.eril-l.org>
Content-Type: text/plain; charset="us-ascii"

Thanks for this. I am confused however about your first point. But first I probably need to distinguish between the "you" in "you'd still need to configure" being us library staff versus our campus IT staff.
We as in the library staff definitely do NOT have to maintain any kind of local IdP instance.  And while in the past we've had to involve our IT dept to do something (hidden from me) to work with some vendors (I'm guessing that whatever they did is what you mean), we have had some vendors that we never worked with suddenly being able to authenticate through Canarie without either the library staff OR our IT staff doing anything at all on our end. In fact, I only discovered some of these were working when I went through our list of every vendor from off campus to see what they'd offer me, and surprisingly found some doing SSO that I hadn't known about (and I would be the person at my library who would know).

Your other points are definitely correct - we'll have to keep maintaining our EZproxy server for a long time as we have many smaller vendors who can barely manage IP authentication and aren't going to offer SSO any time soon.
But if we had money for OA, we could instead just switch from self-hosted to having OCLC do that work for us, which leads to a secondary question:

For the IP authenticated vendors (setting aside the SAML/federated ones), is there anything about OA that is superior to the service that OCLC offers if one uses EZproxy hosted by them?

I haven't heard any comments or complaints about the branding issue, but I'll pay more attention to that, thanks again!

Melissa Belvadi
mbelvadi at upei.ca
Make an appointment: https://mbelvadi.youcanbook.me/
________________________________
From: Eril-l <eril-l-bounces at lists.eril-l.org> on behalf of Electronic Resources in Libraries discussion list via Eril-l <eril-l at lists.eril-l.org>
Sent: Wednesday, May 22, 2024 11:13 AM
To: eril-l at lists.eril-l.org <eril-l at lists.eril-l.org>
Subject: [Eril-l] OpenAthens vs campus federated SSO?




Hi Melissa,

I had the same question when my library was considering the jump to federated access.   From my perspective and if I'm understanding correctly, three major issues come to mind:

Even though you'd be authenticating via your institution's Shib to Canarie, you'd still need to configure and maintain a local IdP instance for authorization to every SP (vendor or publisher) with whom you want to establish a trusted connection.  OpenAthens maintains almost 500 of these IdP configurations in its resource catalogue, so all you have to do is allocate a resource and the connection is established since OpenAthens serves as our IdP.  If one isn't available, we simply contact EBSCO support, who creates one for us.

A surprising number of publishers still don't support federated access, so for those that still use IP authentication you'd need to continue using EZproxy which means you'd have to maintain, support, and pay for dual authentication systems.  OpenAthens is a turnkey solution since IP-based and federated access are both supported in OpenAthens.

This may be deemed a lesser issue, but typically Shib is maintained by your campus' IT shop, so if you're piggybacking on this you'd have to use whatever branding they have in place.  You wouldn't be able to maintain consistent library branding and imagery across your access points, which is important to our patrons' user experience.

I hope this helps clarify.  Please feel free to contact me off-list if you'd like more detail.  Best of luck!

Regards,
John

__________________________________
John Felts
Head of Information Technology and Collections
University Libraries / Coastal Carolina University
376 University Boulevard
Conway SC 29526
843-349-5040

