<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI Emoji";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:"Gotham Narrow";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-CA" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hi Dana<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">I strongly recommend that you
<b>keep</b> OpenAthens. To explain <i>why</i> I recommend keeping OpenAthens, I will try to describe SAML-based access and the roles of Azure and OpenAthens. I’ve attached slides from a presentation Adam Traub and I gave back in 2015 that illustrate some
of the SAML authentication concepts and also depict some of the complications you’ll face if you stop using OpenAthens but continue to use SAML directly between your Azure and the various library content vendors.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="mso-fareast-language:EN-US">The tl;dr version:</span></b><span style="mso-fareast-language:EN-US"> OpenAthens does all the work of creating and maintaining the connectors to hundreds of library content vendors. Without
a service like OpenAthens, you will be faced with trying to create connections to each vendor, and usually, it has to be done by campus IT. It is a LOT of work, yields inconsistent results, and you will still need a proxy service.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="mso-fareast-language:EN-US">The long-winded explanation:<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">It is useful to think about Authentication and Authorization as separate steps in granting access. A user must be able to confirm their identity (authentication) to an Identity Provider (IdP) usually
by entering a valid username/password combo. Once a user’s identity is confirmed by the identity provider, it sends some data about the user (attributes such as “this person is a valid member of the university, is a student, and so on) to the service provider
(SP) Based on the supplied user attributes, the service provider determines whether the user qualifies for access (authorization). <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">For example, here is how an OpenAthens supported login might work at UCF:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">A user clicks on a LibGuide link to JSTOR. The link includes the OpenAthens redirector, which includes a string that identifies the university (UCF). OpenAthens sees the incoming request, sees
that the desired service is for JSTOR, and sees the identifier for UCF. We’ve already set up OpenAthens in advance to know which resources to allow (including JSTOR) and how to connect to UCF’s Identity Provider (we use Azure). OpenAthens directs the user
to UCF’s identity provider, Azure. Azure sees the incoming request for authentication, shows the login screen, which our users are very familiar with. If the user enters a valid username/password pair, then Azure sends the user attributes we decided are OK
to send to OpenAthens. OpenAthens then creates a URL to connect to the service, JSTOR. JSTOR and OpenAthens have worked together to create a connector URL, and have systems in place to do a SAML handshake and pass along the user attributes needed to determine
whether to grant access. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Slides 2 through 7 offer a simplified, personified depiction the authentication and authorization steps. The slides mention Shibboleth, but the same steps apply to OpenAthens (and all other SAML-based
systems). The slides work best in presentation mode so you can see the animation.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">At the time Adam and I gave the presentation, UCF was attempting to use Shibboleth for SAML-based access. I was very exited about the prospect, but enabling Shibboleth access was complicated. It
required a dialog between campus IT and <i>each</i> library vendor to work out the connection details. In addition, the URLs we’d need to use for Shibboleth enabled sites were complex (WAYFless URLs are a mess!). AND not all vendors are SAML compliant, meaning
we still would have to run EZproxy, and we’d have to create different starting URL types for Shibboleth v EZproxy sites. The beauty of OpenAthens is that your university need only set up the connection between *<b>they</b>* work out the connection details
between OpenAthens and the hundreds of vendor sites.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">If we did not have OpenAthens, SAML based authentication would not be possible. And, now that we do have it, I would not want to go back to EZproxy. It has been a boon for flexible, easy to manage
access, and gives good stats to boot.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">I hope all this helps.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">All the best,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Atheana</span><o:p></o:p></p>
<p class="MsoNormal"><b><i><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif;mso-ligatures:none"><o:p> </o:p></span></i></b></p>
<p class="MsoNormal"><b><i><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif;mso-ligatures:none">Athena Hoeppner
</span></i></b><i><span lang="EN-US" style="font-size:8.0pt;font-family:"Arial",sans-serif;mso-ligatures:none">(she/her/hers)</span></i><b><i><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif;mso-ligatures:none"><o:p></o:p></span></i></b></p>
<p class="MsoNormal" style="margin-left:.2in"><span lang="EN-US" style="font-size:9.0pt;font-family:"Arial",sans-serif;mso-ligatures:none">Discovery Services Librarian | University Librarian<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.2in"><span lang="EN-US" style="font-size:9.0pt;font-family:"Arial",sans-serif;mso-ligatures:none">University of Central Florida |
<a href="mailto:athena@ucf.edu"><span style="color:#0563C1">athena@ucf.edu</span></a>
</span><span lang="FR-CA" style="font-size:9.0pt;font-family:"Arial",sans-serif;mso-ligatures:none"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="EN-US" style="mso-ligatures:none">From:</span></b><span lang="EN-US" style="mso-ligatures:none"> Eril-l <eril-l-bounces@lists.eril-l.org>
<b>On Behalf Of </b>Electronic Resources in Libraries discussion list via Eril-l<br>
<b>Sent:</b> Thursday, May 25, 2023 4:04 PM<br>
<b>To:</b> Electronic Resources in Libraries discussion list <eril-l@lists.eril-l.org><br>
<b>Subject:</b> Re: [Eril-l] Microsoft Azure & Open Athens<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US">We have opted for Azure with hosted EZproxy as a less expensive option. Azure provides the SSO for those enabled databases and EZproxy for those databases that don’t have direct SSO. There may be other benefits to OpenAthens
I am unaware of though, probably some usage stats or metrics, and I believe it has a managed proxy built-in.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Roen<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="EN-US" style="mso-ligatures:none">From:</span></b><span lang="EN-US" style="mso-ligatures:none"> Eril-l <<a href="mailto:eril-l-bounces@lists.eril-l.org">eril-l-bounces@lists.eril-l.org</a>>
<b>On Behalf Of </b>Electronic Resources in Libraries discussion list via Eril-l<br>
<b>Sent:</b> Thursday, May 25, 2023 12:47 PM<br>
<b>To:</b> 'eril-l@lists.eril-l.org' <<a href="mailto:eril-l@lists.eril-l.org">eril-l@lists.eril-l.org</a>><br>
<b>Subject:</b> [Eril-l] Microsoft Azure & Open Athens<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal" align="center" style="text-align:center;background:#E8E10E">
<span lang="EN-US" style="font-size:13.5pt;font-family:"Segoe UI Emoji",sans-serif;color:black">⚠</span><span lang="EN-US" style="color:black">
</span><b><span lang="EN-US" style="font-size:13.5pt;color:black">CAUTION:</span></b><span lang="EN-US" style="font-size:13.5pt;color:black"> Sender is not from OC. Avoid clicking links or opening attachments. Never provide personal information, passwords,
or make purchases. </span><span lang="EN-US"><o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">Hello, <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I’m a new subscriber and I apologize in advance if this has been answered multiple times through the years, but when I try to search the archives, I keep receiving an error message.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">We currently use Open Athens for our database authentication, and our university uses Microsoft Azure for email, intranet, and LMS sign in. When we set up Open Athens, our IT department connected Azure’s Active Directory
with Open Athens, so patrons have an SSO experience. So when patrons try to access a library database, they see Microsoft’s sign-in. Also, if patrons sign into to the LMS, or the university’s portal before accessing the library website, they’re not prompted
to authenticate again for database access. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">This may be an obvious question, but we’re trying to determine if we still need Open Athens or if Microsoft Azure provides the only authentication piece we need. From what I’ve read, Azure authenticates the user, but
Open Athens is what gives the authenticated user access to the licensed content, so I think OA is needed. Like a lot of other schools, our budget is getting tighter and Open Athens is not inexpensive. Since administering our databases is only part of my
job (small library, many hats), I don’t know all of the tech aspects in depth, so your input and advice is appreciated.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Dana<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Gotham Narrow";color:#767171;mso-ligatures:none">Dana Mastroianni
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Gotham Narrow";color:#767171;mso-ligatures:none">Head of Public Services |
<a href="http://library.chatham.edu/">Jennie King Mellon Library</a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Gotham Narrow";color:#767171;mso-ligatures:none">Office: 412-365-1602
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Gotham Narrow";color:#767171;mso-ligatures:none">Chatham University|Woodland Rd. Pittsburgh, 15232<o:p></o:p></span></p>
<p class="MsoNormal"><a href="https://www.instagram.com/jkmlibrary/"><span lang="EN-US" style="font-size:10.0pt;color:windowtext;mso-ligatures:none;text-decoration:none"><img border="0" width="34" height="34" style="width:.3541in;height:.3541in" id="Picture_x0020_1" src="cid:image001.png@01D98F2D.2340CD50" alt="Intsa"></span></a><a href="https://www.facebook.com/JKMLibrary/"><span lang="EN-US" style="font-size:10.0pt;color:windowtext;mso-ligatures:none;text-decoration:none"><img border="0" width="34" height="34" style="width:.3541in;height:.3541in" id="Picture_x0020_2" src="cid:image002.png@01D98F2D.2340CD50" alt="FB"></span></a><a href="https://open.spotify.com/user/fuwu26wdwqq6ums8xs4utraq5"><span lang="EN-US" style="font-size:10.0pt;color:windowtext;mso-ligatures:none;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="Picture_x0020_3" src="cid:image003.png@01D98F2D.2340CD50" alt="Social, Circles, neon, Spotify, line Icon"></span></a><span lang="EN-US" style="font-size:10.0pt;mso-ligatures:none"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Gotham Narrow";color:#767171;mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
</div>
</body>
</html>