Bodleian Libraries Authentication System Overview


The Bodleian Libraries at the University of Oxford use a dual sign-on authentication system to give access to their collections: over 11.1 million catalogued books plus ebooks, electronic journals, and databases. The system integrates with Primo and Aleph so that patrons get one unified experience. The main challenge was linking the Primo login to the reader's Aleph ID so that patron functionality could be offered inside Primo.


Uploaded on Sep 29, 2024



Presentation Transcript


  1. Bodleian Digital Library Systems and Services (BDLSS), Bodleian Libraries, University of Oxford
     Bodleian Libraries Authentication System: Dual sign-on from Primo
     Masud Khokhar, Applications Developer, Bodleian Libraries, University of Oxford
     masud.khokhar@bodleian.ox.ac.uk, @mkhokhar
     September 29, 2024

  2. University of Oxford Libraries
     University of Oxford: more than 100 libraries
     Hold collectively approx. 11.1 million catalogued book stock
     470000+ ebooks
     50000+ electronic journals
     460+ databases
     The Bodleian group is the second largest library in the UK after the British Library
     Ex Libris products in Oxford: Primo, Primo Central, Aleph, MetaLib, bX, ARC and SFX
     Bodleian Libraries Authentication System: Dual sign-on from Primo, September 29, 2024, Page 2

  3. Oxford's Primo (SOLO)
     Two environments (Production and Test, with a plan to add a Dev environment soon)
     Primo topology: one BE server, two load-balanced FE servers, two SE servers, one NFS server, and one DB server; all virtualized except for the DB server
     Approx. 8M records
     Multiple sources: Aleph, MetaLib, Fedora, and more in future

  4. (no transcribed text on this slide)

  5. Oxford Memberships
     Oxford members: officially matriculated members; they are provided with Oxford's central Single-Sign-On (WebAuth) ID.
     Library members: external readers; they are not provided with an Oxford SSO ID.

  6. The ILS project
     Oxford migrated from Geac Advance to Ex Libris Aleph in July 2011.
     Oxford also migrated from OPAC via Link (OvL) to OPAC via Primo (OvP) at the same time.
     Aleph OPAC access is available only to system librarians.
     Major issue: authentication with OvP

  7. Authentication Issue
     We need to link the Primo login with the Aleph ID in order to show "My Account" or perform patron-based functionality.
     Before OvP, a reader had to sign on to Primo to gain access to e-resources and the e-shelf, and sign on to the OPAC with a different username/password to gain access to patron functionality.
     With Aleph as our LMS, we can provide such functionality within Primo (if we can resolve the linking issue).

  8. What? Sign on again?

  9. Main requirements
     Oxford members need to sign on with their SSO ID
     Library members should also be able to sign on, but with their barcode number
     Library members should not get access to e-resources just by signing on (they need to be in the Oxford libraries IP range)
     Both types of members should enjoy the features that OvP provides
     There should be only one click from the sign-on link to actually signing on (no intermediate WAYF-style page)

  10. Solution design
      Limitation: no access to the OUCS IdP (used for Oxford SSO auth)
      Run our own IdP for Library members:
      The Library Card Database contains Library and University members' data
      Push membership data into Aleph using p_file_20 (PLIF)
      Run an export from Aleph to LDAP (which includes the Aleph ID)
      Run an IdP on top of this LDAP
      Configure the Primo SP to use this IdP for authentication

  11. Use Case 1: Oxford members

  12. Use Case 2: Non-Oxford members

  13. Shibboleth SP configuration
      The Shibboleth RequestMapper element maps incoming requests to the set of configuration options that should be applied.
      /etc/shibboleth/shibboleth2.xml:
        <RequestMapper type="Native">
          <RequestMap applicationId="default">
            <Host name="solo.ouls.ox.ac.uk">
              <Path name="shib" authType="shibboleth" requireSession="true">
                <Path name="NONOX" authType="shibboleth" requireSessionWith="nonox"/>
              </Path>
            </Host>
          </RequestMap>
        </RequestMapper>

  14. Shibboleth SP configuration
      We use the protocol-handler type of SessionInitiator and make the OX session initiator the default one.
        <SessionInitiator type="Chaining" Location="/Login" isDefault="false" id="nonox"
            relayState="cookie" entityID="https://idp.sers.ox.ac.uk/idp/shibboleth">
          <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
          <SessionInitiator type="Shib1"/>
        </SessionInitiator>
        <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="ox"
            relayState="cookie" entityID="https://registry.shibboleth.ox.ac.uk/idp/">
          <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
          <SessionInitiator type="Shib1"/>
        </SessionInitiator>

  15. IdP redirections
      https://solo.ouls.ox.ac.uk/shib
      https://solo.ouls.ox.ac.uk/shib/nonox
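The two slides above tie the RequestMapper paths to the SessionInitiator ids: a request under /shib/nonox must carry requireSessionWith="nonox", and the OX initiator must be the only default, otherwise readers land at the wrong IdP or the SP refuses to start a session. The following check is an added example, not Bodleian or Shibboleth code: it parses a constructed shibboleth2.xml fragment modelled on slides 13 and 14 (the real file carries a default namespace, which the helpers strip), verifies that every requireSessionWith names an existing initiator and that each handler Location has exactly one default, and resolves which initiator a given request path would use. Path names are compared case-insensitively, which is the SP's default and is why /shib/nonox matches the NONOX path.

```python
"""Consistency check for a two-initiator Shibboleth SP configuration (added example)."""
import xml.etree.ElementTree as ET

# Constructed fragment modelled on slides 13 and 14; not the real Oxford file.
SAMPLE_CONFIG = """<SPConfig>
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="solo.ouls.ox.ac.uk">
        <Path name="shib" authType="shibboleth" requireSession="true">
          <Path name="NONOX" authType="shibboleth" requireSessionWith="nonox"/>
        </Path>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults entityID="https://solo.ouls.ox.ac.uk/shib">
    <Sessions>
      <SessionInitiator type="Chaining" Location="/Login" isDefault="false" id="nonox"
          relayState="cookie" entityID="https://idp.sers.ox.ac.uk/idp/shibboleth">
        <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
        <SessionInitiator type="Shib1"/>
      </SessionInitiator>
      <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="ox"
          relayState="cookie" entityID="https://registry.shibboleth.ox.ac.uk/idp/">
        <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
        <SessionInitiator type="Shib1"/>
      </SessionInitiator>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""


def _local(tag):
    """Strip an XML namespace prefix from an element tag, if present."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def load_config(xml_text):
    return ET.fromstring(xml_text)


def session_initiators(root):
    """Return {id: {entityID, Location, isDefault}} for initiators that carry an id.
    The nested SAML2/Shib1 children of a Chaining initiator have no id and are skipped."""
    inits = {}
    for si in _find_all(root, "SessionInitiator"):
        sid = si.get("id")
        if sid:
            inits[sid] = {
                "entityID": si.get("entityID"),
                "Location": si.get("Location"),
                "isDefault": si.get("isDefault", "false").lower() == "true",
            }
    return inits


def check_config(root):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    inits = session_initiators(root)
    # Every requireSessionWith must name an initiator that exists.
    for path in _find_all(root, "Path"):
        want = path.get("requireSessionWith")
        if want and want not in inits:
            problems.append(f"Path '{path.get('name')}': requireSessionWith='{want}' names no SessionInitiator")
    # Each handler Location must have exactly one initiator flagged isDefault="true".
    for loc in {i["Location"] for i in inits.values()}:
        defaults = [sid for sid, i in inits.items() if i["Location"] == loc and i["isDefault"]]
        if len(defaults) != 1:
            problems.append(f"Location '{loc}': expected one default initiator, found {defaults}")
    return problems


def initiator_for(root, host, request_path):
    """Resolve the initiator id a request would use (simplified RequestMapper semantics:
    walk matching <Path> elements segment by segment, deepest match wins, names compared
    case-insensitively). Falls back to the default initiator when no Path overrides it."""
    inits = session_initiators(root)
    chosen = next((sid for sid, i in inits.items() if i["isDefault"]), None)
    segments = [s for s in request_path.split("/") if s]
    for h in _find_all(root, "Host"):
        if h.get("name", "").lower() != host.lower():
            continue
        node = h
        for seg in segments:
            nxt = next((p for p in node if _local(p.tag) == "Path"
                        and p.get("name", "").lower() == seg.lower()), None)
            if nxt is None:
                break
            node = nxt
            if nxt.get("requireSessionWith"):
                chosen = nxt.get("requireSessionWith")
    return chosen


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print("problems:", check_config(cfg) or "none")
    for p in ("/shib", "/shib/nonox"):
        sid = initiator_for(cfg, "solo.ouls.ox.ac.uk", p)
        print(p, "->", sid, session_initiators(cfg)[sid]["entityID"])
```

Run it against the live file by replacing SAMPLE_CONFIG with the contents of /etc/shibboleth/shibboleth2.xml; a non-empty problem list is worth catching before a restart rather than from a reader's failed login.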

  16. Simple Aggregation Attribute Resolver
        <AttributeResolver type="Chaining">
          <AttributeResolver type="Query" />
          <AttributeResolver type="SimpleAggregation" attributeId="barcode"
              format="urn:oasis:names:tc:SAML:2.0:barcode-format:direct">
            <Entity>https://idp.sers.ox.ac.uk/idp/shibboleth</Entity>
          </AttributeResolver>
        </AttributeResolver>

  17. On the IdP side
      Write a new Principal Connector resolver of type "Direct". The Direct Principal Connector treats the value of the name identifier as the principal name.
        <resolver:PrincipalConnector xsi:type="Direct" xmlns="urn:mace:shibboleth:2.0:resolver:pc"
            id="barcodeDirect" nameIDFormat="urn:oasis:names:tc:SAML:2.0:barcode-format:direct" />

  18. On the IdP side
      Write an LDAP connector which uses the principal name as the uid. In our case this is the barcode sent by the SP to the IdP, which is mapped to the principal name by the Direct principal connector.
        <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
            ldapURL="YOUR_LDAP_SERVER" baseDN="YOUR_BASE_DN"
            principal="YOUR_MANAGER" principalCredential="YOUR_MANAGER_PASSWORD">
          <FilterTemplate>
            <![CDATA[ (uid=$requestContext.principalName) ]]>
          </FilterTemplate>
        </resolver:DataConnector>

  19. On the IdP side
      Define and release the extra attribute to the SP.
        <resolver:AttributeDefinition id="bodlAlephID" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
            sourceAttributeID="bodlAlephID">
          <resolver:Dependency ref="myLDAP" />
          <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
              name="urn:mace:dir:attribute-def:bodlAlephID" />
          <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
              name="urn:oid:1.3.6.1.4.1.11023" friendlyName="bodlAlephID" />
        </resolver:AttributeDefinition>

  20. Aggregation in logs
      2012-09-06 14:07:33 DEBUG Shibboleth.AttributeFilter [341]: filtering 4 attribute(s) from (https://registry.shibboleth.ox.ac.uk/idp)
      2012-09-06 14:07:33 DEBUG Shibboleth.AttributeFilter [341]: applying filtering rule(s) for attribute (barcode) from (https://registry.shibboleth.ox.ac.uk/idp)
      2012-09-06 14:07:33 DEBUG Shibboleth.AttributeFilter [341]: applying filtering rule(s) for attribute (person-name-oucs) from (https://registry.shibboleth.ox.ac.uk/idp)
      2012-09-06 14:07:33 DEBUG Shibboleth.AttributeResolver.SimpleAggregation [341]: using input attribute (barcode) as identifier for queries
      2012-09-06 14:07:33 DEBUG Shibboleth.AttributeResolver.SimpleAggregation [341]: issuing SAML query to (https://idp.sers.ox.ac.uk/idp/shibboleth)
      2012-09-06 14:07:33 DEBUG XMLTooling.SOAPTransport.CURL [341]: getting connection handle to https://idp.sers.ox.ac.uk:8443/idp/profile/SAML2/SOAP/AttributeQuery
      2012-09-06 14:07:33 DEBUG XMLTooling.SOAPTransport.CURL [341]: returning existing connection handle from pool

  21. SAML query
      2012-09-06 14:07:33 DEBUG Shibboleth.SOAPClient [341]: prepping SOAP transport for use by application (default)
      2012-09-06 14:07:33 DEBUG XMLTooling.SOAPClient [341]: marshalled envelope:
      <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_77103a22b38d94e50d931d2dc016fa05" IssueInstant="2012-09-06T13:07:33Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://solo.ouls.ox.ac.uk/shib</saml:Issuer><saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:barcode-format:direct">2737690</saml:NameID></saml:Subject></samlp:AttributeQuery></S:Body></S:Envelope>
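Slides 16 to 21 describe one exchange: the SP takes the barcode released by the Oxford IdP, sends an AttributeQuery whose NameID is that barcode in the site-specific format, the library IdP treats the NameID as the principal (Direct connector), looks it up as uid in LDAP, and returns bodlAlephID. The code below is an added example that models both sides of that exchange in memory; it is not Shibboleth SP or IdP code. The barcode 2737690 and the entity IDs come from the slides; the Aleph ID value and the dictionary standing in for the LDAP export are constructed, and signature and metadata checks that the real SP performs are not modelled. The SP-side check shows what a practitioner wants beyond "parse the attribute": the assertion must come from the expected issuer and must be about the barcode that was queried before its Aleph ID is trusted.

```python
"""Attribute aggregation by barcode, both sides (added example, not project code)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
for prefix, uri in (("S", SOAP), ("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, uri)

BARCODE_FORMAT = "urn:oasis:names:tc:SAML:2.0:barcode-format:direct"  # slides 16/17
ALEPH_ID_NAME = "urn:oid:1.3.6.1.4.1.11023"                            # slide 19 SAML2 name
SP_ENTITY = "https://solo.ouls.ox.ac.uk/shib"
LIBRARY_IDP = "https://idp.sers.ox.ac.uk/idp/shibboleth"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed stand-in for the Aleph-to-LDAP export: uid (barcode) -> bodlAlephID.
DIRECTORY = {"2737690": "000123456"}


def _q(ns, name):
    return f"{{{ns}}}{name}"


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_attribute_query(barcode):
    """SP side: the SOAP-wrapped AttributeQuery of slide 21, keyed by barcode."""
    env = ET.Element(_q(SOAP, "Envelope"))
    body = ET.SubElement(env, _q(SOAP, "Body"))
    query = ET.SubElement(body, _q(SAMLP, "AttributeQuery"),
                          {"ID": "_" + uuid.uuid4().hex, "IssueInstant": _now(), "Version": "2.0"})
    ET.SubElement(query, _q(SAML, "Issuer")).text = SP_ENTITY
    subject = ET.SubElement(query, _q(SAML, "Subject"))
    ET.SubElement(subject, _q(SAML, "NameID"), {"Format": BARCODE_FORMAT}).text = barcode
    return ET.tostring(env, encoding="unicode")


def query_subject(query_xml):
    """Return (NameID format, NameID value) from a query envelope."""
    nid = ET.fromstring(query_xml).find(f".//{_q(SAML, 'NameID')}")
    return nid.get("Format"), nid.text


def idp_handle_query(query_xml, directory=DIRECTORY):
    """IdP side: Direct principal connector, then the (uid=principal) lookup, then release."""
    fmt, principal = query_subject(query_xml)
    resp = ET.Element(_q(SAMLP, "Response"),
                      {"ID": "_" + uuid.uuid4().hex, "IssueInstant": _now(), "Version": "2.0"})
    ET.SubElement(resp, _q(SAML, "Issuer")).text = LIBRARY_IDP
    status = ET.SubElement(ET.SubElement(resp, _q(SAMLP, "Status")), _q(SAMLP, "StatusCode"))
    # Only the configured NameID format is accepted as a principal name (slide 17).
    aleph_id = directory.get(principal) if fmt == BARCODE_FORMAT else None
    if aleph_id is None:
        status.set("Value", "urn:oasis:names:tc:SAML:2.0:status:Responder")
        return ET.tostring(resp, encoding="unicode")
    status.set("Value", SUCCESS)
    assertion = ET.SubElement(resp, _q(SAML, "Assertion"),
                              {"ID": "_" + uuid.uuid4().hex, "IssueInstant": _now(), "Version": "2.0"})
    ET.SubElement(assertion, _q(SAML, "Issuer")).text = LIBRARY_IDP
    subject = ET.SubElement(assertion, _q(SAML, "Subject"))
    ET.SubElement(subject, _q(SAML, "NameID"), {"Format": fmt}).text = principal
    stmt = ET.SubElement(assertion, _q(SAML, "AttributeStatement"))
    attr = ET.SubElement(stmt, _q(SAML, "Attribute"), {"Name": ALEPH_ID_NAME, "FriendlyName": "bodlAlephID"})
    ET.SubElement(attr, _q(SAML, "AttributeValue")).text = aleph_id
    return ET.tostring(resp, encoding="unicode")


def sp_extract_aleph_id(response_xml, expected_barcode, expected_issuer=LIBRARY_IDP):
    """SP side: accept the Aleph ID only from a successful response whose assertion is
    issued by the expected IdP and is about the barcode that was queried.
    (Signature and metadata validation, done by the real SP, are not modelled.)"""
    resp = ET.fromstring(response_xml)
    if resp.find(f".//{_q(SAMLP, 'StatusCode')}").get("Value") != SUCCESS:
        return None
    assertion = resp.find(_q(SAML, "Assertion"))
    if assertion is None:
        return None
    if assertion.findtext(_q(SAML, "Issuer")) != expected_issuer:
        raise ValueError("assertion from unexpected issuer")
    nid = assertion.find(f"./{_q(SAML, 'Subject')}/{_q(SAML, 'NameID')}")
    if nid is None or nid.get("Format") != BARCODE_FORMAT or nid.text != expected_barcode:
        raise ValueError("assertion subject does not match the queried barcode")
    for attr in assertion.iter(_q(SAML, "Attribute")):
        if attr.get("Name") == ALEPH_ID_NAME:
            return attr.findtext(_q(SAML, "AttributeValue"))
    return None


if __name__ == "__main__":
    q = build_attribute_query("2737690")
    r = idp_handle_query(q)
    print("aleph id for 2737690:", sp_extract_aleph_id(r, "2737690"))
    print("unknown barcode:", sp_extract_aleph_id(idp_handle_query(build_attribute_query("0000000")), "0000000"))
```

An unknown barcode produces a Responder status with no assertion, so the SP gets no Aleph ID and the reader simply has no linked patron record; the subject and issuer checks are what keep one reader's Aleph ID from being attached to another reader's session if a response ever arrives out of order.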

  22. PDS Mapping
      Our tab_service.ox file looks like this:
        [AUTHENTICATE]
        program = shib.pl
        params = shib.conf
        [END]

        [INSTITUTE_DISPLAY]
        code = OX
        desc = University of Oxford Members
        lang = ENG
        sort_key = 1
        [END]

        [LOAD_LOGIN]
        primo = OX
        metalib = OXFORD
        [END]

        [BOR_INFO]
        program = shib_bor_info.pl
        [END]

  23. PDS Mapping
      And the shib.conf file looks like:
        [SHIB_ATTRIBUTES]
        aleph_id = z312_source_id
        person_name_oucs = z312_name
        [END]

        [DEFAULTS]
        institute,OX
        group,ADMIN
        expiry_date,today +1y
        [END]

  24. PDS Mapping
      Our tab_service.nonox file looks like this:
        [AUTHENTICATE]
        program = shib.pl
        params = shib_nonox.conf
        [END]

        [INSTITUTE_DISPLAY]
        code = NONOX
        desc = Non-University of Oxford Members
        lang = ENG
        sort_key = 2
        [END]

        [LOAD_LOGIN]
        primo = NONOX
        [END]

        [BOR_INFO]
        program = shib_bor_info.pl
        [END]

  25. PDS Mapping
      And the shib_nonox.conf file looks like:
        [SHIB_ATTRIBUTES]
        aleph_id = z312_source_id
        person_name_sers = name
        [END]

        [DEFAULTS]
        group,ADMIN
        institute,NONOX
        expiry_date,today +1y
        [END]
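The four PDS slides above give the mapping rules but not the code that applies them (shib.pl and shib_bor_info.pl are Ex Libris PDS Perl scripts). As an added example, not the Bodleian or PDS code, the block below parses the shib.conf and shib_nonox.conf format shown on slides 23 and 25, builds the z312 patron record from the attributes the SP released, reports which expected attributes were missing, and applies the slide 9 rule that a NONOX member only gets e-resources from a library IP. Two assumptions are labelled in the code: the SP's attribute-map exports the aggregated bodlAlephID under the id aleph_id, and the library IP range is a documentation-block placeholder rather than Oxford's real range.

```python
"""PDS attribute mapping and the e-resource rule (added example, not PDS code)."""
import ipaddress
from datetime import date

# Copied from slides 23 and 25.
SHIB_CONF_OX = """\
[SHIB_ATTRIBUTES]
aleph_id = z312_source_id
person_name_oucs = z312_name
[END]
[DEFAULTS]
institute,OX
group,ADMIN
expiry_date,today +1y
[END]
"""

SHIB_CONF_NONOX = """\
[SHIB_ATTRIBUTES]
aleph_id = z312_source_id
person_name_sers = name
[END]
[DEFAULTS]
group,ADMIN
institute,NONOX
expiry_date,today +1y
[END]
"""

# Constructed placeholder for the "Oxford libraries IP range" of slide 9 (RFC 5737 block).
LIBRARY_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_pds_conf(text):
    """Parse '[SECTION] ... [END]' blocks into {section: [(key, value), ...]}.
    SHIB_ATTRIBUTES lines are 'shib_attr = z312_field'; DEFAULTS lines are 'field,value'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = None if name == "END" else name
            if current:
                sections[current] = []
            continue
        if current is None:
            raise ValueError(f"line outside a section: {raw!r}")
        sep = "=" if current == "SHIB_ATTRIBUTES" else ","
        key, found, value = line.partition(sep)
        if not found:
            raise ValueError(f"malformed line in [{current}]: {raw!r}")
        sections[current].append((key.strip(), value.strip()))
    return sections


def resolve_expiry(spec, today):
    """Turn the 'today +1y' default into a date (29 Feb clamps to 28 Feb)."""
    base, _, delta = spec.partition("+")
    delta = delta.strip()
    if base.strip() != "today" or (delta and not delta.endswith("y")):
        raise ValueError(f"unsupported expiry spec: {spec!r}")
    years = int(delta[:-1]) if delta else 0
    try:
        return today.replace(year=today.year + years)
    except ValueError:
        return today.replace(year=today.year + years, day=28)


def build_bor_record(conf, shib_attributes, today_iso):
    """Map released attributes (SP attribute ids such as 'aleph_id', assumed to be how the
    SP exports bodlAlephID) onto z312 fields, then apply DEFAULTS.
    Returns (record, list of expected attributes the IdP did not release)."""
    today = date.fromisoformat(today_iso)
    record, missing = {}, []
    for attr, field in conf["SHIB_ATTRIBUTES"]:
        if attr in shib_attributes:
            record[field] = shib_attributes[attr]
        else:
            missing.append(attr)
    for field, value in conf["DEFAULTS"]:
        record[field] = resolve_expiry(value, today).isoformat() if field == "expiry_date" else value
    return record, missing


def eresource_allowed(institute, client_ip, library_ranges=LIBRARY_RANGES):
    """Slide 9: OX members get e-resources on sign-on; NONOX members only from a
    library IP; any other institute code is denied."""
    if institute == "OX":
        return True
    if institute == "NONOX":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in library_ranges)
    return False


if __name__ == "__main__":
    ox = parse_pds_conf(SHIB_CONF_OX)
    print(build_bor_record(ox, {"aleph_id": "000123456", "person_name_oucs": "A. Reader"}, "2012-09-06"))
    print(eresource_allowed("NONOX", "203.0.113.7"), eresource_allowed("NONOX", "192.0.2.7"))
```

The missing-attribute list is the useful diagnostic: if aleph_id is absent for an OX sign-on, the aggregation on slide 16 did not return bodlAlephID, and the reader will be signed in to Primo without any patron functions.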

  26. Sign-on options
      Changed in the userAreaTile.jsp file in the fe_web/tiles directory.
        <li id="exlidSignOut" class="EXLSignOut EXLLastItem">
          <span style="float:left;"><fmt:message key="default.eshelf.additional.before.text"/>&nbsp;</span>
          <a href="${fn:escapeXml(loginUrl)}"><fmt:message key="eshelf.signin.title"/></a>
          <fmt:message key="eshelf.additional.text"/>
        </li>
        <li id="exlidSignOut" class="EXLSignOut">
          <a href="https://solo.ouls.ox.ac.uk/pds?func=load-login&institute=NONOX&calling_system=primo&url=http://solo.bodleian.ox.ac.uk:80/primo_library/libweb/action/login.do?targetURL=${fn:escapeXml(form.reqEncUrl)}"><fmt:message key="default.eshelf.signin.nonox.title"/></a>&nbsp;<fmt:message key="default.eshelf.additional.after.text"/>
        </li>

  27. Sign-on options (screenshot)

  28. Different attribute mapping
      Oxford SSO sign-on
      Non-Oxford members sign-on

  29. Thank you. Questions?
