Federated Access: The Library Experience

A three-part presentation – first up Sarah Pearson from the University of Birmingham on their experience:

Authentication overview:

  • Mixture of Shibboleth, IP and username/password authentication
  • EZProxy used for off-campus (recently implemented)
  • SSO to Metalib (federated search), Shibboleth and EZProxy
  • Extra sign-on needed between Portal, WebCT and Metalib

Authentication – setup, maintenance and troubleshooting – needs involvement from:

  • Serials Team (Library services)
  • Digital Library team (IT Services)
  • Networks team (IT Services)

Shibboleth implementation relatively straightforward as already had good quality data in directory

Implementation timescale at B’ham

  • Jan 08 – decided to implement Shibboleth for July 2008
  • Jan-Mar 08 – tested current authentication, set up IdP and shibbolized Metalib
  • Mar-Apr 08 – Prioritised ‘Athens only’ resources with Shibboleth
  • July 08 – changed all links in Metalib to Shibboleth
    • decided to retain Athens for 1 year as some resources not supporting Shib
    • Migration of remaining Athens resources to other methods
  • July 09 – ended Athens subscription but implemented EZProxy

Decisions made

  • Athens only and IP/Athens authenticated resources to be moved to Shibboleth
  • WAYFless URLs where possible
  • Shibboleth preferred over IP
  • Shibbolized Metalib
  • Extended Athens subscription for 1 yr

Implementation process

  • Contacting service providers
  • Knowing which information to provide
  • Obtaining and testing WAYFless URLs was time consuming
  • Adding new URLs to Metalib (library portal/federated search)
  • Adding notes for specific resources

Issues and Challenges

  • SP discoverability / navigation issues – not everyone comes to the resource from the library website/portal
  • Dual authentication and personalisation
    • Although University of B’ham prefer Shibboleth to IP authentication – some resources use IP as a preference
  • WAYFless URLs
    • different suppliers use different constructions
    • Some support
  • SFX (OpenURL resolver) integration – providers don’t necessarily support deep linking in a consistent or good way
  • IdP downtime – have introduced a single point of failure

Secondly Francis Lowry from Nottingham Trent University

NTU approx 25,000 FTEs across 3 campuses

  • NTU was an early adopter of Shibboleth – in 2005
  • Shibboleth ‘just worked’ – it has been very stable
  • Currently on Shib 1.3, going to upgrade to 2.0 in Summer 2010
  • Shibboleth not a panacea – managing expectations was a big issue – e.g. Shib is not an SSO solution

Now Richard Cross takes up the story from the library side:

  • NTU Library do not talk about ‘Shibboleth’ – may describe the benefits of FAM, but talk about ‘NTU username and password’
  • Personalisation features – personal settings on remote resources were linked to Athens PUIDs and needed to be migrated to link to Shibboleth IDs
  • Some resources ended up losing personalisation features
  • Communication with colleagues etc. key
  • Switchover remarkably smooth
  • Customers appeared to find the process quite intuitive
  • No permanent loss of off-campus access to any significant resources

Richard mentions the JISC Publisher Interface Study – incredible inconsistency in how service providers implement and talk about authentication – this needs to change. WAYFless URLs are over-engineered, with inconsistent syntax – a real problem. OpenURL resolvers in particular need to work with WAYFless URLs.

  • Lack of utilities toolkit – reduced usage data
  • No ‘admin interface’, no reporting functionality, no troubleshooting tools
  • Reduced statistics (even at a basic level) compared to previously (when using traditional Athens authentication)

Customer experience?

  • May well remain unimpressed by the delivery of ‘mostly single’ sign-on (but terms and conditions apply)
  • Potential remains for customer confusion about how libraries manage the authentication exceptions
  • WAYFless URLs only work when the user accesses resources via the library – which is not how many people approach resources – coming in from Google and other resources

Don’t expect to be thanked for successful Shibboleth implementation – it is just seen as ‘business as usual’

Closing thoughts (from Francis):

  • Shibboleth is not just a replacement for Athens Authentication – opportunity for closer, more collaborative working across institutions
  • Vision for Shibboleth is more shared resources and services
    • Shared learning environments and resources
    • NTU CV Builder
    • Single framework for access to all university and externally provided services

NTU essentially embraced Shibboleth as a framework for authentication and authorisation across the board – all products they now tender for need to support SAML or similar…
