Access Management for Libraries by John Paschoud & Masha Garibyan

This presentation explores the impact of the move towards federated access management on libraries, including a discussion of the Athens administrator role, changes to library processes and the impact on the end-user.



  • Session B: Change Management for Libraries (11.00 – 12.00) Speakers: John Paschoud and Peter Spring, London School of Economics This session is aimed at institutional library staff and Athens administrators. Adopting federated access management will require a change to the way in which students are trained in using access management. This will have an impact on institutional libraries in a variety of ways: updating user guides, training staff to answer queries, updating electronic catalogue links etc. This presentation will be run by institutions that have already started that process, and give guidance on how to manage the necessary change.

Presentation Transcript

  • [AMP meeting title slide] Access Management for Libraries. John Paschoud and Masha Garibyan, London School of Economics. Joint Information Systems Committee: Supporting education and research. Access Management Programme meeting, May 2007
  • Why fix what ain’t broke?
    • Our Athens authentication system seems to work quite well, and has done so for several years. Why has JISC decided to change to something different?
  • Why “Federated Access Management”?
    • Moves closer to the single sign-on ideal - users need not remember so many passwords
    • Aligns with international convergence on Shibboleth/SAML compliant technology - wider market for suppliers
    • Avoids the need to maintain a central Athens-type database - by JISC/Eduserv and by participating libraries
    • Open Source and Open Standards-based - so tools can be developed by participants and shared
    • Supports internal applications, collaborative inter-institutional sharing of resources, and virtual organisations
  • Is that all?
    • Is that all?
  • Is that all!?!?
    • Improved security for resources, so publishers happy - they also don’t have to pay a licence fee (as they do for Athens), nor maintain campus IP address ranges
    • Because the access is role-based rather than identity-based there is improved privacy for users
    • Supports the trend towards a devolved / distributed model for access management
      • Authentication by the end-users’ institution
      • Authorisation by the resource owner
    • Suited to the demands for more mobile access – from home, travelling, or working at other institutions or libraries
  • So what is Shibboleth?
    • OK, sounds convincing, but what is Shibboleth?
  • What is Shibboleth?
    • Actually, “Shibboleth” is just an enabling technology that lets us do Federated Access Management
      • but just to satisfy your curiosity…
    • An initiative (of Internet2) to develop an architecture and policy framework supporting the sharing – between domains – of secured web resources and services
    • A project delivering an open source implementation of the architecture and framework
    • Deliverables:
      • Software for Identity Providers (universities, libraries)
      • Software for Service Providers (publishers …and universities, libraries)
      • Policy models for Federations (scalable trust)
    • … and they have a nice logo!
  • What are the costs and benefits?
    • What are the costs and benefits for our library of migrating to Federated Access Management?
  • Costs/Benefits of FAM?
    • Costs:
    • Institution’s directory must be in good shape and set up to support an Identity Provider (IdP)
    • Shibboleth (or compatible) middleware needs installing and maintaining
    • Benefits:
    • Reduced overheads in password support
    • No difference in on-campus and off-campus access
    • More flexible access control – e.g. different categories of users to different levels of access (or none) to a resource
  • Any other capabilities?
    • Are there things Shibboleth can do that Athens cannot?
    • … sorry! I meant “Federated Access Management”! What extra things can we do with it?
  • The Other Capabilities of FAM?
    • As well as acting as an Identity Provider, your institution would be able to set up its repository, e-learning or any other service as a Service Provider
      • as LSE has done for Exam Papers and other ‘members only’ collections
    • This will facilitate sharing of resources within the academic community
      • you can provide controlled access to users from other institutions, without needing to administer usernames/passwords for them
      • as LSE and Columbia (NY) did for a collaborative Anthropology teaching project (DART)
    • The fine-tuning of access control possible (using directory attributes) can be used to restrict confidential or sensitive data to those whose roles allow this
  • (the LSE Exam Papers collection – secured with Shibboleth)
  • So how do we get Shibbolised?
    • What will our library need to have in place and do in order to migrate to Shibboleth? What ‘infrastructure’ is required?
  • What infrastructure is required?
    • Within your Library / Institution:
    • Identity Provider (IdP) site – Required Enterprise Infrastructure
      • Authentication service (e.g. Yale-CAS, Pubcookie, or just webserver authentication)
      • Attribute repository (directory)
      • Shibboleth-compliant IdP service (e.g. Shibboleth, Guanxi or AthensIM software)
    • At your Publishers / Aggregators / e-Resource Providers:
    • Service Provider (SP) site – Required Enterprise Infrastructure
      • Webserver (Apache or IIS)
      • Shibboleth-compliant SP service (e.g. Shibboleth, Guanxi or AthensIM software)
      • Logic to make Authorisation decisions based on user attributes collected by SP service (as simple or complex as the service / resources being provided)
  • Shibboleth IdP architecture (GET YOUR LOCAL TECHIE TO DEAL WITH THIS BIT) [Diagram labels: Web browser; Shibboleth SP; (various communications); ports 443 and 8443; IdP server; Apache with MOD_SSL (certificate check), MOD_LDAP_AUTHZ and MOD_JK; LDAP server; Tomcat; Shibboleth IdP with AA (Attribute Authority) and HS (Handle Server); idp.xml, resolver.xml, arp.xml]
  • Is there help out there?
    • What help and support will be available to our library as we set about installing and migrating to Federated Access Management?
  • What support is there?
    • JISC information resources at: http:// /federation
      • Including material produced by the extensive programme of Core Middleware and Early Adopters projects
    • The UK Federation has guidance for institutions and publishers wanting to join at:
    • JISC Regional Support Centres, CILIP, CPD25, UCISA, SCONUL and other organisations are running information events
    • Netskills is producing practical training courses for technical staff
    • Use JISC-ACCESS- [email_address] to contact the JISC Support Team
  • What resources are Shibbolised?
    • I understand that quite a lot of publishers have already joined the UK Federation…
    • But not all e-resources are going to be accessible via Shibboleth overnight. Will that be a problem for us?
    • … shouldn’t we wait for another year or so, until they’ve all converted from Athens?
  • Ah! There’s a Cunning Plan! The Athens-Federation Gateways [Diagram labels: Federation-enabled resources; Athens authenticated resources; Athens national authentication service; Athens-enabled users; College IdP and University IdPs with FAM-enabled users; gateways Athens → Fed and Fed → Athens]
  • And the Athens Administrator?
    • We have an Athens Administrator. What happens to that role after migrating to Shibboleth?
  • Athens Administrator role?
    • Initially to manage the changeover from ‘classic Athens’ to either ‘Shibbolised’ resources, or via the Gateways, and continue to maintain other ad hoc access methods where neither of these options is available
    • As things settle down, there will be the need to maintain the links in your library’s list of e-resources
    • Closer liaison with your own IT people (who manage your institutional directories) may be needed
  • What’s a Federation?
    • … and what exactly does one of these ‘Federations’ do?
  • What is a Federation?
    • A group of organisations with a common purpose (e.g. education and research) who trust each other
    • Not a subscription-purchasing consortium!
      • but could be related to one or more of those
    • Federation members…
      • sign up to a set of rules, including minimum standards for Identity Management practices
    • May have legal status
    • Needs the trust of suppliers
    • Runs the ‘Where Are You From’ (WAYF) service
  • What does Shibboleth access look like?
    • So what does access to an e-resource using Shibboleth look like to the end user?
  • Demonstration: What does FAM look like to an end-user?
    • Elsevier Science Direct – an ‘early-adopting’ publisher
      • … dealing with a global customer base
      • … needs to know only whether user is from a licensed institution
      • (and use ‘Athens/Other Institution Login’)
    • LSE Projects wiki – a highly-restricted institutional resource
      • … with users spread across 10+ HE institutions (current project partners)
      • … needs to know personal identity and other user attributes
      • (and then ‘Edit’ this page)
    • Shibboleth Wiki – a global discussion space
      • (and use ‘Log In’)
  • Well, Shibboleth can look like this: the user knows the URL of the resource and that Shibboleth is used, and where they are from
  • Or, Shibboleth works invisibly behind the library portal
    • Alternatively, on or off campus, you could just go to the list of e-resources in the library’s portal.
    • In the LSE Library’s case our ‘Electronic Library’ is run from Endeavor’s Encompass system:
    • … but it could just be a list on a ‘hand-crafted’ web page
  • Shibboleth behind the library portal: the expanded list shows a link direct to the Service Provider, in this case Elsevier
  • Shibboleth behind the library portal, after clicking link in library portal: if users prefer the route through the library portal, e-resource usage statistics should become more representative
  • What do we tell our users?
    • What should we tell our staff and student library users about the change to Shibboleth?
  • What to tell your users?
    • As little as possible!
    • There is no Athens-type username and password to distribute (and remind of when forgotten or lost)
    • One strand of the change management will be to remove references to Athens passwords from user guides etc
      • there should be no need to substitute Shibboleth in Athens’ place
    • During changeover, there will be decreasing reliance on Athens passwords
      • some users may need reassuring the library has not lost access to a super-database called Athens!
    • LSE now tells users that “your LSE Login” is the default access for everything
      • … and provides help with the diminishing number of exceptions
  • From LSE’s Electronic Library FAQs: Many LSE electronic resources can also be accessed off-campus via your LSE login (network username and password). The FAQ shows how access to e-resources is getting easier, both on and off-campus.
  • ‘LSE for You’ provides diminishing passwords: The ‘LSE for You’ page, protected by the LSE login, provides the remaining passwords still required for some e-resources.
  • How did the LSE do it?
    • You were the first installation of Shibboleth in the UK. How did the LSE Library manage the change to Shibboleth?
  • How did the LSE do it?
    • Installing the infrastructure was surprisingly easy
      • (once we had the first working version of the software!)
    • We chose a ‘cautious’ changeover from Athens access, with careful quality assurance testing of each resource link
    • We were at the ‘bleeding edge’, with over 150 resource collections being accessed by ‘classic Athens’, Shibboleth, the Athens Gateway and EZproxy, and about 20% by all sorts of ad hoc methods
    • The methods used for these tests, a progress bar and a table of the Shibbolised status of those resources can be found on the [email_address] website
  • Shibboleth@LSE Home
  • Shibboleth@LSE Shibbolisation Progress
  • Shibboleth@LSE Table of e-Resources
  • [JISC Conf title slide] The End. Joint Information Systems Committee: Supporting education and research. Access Management for Libraries
  • Links, Questions and Conclusions
    • JISC FAM Transition:
    • UK Federation:
    • Shibboleth:
    • Shibboleth@LSE: /
    • Other questions?
    • Other issues for libraries?
    • … you’ll think of them later? [email_address] or JISC-ACCESS- [email_address]
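
The split the slides describe (authentication and attribute release at the user's institution, authorisation by the resource owner) can be sketched as follows. This is an added example, not part of the original presentation or of Shibboleth's code; the eduPerson attribute names, entity IDs, users and licence list are all assumptions constructed for illustration.

```python
# Added illustration; entity IDs, names and values are constructed.
# Attribute names follow the eduPerson schema (an assumption; the slides name none).

DIRECTORY = {  # constructed directory record held by the institution's IdP
    "jsmith": {
        "eduPersonPrincipalName": "jsmith@example.ac.uk",
        "eduPersonScopedAffiliation": ["staff@example.ac.uk", "member@example.ac.uk"],
        "displayName": "J. Smith",
        "mail": "j.smith@example.ac.uk",
    },
}

PUBLISHER = "https://publisher.example/shibboleth"  # hypothetical SP entity IDs
WIKI = "https://wiki.example.ac.uk/shibboleth"

# IdP side: per-SP attribute release policy (the job of an ARP file such as arp.xml).
RELEASE_POLICY = {
    PUBLISHER: {"eduPersonScopedAffiliation"},
    WIKI: {"eduPersonPrincipalName", "eduPersonScopedAffiliation", "displayName"},
}

def release_attributes(username, sp_entity_id):
    """Return only the attributes this SP may see; unknown SPs get nothing."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    return {k: v for k, v in DIRECTORY[username].items() if k in allowed}

# SP side, publisher: role-based decision, no personal identity required.
LICENSED_SCOPES = {"example.ac.uk"}  # institutions holding a licence (constructed)

def publisher_authorise(attrs):
    for value in attrs.get("eduPersonScopedAffiliation", []):
        role, _, scope = value.partition("@")
        if role == "member" and scope in LICENSED_SCOPES:
            return True
    return False  # missing or unlicensed affiliation: deny

# SP side, restricted wiki: identity-based decision against an editor list.
WIKI_EDITORS = {"jsmith@example.ac.uk"}

def wiki_authorise(attrs):
    return attrs.get("eduPersonPrincipalName") in WIKI_EDITORS

if __name__ == "__main__":
    for sp, decide in ((PUBLISHER, publisher_authorise), (WIKI, wiki_authorise)):
        attrs = release_attributes("jsmith", sp)
        print(sp, sorted(attrs), "->", "allow" if decide(attrs) else "deny")
```

The publisher never receives the user's name or e-mail address, which is the privacy gain of role-based access; a production SP would also check that the scope in each value is one the asserting IdP is registered for in the federation metadata.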