Do you support Shibboleth/SAML-only authentication?
LibKey and BrowZine operate as a technology overlay that facilitates connections to a library’s existing subscribed sources; they do not hold any of this content themselves. One of our goals in building these services is to make connecting authenticated users with content as seamless as possible, and authentication plays a big part in doing this.
With a proxy system, the user can log in once, initiate a proxy session and then get full access to all entitlements with no further interaction with the proxy. This allows us to easily build URLs on the fly which we can be assured will connect with the publishers, who provide the appropriate entitlements by identifying the IP.
Shibboleth on its own, for all its benefits, does not excel at the above use case. Unfortunately, every publisher has a different way to start the Shibboleth/SAML session, which usually involves clicking through a few screens to identify a library’s federation, and there are still publishers/sources that do not support Shibboleth at all.
As a result, many institutions that primarily use Shibboleth or another federated technology wind up running a proxy server for at least some sources to provide full coverage for off-campus users, while choosing to use Shibboleth/SAML-style authentication for major providers and platforms.
Fortunately, Third Iron services can support this type of authentication! Libraries need only alert Third Iron Support to which sources they would like to authenticate directly via Shibboleth/SAML and their IdP, and LibKey/BrowZine services can be routed over WAYF-less URLs automatically. This creates a seamless authentication experience for these resources, while the other resources not in this list are routed via proxy/VPN or simply IP range.
I heard we use Shibboleth in our authentication. Is this the same as the situation described above where we are authenticating via SAML?
Many institutions around the world embrace Shibboleth as a Single Sign-On (SSO) Identity Provider (IdP) to enable access to resources used all over campus, including email, courseware, scientific web resources, library resources and more. However, because of the limitations described above for the user experience when accessing library resources (and the added complexity this usually causes in configuring library systems), as well as the lack of full support from all publishers, many libraries choose to make the Service Provider (SP) not the publisher but the proxy server. Thus, the IdP enables access to the proxy (the SP) so that the proxy may be used to complete the “transaction” that the user is requesting, such as access to a subscribed journal.
This leads to much confusion in the library world about what “using Shibboleth” really means when discussed in terms of authentication technology. Whether you are using the publishers as the SPs or the proxy, you are still “using Shibboleth”, but BrowZine only supports situations where Shibboleth is authenticating the proxy.
How can I tell if my library is using a proxy authenticated by Shibboleth or using Shibboleth to authenticate directly to a publisher via SAML?
The easiest way to tell is to check whether the domain has a proxy inserted in it after you authenticate from off-campus. From your library’s home page, find a database for content behind a paywall and click the link. If you are presented with a login screen, log in. Now take a look at the resulting URL. If it has been “transformed” in some way to insert some additional subdomains, you are running a proxy.
WAM Proxy style:
If instead, the link looks like:
Then you are connecting directly via Shibboleth, and this platform (e.g. SpringerLink, Science Direct, EBSCO) should be included in the list of platforms for which you will want SAML WAYF-less linking set up by the Third Iron Support team.
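The URL check described above can be scripted when you need to audit many platforms. This is an added example, not Third Iron code: the function name, the two host-rewriting shapes it recognises and all sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit


def _host(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def classify_access(publisher_url: str, landed_url: str) -> str:
    """Compare the link you clicked with the URL you landed on after login.

    Returns 'proxy' if the publisher host was rewritten to sit under another
    domain, 'direct' if the host is unchanged, otherwise 'unknown'.
    """
    publisher, landed = _host(publisher_url), _host(landed_url)
    if not publisher or not landed:
        return "unknown"
    if landed == publisher:
        return "direct"
    # Assumed shape 1: publisher host kept whole, optionally prefixed,
    # with the proxy's own domain appended as extra labels.
    if re.search(r"(^|[.-])" + re.escape(publisher) + r"\.", landed):
        return "proxy"
    # Assumed shape 2: publisher host folded into one label with dots
    # replaced by hyphens, followed by the proxy's own domain.
    first_label, _, rest = landed.partition(".")
    if rest and first_label == publisher.replace(".", "-"):
        return "proxy"
    # A different host that does not embed the publisher (for example an
    # IdP login page that was never left) cannot be classified.
    return "unknown"


# Constructed sample URLs using reserved example domains.
CLICKED = "https://www.publisher.example/journal/1"
SAMPLES = [
    "https://www.publisher.example/journal/1",
    "https://0-www.publisher.example.catalog.library.example.org/journal/1",
    "https://www-publisher-example.proxy.library.example.org/journal/1",
    "https://idp.library.example.org/login",
]

if __name__ == "__main__":
    for landed in SAMPLES:
        print(classify_access(CLICKED, landed), landed)
```

A result of `unknown` means the comparison was made before the login finished or the platform redirected to a different host, so repeat the check on the final content page.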
If you have any questions, please contact us for additional access options.