Library Collaboration Develops Shibboleth/EZproxy Hybrid
Combination means a move away from IP authentication; provides greater control
October 1, 2010
College and university IT professionals used Shibboleth and EZproxy to develop a library access solution that avoids using static IP address authentication. This hybrid solution is not only more flexible and secure, but also provides a better integrated experience for users, administrators, and outside content vendors.
- University of California San Diego
- University of Chicago
- University of North Carolina
- University of Maryland
Products & Services
Libraries face one of the most complex situations on campus, when it comes to providing access to protected resources. They typically work with a large number of vendors and have a variety of user situations to accommodate.
That’s why several college and university IT professionals came together in the InCommon Library Collaboration. The goals included:
- Moving away from IP-based authentication.
- Leveraging the main campus identity infrastructure.
- Gaining fine-grain control over access to accommodate users with different levels of access or access to different materials.
- Encouraging as many vendors as possible to participate in single sign-on, providing increased security and an improved user experience.
Libraries subscribe to dozens of online journals and databases and work with many different resource providers. Many vendors have preferred making authorization decisions based on the IP addresses from which the request originates. This makes remote access difficult, given that a user at home or at a coffee shop will not be connecting from an IP addresses controlled by the institution.
The situation is made more complex because many libraries provide services to patrons that are not part of the campus community (and, thus, not part of the identity management infrastructure). For instance:
- The catalog may be open to all who enter the building.
- Specialized databases may be open to anyone physically in the library.
- Databases may be open to those with university credentials regardless of their physical location.
- Some resources may be open only to students and faculty in a certain field (such as the law school or medical school).
The collaboration group developed a hybrid of two popular software packages: Shibboleth and EZproxy.
Shibboleth (developed by the Internet2 Middleware Initiative) is the SAML-based, open-source federating and single sign-on software. Shibboleth is adept at managing the interaction between the library, the campus identity system and the resource provider (or vendor).
EZproxy (a product of OCLC) is middleware that authenticates library users and provides remote access to licensed content. EZproxy is widely deployed among libraries, but does not offer the fine- grain access control that can be achieved using Shibboleth to leverage the campus identity system.
This hybrid solution offers benefits to:
Users – providing single sign-on convenience.
Librarians – reducing expenses and support needs, with far less IP and proxy maintenance. It also permits the use of additional federated resources while keeping the user experience consistent.
Library administration – making central usage statistics available.
Vendors – eliminating the need to maintain IDs and passwords, since Shibboleth leverages the university's identity management system, provides the necessary authentication, and allows for quick breach investigation.
The collaboration group also developed a number of helpful documents, including use cases, best practices for service providers and libraries, and short case studies from campuses outlining their experiences with the hybrid. Members have also made numerous presentations and conducted an informative webinar on their work (see www.incommon.org).
The group also approached a number of library resource providers, focusing on those with membership in the federation in the United Kingdom, but not InCommon. Several have joined InCommon as a result of these efforts. As a side benefit, other collaboration groups could mirror this approach to encouraging service providers to join the federation.