[OPEN-ILS-DEV] Feature Proposal - OpenAthens integration

Julian Clementson Julian.Clementson at openathens.net
Thu Sep 5 04:29:54 EDT 2019

Hi Jeff,

You're right to point out that this feature has a limited scope. I've only been looking at the public library case, where Evergreen is the identity provider. That's the current feature that we at OpenAthens have been asked to contribute to Evergreen for the benefit of Georgia Public Libraries and any other public library consortia that are also OpenAthens customers.

For the type of post-secondary case you describe, OpenAthens can already be configured to authenticate against other identity providers, such as Active Directory. What's missing is being able to configure Evergreen to authenticate against either Active Directory locally, or against OpenAthens, which in turn authenticates against whichever identity provider is configured for a particular library. I think adding new ways of authenticating into Evergreen should be treated as separate features. They are quite different from this feature, which is about using Evergreen to authenticate into another system. That's not to say the OpenAthens team would never contribute a separate feature for authenticating into Evergreen using OpenAthens, or provide help to someone else who wants to take it on - just to make clear that it's not in scope for the current round of work that's been triggered by the GALILEO single sign-on project.

Going back to the feature for using Evergreen to authenticate into OpenAthens, and to answer your second question, a single OpenAthens domain per Evergreen instance is certainly simpler to implement, and is the solution preferred by OpenAthens. If the consortium needs partitioning between libraries within OpenAthens, we propose that the top-level administrator for the consortium would create sub-organisations within the OpenAthens domain, one for each library, and set up mapping rules to map users into different sub-organisations depending on their home library setting. Each sub-organisation would have an associated administrator account that the branch librarian could use to view their local users and resource usage stats. The ability to set up these sub-organisations and mapping rules already exists in OpenAthens. Whereas if we were to implement multiple OpenAthens domains per Evergreen instance, we would have to develop a similar mapping feature within the Evergreen code. It's not impossible but is duplicating a feature we already have in OpenAthens. But if anyone thinks that the proposed way of doing things would be a show-stopper for the PINES consortium implementation, then we'll have to re-think!


Julian Clementson
Full stack software engineer

On 03/09/2019, 18:48, "Open-ils-dev on behalf of Jeff Davis" <open-ils-dev-bounces at list.georgialibraries.org on behalf of jeff.davis at bc.libraries.coop> wrote:

    Hi there,
    It's exciting to hear that OpenAthens integration is in the works!  We 
    have several libraries that will be very interested.  Thanks also for 
    the detailed proposal and documentation.
    I have a couple of questions.  The proposal seems to assume that 
    Evergreen will be the authoritative identity provider, but I think that 
    often won't be the case for OpenAthens customers.  Suppose I'm at a 
    post-secondary institution that uses a centralized Active Directory 
    service for single sign-on.  I want students to use their SSO 
    credentials to be able to login to library resources including online 
    databases and the Evergreen OPAC, so ideally OpenAthens would 
    authenticate against my institution's Active Directory, not against 
    Evergreen.  The development proposal says that resource-initiated login 
    must be delegated to Evergreen, which sounds like users would be 
    authenticated against EG instead of Active Directory.  Am I 
    understanding correctly?
    The proposal also says that only a single OpenAthens domain is allowed 
    for an entire Evergreen consortium.  Are there technical limitations 
    that make this necessary?  There will be cases where multiple libraries 
    sharing the same Evergreen instance will want to have their own 
    independent OpenAthens setup, but it sounds like the proposal precludes 
    Thanks again!  I'm looking forward to seeing where this goes.
    Jeff Davis
    BC Libraries Cooperative
    On 2019-09-02 3:06 a.m., Julian Clementson wrote:
    > Hello everyone,
    > I'd like to introduce a new feature proposal and ask for your feedback.
    > Launchpad link - https://bugs.launchpad.net/evergreen/+bug/1842297
    > The feature will provide integration between Evergreen and OpenAthens, a 
    > global cloud-based single sign-on service.
    > The background is that the GALILEO Consortium of libraries in Georgia 
    > has selected OpenAthens to deliver a state-wide solution for single 
    > sign-on, and this contract includes integrating Evergreen into 
    > OpenAthens, so that PINES patrons can seamlessly access 
    > OpenAthens-authenticated resources.
    > The OpenAthens development team has been contracted to implement the 
    > integration on behalf of GPLS, and I've been assigned as the lead 
    > developer for the project. I demonstrated a proof of concept to selected 
    > representatives of the Evergreen community and the PINES consortium back 
    > in July. The aim is to get this feature accepted into an upcoming 
    > release so that it is ready for PINES to start using towards the end of 
    > the year.
    > I have now documented the feature in detail on DocuWiki - see 
    > https://wiki.evergreen-ils.org/doku.php?id=dev%3Aproposal%3Aopenathens_integration
    > I have also published the proposed code changes and documentation, 
    > subject to community review of course - see 
    > https://github.com/openathens/Evergreen/commit/ed85f8f82795e4439315e897438d75e99e0e7cde
    > I welcome feedback and discussion, so as to improve the feature 
    > description and get the code into a state where the community is happy 
    > to accept it.
    > Thank you and kind regards,
    > Julian
