Matt Durant:

  • Bio

    Information Manager (Digital Resources) at Bath Spa University. The cynics among you may prefer to call me a Librarian!

    I have recently become obsessed with all things HTML/CSS. This site runs on Wordpress, now re-launched with my very own theme.

    I love symmetry in web design, as well as the use of pastel colours as a complement to black and grey headings. Shoot me now.

    My blog discusses things of personal interest, as well as some (potentially very dull) work-related ramblings.

    Enjoy.

  • Posts tagged with Athens

    OpenAthens MD to LA – managing the change

    Posted on April 8, 2010 by Matt

    Technically the implementation of OpenAthens LA is the easy part as long as your student/staff directory is organised, meeting the rules of the federation.

    However the hardest part is purely cultural; helping students to understand why you are moving to single sign-on, what it means for them, as well as confusion over what Athens is/was!

    Below is a list of questions sent by Chris Spencer, Library Procurement & Systems Development Manager at Bournemouth University. I thought of blogging my replies in order to share our experiences at Bath Spa with other Librarians.

    1)      I presume you needed to register an additional entity id with the Federation to allow testing of LA without compromising existing user experience with Athens MD? How is this done?

    Whilst we were testing we registered our IDP as ‘Bath Spa University TEST’ with the UK Federation. We thought that by adding ‘TEST’ in capitals students would realise they were taking risks by attempting to authenticate with this through the WAYF.

    You can opt to be invisible in the Federation WAYF in order to avoid confusion, but this would involve a lot of hard work during testing as URLs would have to bypass the WAYF but still prompt authentication to your services.

    Now that we are live we have two entries with the Federation: ‘Bath Spa University’ and ‘Bath Spa University ATHENS’.

    2)      Has parallel running caused any confusion for the users who have stumbled across the LA authentication route?

    Yes. Students still try to log into LA authenticated resources using their Athens credentials.

    However the LA log-in page was customised from the outset so that project information and contact details were available in case users failed to log-in. Since September I have probably answered around two to three email enquiries a day from students/staff who are confused.

    3)      Has the move to LA necessitated much editing to your web pages and documentation?

    Our users were regularly updated on the project via our webpages and blog.

    Whilst we were testing I set-up a brand new section within the electronic services side of our website, constantly adding services to the list whilst we were testing. Wherever we could we would invite users to test our new method through these pages, inviting comments to me via email.

    However Athens and IP authentication was still our default and supported method of authentication during testing, and was therefore still very much at the forefront of our website. We only wanted users to test LA access whilst browsing the site or by clicking a link in an email.

    Users were invited to test our system whilst browsing our site

    4)      Have you opted to use a single authentication protocol (i.e. shibboleth module) or are you going mixed economy (ip, athens, shibb)? Have you gone for WAYF or WAYFless links?

    Our supported method is now LA and IP authentication. As a result we tend to provide two links separately from our website, for on and off campus users.

    Where I can I have generated WAYFLESS URLs. I have done this using the following methods:

    • Asking the service providers for WAYFLESS URLs
    • Visiting the Federation site to see if they have instructions for particular service providers
    • Visiting the websites of Shibboleth run institutions, before copying and altering their links to fit
    • Using a Firefox add-on called ‘HTTP Headers’, allowing me to trace WAYFLESS URLs during the authentication process. URLs generated using this method however have to be constantly monitored as they are not stable or supported by the service providers.
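
    Part of the monitoring that the last method calls for can be scripted. The following is an added example, not code from the original post: it checks each stored library link for the IdP parameter and the post-login target. The `entityID`, `providerId` and `target` parameter names follow the Shibboleth SP login convention; the entityID, hostnames and sample links are constructed placeholders, and the 'athens' check is a heuristic assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed placeholder: replace with the entityID your IdP registered
# with the federation.
IDP_ENTITY_ID = "https://idp.example.ac.uk/entity"

# Constructed sample links (hypothetical hosts), as they might sit on a
# library web page or in a VLE course.
SAMPLE_LINKS = [
    "https://sp.example.com/Shibboleth.sso/Login"
    "?entityID=https%3A%2F%2Fidp.example.ac.uk%2Fentity"
    "&target=https%3A%2F%2Fsp.example.com%2Fjournals",
    "https://sp.example.com/Shibboleth.sso/Login"
    "?entityID=https%3A%2F%2Fidp.other.example.ac.uk%2Fentity"
    "&target=https%3A%2F%2Fsp.example.com%2Fjournals",
    "http://db.example.net/login?auth=athens&custid=demo",
]


def check_wayfless(url, idp_entity_id=IDP_ENTITY_ID):
    """Return a list of findings for one link; an empty list means it passed."""
    findings = []
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)

    if parts.scheme != "https":
        findings.append("not-https")

    # Shibboleth 2 SPs take the IdP as 'entityID'; 1.3-era links use 'providerId'.
    idp_values = query.get("entityID") or query.get("providerId")
    if not idp_values:
        findings.append("no-idp-parameter")   # the user will land on a WAYF
    elif idp_values[0] != idp_entity_id:
        findings.append("wrong-idp")          # e.g. copied from another institution
    elif "entityID" not in query:
        findings.append("legacy-providerId")

    # 'target' is where the SP sends the user after log-in; an absolute
    # target should stay on the SP's own host.
    targets = query.get("target")
    if not targets:
        findings.append("no-target")
    else:
        target_host = urlsplit(targets[0]).hostname
        if target_host and target_host != parts.hostname:
            findings.append("target-off-host")

    # Heuristic (assumption): Athens-era links carry 'athens' in a parameter value.
    if any("athens" in v.lower() for vals in query.values() for v in vals):
        findings.append("athens-residue")
    return findings


def audit(links, idp_entity_id=IDP_ENTITY_ID):
    """Map each failing link to its findings; passing links are omitted."""
    results = {link: check_wayfless(link, idp_entity_id) for link in links}
    return {link: found for link, found in results.items() if found}


if __name__ == "__main__":
    for link, found in audit(SAMPLE_LINKS).items():
        print(", ".join(found), "->", link)
```
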

    5)      How much promotion have you done? Any communication channels particularly effective?

    We communicated the project to our users wherever we could:

    • Four testing requests were sent out to all staff/students during our BETA testing phase
    • Two all staff/student emails sent to warn users of our MD/LA transition
    • Two further emails once the transition happened
    • One message sent out to all Athens users, via the admin console
    • A large poster, with fire and explosions to advertise the removal of Athens MD use from April 5th 2010
    • The same poster, published on our foyer ppt display
    • All Refworks users were contacted, video tutorials produced for instruction
    • A ‘MyAthens’ panel was set-up to communicate the same general information with those who don’t check their email!
    • Our Library blog

    As a result it is hard to work out which methods were most effective, there were so many!

    However I did receive a large volume of response once the all staff/student emails were sent out, and the Google Analytics stats that I installed in the log-in page reflected busy periods of activity once the emails were sent.

    6)      Any strategies for ensuring that those off-campus users who by-pass library pages and go direct to resources make the right authentication choice for logging in?

    The discovery issue was the most difficult part of the project.

    The all staff/student emails were important to attract these users to our site. By setting up a panel in MyAthens I also hope to capture some of these users.

    Now that we have made our transition, I found it also important to notify members of academic staff that their VLE links may need updating. Links from the VLE to EbscoHOST or DawsonERA for example contained specific codes, prompting Athens access.

    7)      Any lessons learnt so far?

    When contacting service providers from the beginning be careful when mentioning OpenAthens LA 2.0! I found this caused confusion, particularly as many only recognise Athens or Shibboleth authentication.

    Therefore I found it more useful to say the following:

    We wish to test our Shibboleth installation with you. Our details are: {insert here}

    We are in the UK Federation metadata as {your chosen WAYF name}

    Some providers may want to know what affiliated values you are passing, but otherwise setting up testing is that simple.

    8)      How easy is it to add new resources through the LA admin tool?

    The great thing about LA is that as long as you are passing the right attributes, you only have to pass on your details to service providers in order to ‘add new resources’.

    I did have to create a new attribute for OCLC’s Geobase, as they required a particular entitlement string that was relevant to their service only.

    The only slightly tricky part is setting up permission sets in the admin tool, as you need to make sure that you are not frivolously sending out attributes to Service Providers who do not require them. However as long as you send out the affiliated attribute by default LA will work with many SPs from the word go.

    9)      Is the usage stats tool operating?

    No. Expected this summer I believe. Can’t wait.

    10)   Your general thoughts on the whole process

    In terms of setting up and testing LA the whole process is easy. It just runs.

    The major difficulty was often centred around discovery. We quickly realised that students generally do not access our resources by visiting the Library website. Instead, students would often use OpenURL linking via Google Scholar, click on links from courses in the VLE or visit service providers directly. As a result we heavily promoted our website as the place to visit to discover our resources and this has worked to a certain extent.

    However it won’t be until the launch of the University portal before we can have the confidence that we are reaching our users. This will provide a central location where students can make tuition and housing payments, access email, Blackboard, as well as accessing our electronic resources. This will involve linking LA with our own implementation of OpenAthens SP so that students only have to log-in once in order to access all of their campus services.

    The other difficulty was that only senior department members can send out all staff/student emails. That meant that despite my contact details being published in the email in case of queries, users would always tend to reply to the sender. This meant that our Head Librarian would receive copious amounts of emails from confused users, who would ask questions on any Library related topic. This meant that even the task of forwarding them on took some time to complete.

    If I was to do a similar project then I would organise emails to be sent via a ‘no reply’ type alias. If this is not possible then a rule should be set-up in Outlook to forward all emails with a particular subject heading to the correct person.


    OpenAthens LA 2.0

    Posted on March 12, 2010 by Matt

    Last year we began “Project Shibboleth”, which was set-up to discuss a possible transition away from OpenAthens MD (classic Athens) authentication to our electronic resources. This project quickly became known as ‘Single sign-on’ once we were aware of all our options, as well as feedback we had received from Shibboleth run institutions.

    We have been running Eduserv’s LA 2.0 as our IDP for over six months now, taking us from the BETA product right through to the full release. The project did begin very slowly, mainly down to the fact that we were all so new to the world of identity management, having used OpenAthens MD/IP authentication since the beginning of time.

    I am impressed at how easy LA 2.0 has been to set-up and maintain. Our computing services department install all of the regular updates now, whilst I log-in to the admin console when needed to configure attributes and settings. Our Active Directory did have to be cleaned up however, making sure that leavers are removed quickly and that LA can differentiate between staff/students/affiliates.

    Once these issues were ironed out, OCLC’s GEOBASE was the only database which required LA to send out a specific affiliated attribute, taking just minutes to set-up. Otherwise the default release of attributes was set-up at the very beginning and has not been touched since. The system just works.

    For a full (colour coded) list of electronic resources that work with LA 2.0, visit here.

    The main difficulties I did experience were with service providers, who were not aware of LA. I instead began to refer to our IDP as Shibboleth, to cut down the amount of confusion when providers referred to the fact that we already had Athens authentication set-up.

    After registering our ‘Live’ install of LA with the Federation, the real hard work begins. We have chosen April 5th as the official changeover date when the Library removes all mention of Athens, instead forcing (where we can) students and staff to log-in via our new single sign-on service. This has involved regular all staff/student emails, blog updates, as well as a published panel on the ‘MyAthens’ page warning of the changeover. There will also be some work during the summer to provide better ways in which students discover our resources.

    It is seen that the change will have limited implications for our users, however Refworks users will have to migrate their data between accounts. In order to cope with this I have emailed all Refworks users, sending them directly to a video tutorial on our Library blog.

    The success of our project has resulted in Eduserv basing a case study on us, and I have been invited to discuss our experiences at a series of Athens workshops throughout March.


    Access Management Federation Event

    Posted on March 12, 2009 by Matt

    Posted on the Bath Spa Shibboleth project WIKI:

    Yesterday I attended an Access Management Federation event in Bristol. The Federation promotes the use of the Shibboleth framework after the JISC withdrew its funding for Athens in July 2008.

    One of the most useful documents provided on the day was the UK Federation Quick Reference Guide, which presents an overview of useful documents available to Librarians and IT staff, from making a business case to installing and setting up your institution as an identity provider. Below is a URL to all of these resources:

    http://www.ukfederation.org.uk/content/Documents

    A lot of this information is highly useful; there are case studies of institutions that have implemented Shibboleth as well as technical documents detailing the installation method of Shibboleth.

    Another superb resource is Janet’s EdLab, a portal containing a variety of media on a range of topics to support their events, as well as a discussion forum for users. The Federation now has its own dedicated space on the site, with a wide range of discussion and document download opportunities surrounding Shibboleth implementation.

    One important point that came out of the event was how Shibboleth can benefit institutions as a whole. It has been easy thus far for me to consider single sign-on only as a direct benefit to Library services. However at Bath Spa there are many different systems that may benefit from the security that Shib provides. For example the University has been looking at a repository for some time. Once implemented, Shibboleth could be used to provide access for other institutions that may need to get involved. I understand also that our VLE is hosted elsewhere; Shib could control the amount of information on students that is transferred off campus for authentication.

    By joining the Federation and opting with Shibboleth we are agreeing with the rules of membership. As a result we are required to consider how well we deal with personal data at the University:

    all and any Data, when provided to the Federation Operator or
    another Member (as the case may be), are accurate and up-to-date
    and any changes to Metadata are promptly provided to the
    Federation Operator;

    We should have the system in place to make sure that the information we hold is accurate and up to date; does the SITS system at the University update active directory? Many IT professionals at the event talked about the ease in which a simple script can update active directory via an export from an enrolment system.

    A major theme was to consider how students/staff will be authenticated to use external resources. From the Library’s point of view we would need a service provider to be able to decipher between user groups, as some resources are only available to staff at the University. If the University continues to expand we may also need to ascertain the school that a student belongs to. Service providers would also like to ascertain whether a student is viable to access a resource, i.e. enrolment may have taken place but the student is yet to pay tuition!

    There may also need to be some change in our own authentication culture. The set-up of a single sign-on means that students and staff use only one username/password to access a very wide range of systems. As a result we may have to review how often passwords are changed at the University, as authentication relies so heavily on this one log-in.

    From a technical point of view there were some interesting discussions, some of which I didn’t understand! However there exists a simple Windows (wizard-like) installer to set-up Shibboleth in a Windows environment, through which installation was presented as easy. This installs Shib 1.3 and therefore may only be useful for testing, as the federation has now moved on to support Shib 2.0. Apparently an installer for Shib 2 is being developed in the open source community. It was unclear whether Shib can run on Windows server 2008, so we may need to discuss whether this will become an issue.

    Overall the Federation provided a clear message: if you choose to install Shibboleth they will hold our hand and support us through every step of implementation. If we opt for a third party solution (i.e. OpenAthens LA 2.0), we are on our own!

    The next step for me is to work out how many of our Electronic subscriptions are ‘Shibbolised’, as this will give us a very clear indication of how essential this project is overall.


    OpenAthens LA 2.0

    Posted on March 6, 2009 by Matt

    I travelled to Birmingham on Wednesday for an event introducing Eduserv’s new single-sign on product, OpenAthens LA 2.0.

    The slides for the event:

    The product was presented as a sequel to AthensDA (Devolved Authentication), launched in 2002, well used by Universities/ FE Colleges in the UK.

    Some important points that were brought up at the conference:

    1. Currently only 40% of electronic resource providers in the UK support Shibboleth, causing a great deal of complication for Shibboleth as a single-sign on solution.
    2. Statistics are almost non-existent in Shibboleth. Librarians/ IT staff currently have to make sense of the endless log data in order to work out how often their resources are accessed.
    3. AthensDA is still used by Universities alongside Shibboleth in order to connect to resources that are Athens authenticated only. As a result IT departments are required to implement an interoperability between the two technologies.

    Realistically the disadvantages of Shibboleth should be short term. As the product is now widely used as well as open source, there will likely be developments to enable librarians to manipulate data easily. In the long term it is highly likely that the amount of service providers will increase rapidly due to support and pressure from the JISC.

    OpenAthens LA 2.0 really interested me as a product. The message throughout was fairly consistent: if you have an LDAP server / Windows environment, the product will run without issue. It requires two parts of the system to be hosted internally, including the main set-up of the system as well as the admin side hosted on a web server so that changes can be made remotely. The admin system did seem fairly complicated to use and therefore may require IT to become much more involved in the early stages of use. Eduserv however were confident that this system will be much simpler when available for release.

    The statistics side is a real treat though, as it allows Librarians to use the comprehensive process they are already used to with classic Athens. The system also caters for Libraries who need to set-up quick accounts so that walk-in users can access electronic resources. With Shibboleth this would involve setting up a temporary entry in the Active Directory, clearly not a solution for many institutions!

    Overall I think we should consider this as a viable alternative. Over the coming years many of our electronic providers may choose to provide Shibboleth only authentication, in which case moving over to this framework would be much more important. But if many institutions begin to choose this product over Shibboleth in the short term, why would service providers seek to spend money on Shibboleth?

    I would welcome any comments on this as I am an authentication noob, starting out a career in digital resource Librarianship.
