Hi Jeff,
You're right to point out that this feature has a limited scope. I've only been
looking at the public library case, where Evergreen is the identity provider.
That's the current feature that we at OpenAthens have been asked to contribute
to Evergreen for the benefit of Georgia Public Libraries and any other public
library consortia that are also OpenAthens customers.
For the type of post-secondary case you describe, OpenAthens can already be
configured to authenticate against other identify providers, such as Active
Directory. What's missing is being able to configure Evergreen to authenticate
against either Active Directory locally, or against OpenAthens, which in turn
authenticates against whichever identity provider is configured for a
particular library. I think adding new ways of authenticating into Evergreen
should be treated as separate features. They are quite different from this
feature, which is about using Evergreen to authenticate into another system.
That's not to say the OpenAthens team would never contribute a separate feature
for authenticating into Evergreen using OpenAthens, or provide help to someone
else who wants to take it on - just to make clear that it's not in scope for
the current round of work that's been triggered by the GALILEO single sign-on
project.
Going back to the feature for using Evergreen to authenticate into OpenAthens,
and to answer your second question, a single OpenAthens domain per Evergreen
instance is certainly simpler to implement, and is the solution preferred by
OpenAthens. If the consortium needs partitioning between libraries within
OpenAthens, we propose that the top-level administrator for the consortium
would create sub-organisations within the OpenAthens domain, one for each
library, and set up mapping rules to map users into different sub-organisations
depending on their home library setting. Each sub-organisation would have an
associated administrator account that the branch librarian could use to view
their local users and resource usage stats. The ability to set up these
sub-organisations and mapping rules already exists in OpenAthens. Whereas if we
were to implement multiple OpenAthens domains per Evergreen instance, we would
have to develop a similar mapping feature within the Evergreen code. It's not
impossible but is duplicating a feature we already have in OpenAthens. But if
anyone thinks that the proposed way of doing things would be a show-stopper for
the PINES consortium implementation, then we'll have to re-think!
Regards,
Julian
─────
Julian Clementson
Full stack software engineer
On 03/09/2019, 18:48, "Open-ils-dev on behalf of Jeff Davis"
<open-ils-dev-boun...@list.georgialibraries.org on behalf of
jeff.da...@bc.libraries.coop> wrote:
Hi there,
It's exciting to hear that OpenAthens integration is in the works! We
have several libraries that will be very interested. Thanks also for
the detailed proposal and documentation.
I have a couple of questions. The proposal seems to assume that
Evergreen will be the authoritative identity provider, but I think that
often won't be the case for OpenAthens customers. Suppose I'm at a
post-secondary institution that uses a centralized Active Directory
service for single sign-on. I want students to use their SSO
credentials to be able to login to library resources including online
databases and the Evergreen OPAC, so ideally OpenAthens would
authenticate against my institution's Active Directory, not against
Evergreen. The development proposal says that resource-initiated login
must be delegated to Evergreen, which sounds like users would be
authenticated against EG instead of Active Directory. Am I
understanding correctly?
The proposal also says that only a single OpenAthens domain is allowed
for an entire Evergreen consortium. Are there technical limitations
that make this necessary? There will be cases where multiple libraries
sharing the same Evergreen instance will want to have their own
independent OpenAthens setup, but it sounds like the proposal precludes
that.
Thanks again! I'm looking forward to seeing where this goes.
Jeff Davis
BC Libraries Cooperative
On 2019-09-02 3:06 a.m., Julian Clementson wrote:
> Hello everyone,
>
> I'd like to introduce a new feature proposal and ask for your feedback.
>
> Launchpad link - https://bugs.launchpad.net/evergreen/+bug/1842297
>
> The feature will provide integration between Evergreen and OpenAthens, a
> global cloud-based single sign-on service.
>
> The background is that the GALILEO Consortium of libraries in Georgia
> has selected OpenAthens to deliver a state-wide solution for single
> sign-on, and this contract includes integrating Evergreen into
> OpenAthens, so that PINES patrons can seamlessly access
> OpenAthens-authenticated resources.
>
> The OpenAthens development team has been contracted to implement the
> integration on behalf of GPLS, and I've been assigned as the lead
> developer for the project. I demonstrated a proof of concept to selected
> representatives of the Evergreen community and the PINES consortium back
> in July. The aim is to get this feature accepted into an upcoming
> release so that it is ready for PINES to start using towards the end of
> the year.
>
> I have now documented the feature in detail on DocuWiki - see
>
https://wiki.evergreen-ils.org/doku.php?id=dev%3Aproposal%3Aopenathens_integration
>
> I have also published the proposed code changes and documentation,
> subject to community review of course - see
>
https://github.com/openathens/Evergreen/commit/ed85f8f82795e4439315e897438d75e99e0e7cde
>
> I welcome feedback and discussion, so as to improve the feature
> description and get the code into a state where the community is happy
> to accept it.
>
> Thank you and kind regards,
>
> Julian
>
> ─────
>
> *Julian Clementson*
>
> Full stack software engineer
>
> *T*
>
>
>
> +44 (0)20 3998 9178
>
> *W*
>
>
>
> openathens.org <https://openathens.org/>
>
> Open Athens
>
> ────────────
>
> OpenAthens is a Jisc enterprise. Jisc is a registered charity (number
> 1149740) and a company limited by guarantee which is registered in
> England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc's
> registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T
> 0203 697 5800.
>
