
Universal Access to Library Resources: Single page guide

How the library provides access to subscription content that is hosted remotely.


The library selects and provides access to many scholarly resources. We are now able (with support from ITS) to provide access to all of our resources, on any device, from anywhere in the world. This is what is meant by "universal access."

Our content providers (vendors) want to restrict access to members of organizations that have paid their bills...but keeping track of thousands of people in those thousands of organizations is beyond reason. It falls back upon us, the customer, to negotiate a means of authentication which involves proving that you are a member of an organization that is entitled to access.

Authentication

"We are who we pretend to be, so we must be careful who we pretend to be"
-Kurt Vonnegut, Mother Night

IP recognition

IP recognition has long been the preferred method of authentication: vendors recognize the IP address in our HTTP request headers and accept it as proof of membership. This is imperfect, as it doesn't prove an individual's membership in an organization. At best it identifies a host computer as belonging to an organizational range of IP addresses. Aside from possible hacking exploits, this method also provides access to anyone who happens to be on campus for any reason, including those who visit our campus expressly for that purpose.

It is not ideal for us, either. We may add to or change our range of IP addresses. In this case every vendor that uses IP recognition must be informed of the change. There is an IP registry to help with this, but not every vendor utilizes it.

Virtual Private Network (VPN)

A VPN assigns an organizational IP address to a member located off-campus. The member authenticates with the VPN once to gain the benefit of IP recognition. All traffic is routed through the organization’s network.

A VPN requires special software to connect on the network level, i.e., so that all traffic is routed through the VPN. Installing the software has proven to be a barrier for some users.

Union College's VPN

Proxy Servers

A proxy server is similar to a VPN: authentication is required, and traffic is routed through the host. No additional software is required. But, unlike the VPN, each remote resource must be configured. It is necessary to prepend the resource URL with the proxy URL, i.e.,

https://libproxy.union.edu/login?url=https://resource.example.com

to force proxy authentication. Since our users are unaware of this we try to direct them to a gateway such as Schaffer Library's AZ list.


The remote hostnames are rewritten by the proxy so that all further traffic is resolved and routed through it, i.e.,

https://database-proquest-com.libproxy.union.edu

If a proxied URL is shared with another member who has not yet authenticated, it may not work properly. A knowledgeable user can "scrub" the URL by removing ".libproxy.union.edu" from the end and replacing the remaining dashes ("-") with dots (".").
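The two URL manipulations described above (prepending the proxy login prefix, and "scrubbing" a hostname-rewritten proxy URL back to the original) as an added Python example; it is not code from the guide or from the proxy software. It assumes the libproxy.union.edu host shown in the guide and, beyond what the guide states, the EZproxy-style convention that a hyphen belonging to the original hostname is doubled ("--") by the proxy; the sample URLs are constructed.

```python
from urllib.parse import quote, urlsplit, urlunsplit

# Proxy host as shown in the guide; the login prefix is the guide's "login?url=" pattern.
PROXY_HOST = "libproxy.union.edu"
PROXY_LOGIN = f"https://{PROXY_HOST}/login?url="


def proxify(resource_url: str) -> str:
    """Prepend the proxy login prefix so the remote resource forces proxy authentication.

    The resource URL is percent-encoded, so any '&' or '#' it carries cannot be
    mistaken for part of the proxy's own query string.
    """
    return PROXY_LOGIN + quote(resource_url, safe="")


def scrub(proxied_url: str) -> str:
    """Recover the original URL from a hostname-rewritten proxy URL.

    Rule from the guide: drop the '.libproxy.union.edu' suffix and turn the remaining
    dashes back into dots.  Assumption (EZproxy convention, not stated in the guide):
    a hyphen that was part of the original hostname arrives doubled ('--'), so a
    double hyphen is restored to a single hyphen instead of a dot.
    """
    parts = urlsplit(proxied_url)
    host = parts.hostname or ""
    suffix = "." + PROXY_HOST
    if not host.endswith(suffix):
        return proxied_url  # not a proxied URL; hand it back unchanged
    inner = host[: -len(suffix)]
    original_host = inner.replace("--", "\0").replace("-", ".").replace("\0", "-")
    return urlunsplit((parts.scheme, original_host, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample URLs, not links from the guide.
    print(proxify("https://resource.example.com/search?q=a&b=2"))
    print(scrub("https://database-proquest-com.libproxy.union.edu/docview/1?x=1"))
```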

VPNs and proxy servers are extensions of IP authentication. They enable access to library resources from off-campus by routing IP traffic through the Union network.

Shibboleth and Single Sign On (SSO)

Shibboleth is a name given to various means of recognizing a member or "insider." In the digital world it involves delivering a token to the authenticated member that will be accepted as valid proof of identity by any other Shibboleth-aware resource. It has been around for many years but recently has become more widely adopted due to HTML5 and the ubiquity of the HTTP protocol. The browser cookie API is used to hold the Shibboleth token.

Shibboleth is not only more secure but provides a proof of identity that IP-based authentication cannot. For example, the Wall Street Journal requires our members to authenticate via Shibboleth just once a year in order to prove continued affiliation with Union College.

Shibboleth provides a higher level of security through encrypted exchanges with a remote application and a third-party identity provider (IdP). These exchanges are XML-based "assertions" using the Security Assertion Markup Language (SAML). The remote resource requires us to assert "Where Are You From" (WAYF), manually, through a "Login via Your Institution" link. We select "US Higher Education (InCommon Federation)", then "Union College." The remote application can then get a copy of our metadata from InCommon. The metadata includes our IdP in the form of a URL endpoint. The endpoint is returned to our browser, which is redirected to it to authenticate. If our username and password are valid, the IdP returns a token to the browser which will provide access to any Shibboleth-enabled resource for the remainder of the session.

It may seem odd that we need a remote resource to tell us where our IdP is located. But trusted third parties such as InCommon provide a higher level of security through their dedication to specific tasks. The remote resource trusts InCommon more than us to provide our IdP, and we trust our IdP more than the remote resource to manage our credentials. The extra back and forth enables us to use our familiar Union credentials, and we only sign on once.

SAML

Wayfless URLs

We have finally arrived at WAYFless URLs, the sliced bread of authentication. Identifying Where Are You From through a "Login via Your Institution" link can be tedious: first you must find the link, then negotiate a long list. WAYFless URLs encode all the information needed for Shibboleth authentication without any effort or knowledge on the part of the user. The three elements needed are the remote application's endpoint, your IdP endpoint and your destination. Joined together, it may look like this:

https://sso.example.com/Shibboleth.sso?
  + entityID=https://sso.union.edu/idp/shibboleth
  + &destination=https://resource.example.com

which gives:

https://sso.example.com/Shibboleth.sso?entityID=https://sso.union.edu/idp/shibboleth&destination=https://resource.example.com

Table 1. Real world examples of WAYFless URLs
Alexander Street Press
The same URL can be used for every Alexander Street resource if you substitute the database code. In this URL the code is afso for American Film Scripts Online. Other codes can be found here.

https://shibboleth-sp.prod.proquest.com/Shibboleth.sso/DS?SAMLDS=1&target=https://search.alexanderstreet.com/afso&entityID=https://sso.union.edu/idp/shibboleth

Archives Unbound
The same URL can be used for every Archives Unbound resource if you substitute the database code. In this URL the code is 3FIW for Alexander III and the Policy of Russification, 1883-1886. Other codes can be found here.

https://link.gale.com/apps/collection/3FIW/GDSC?u=nysl_ca_unionc&sid=GDSC

ARTstor

https://shibbolethsp.jstor.org/start?entityID=https://sso.union.edu/idp/shibboleth&site=artstor&dest=%2F

Chadwyck
The same URL can be used for most Chadwyck resources if you substitute the database code. In this URL the code is C19INDEX for the 19th Century Index. I have yet to find the other codes listed, but I have tested AABD and it works. It needs to be substituted in two places.

http://shibboleth2.chadwyck.co.uk/shibbolethlogin?product=C19INDEX&location=US&returnpage=http://c19index.chadwyck.com&forward=/home.do&entityId=https://sso.union.edu/idp/shibboleth

EBSCOhost
The same URL can be used for most EBSCOhost resources if you substitute the database code. In this URL the code is aph for Academic Search Premier. Other codes can be found here.

https://search.ebscohost.com/login.aspx?profile=ehost&defaultdb=aph&authtype=shib&custid=s5179723

Elsevier Science Direct

https://auth.elsevier.com/ShibAuth/institutionLogin?entityID=https://sso.union.edu/idp/shibboleth&appReturnURL=https://www.sciencedirect.com

Gale
The same URL can be used for most Gale resources if you substitute the database code. In this URL the code is ITOF for Gale General OneFile. Other codes can be found here.

https://infotrac.gale.com/itweb/nysl_ca_unionc?db=ITOF

JSTOR

https://shibbolethsp.jstor.org/start?entityID=https://sso.union.edu/idp/shibboleth&site=jstor&dest=%2F

Proquest
The same URL can be used for most ProQuest resources if you substitute the database code. In this URL the code is abicomplete for ABI Complete. Like Chadwyck, I have yet to find the list of codes, but if you go to their sites and use the resource it will be in the URL.

https://search.proquest.com/abicomplete/shibboleth?accountid=14637
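Building WAYFless URLs from the three elements (SP endpoint, IdP entityID, destination) and checking a link before it is published, as an added Python example that is not code from the guide or from any vendor. The endpoints and parameter names are taken from the table above (Alexander Street/ProQuest, JSTOR, Elsevier); the templates, the check function and the percent-encoding of nested URLs are this example's own choices. Links that identify the institution some other way (the EBSCOhost custid and Gale u= forms) carry no entityID and are out of scope for the check.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Union College's IdP entityID as shown in the guide.
UNION_IDP = "https://sso.union.edu/idp/shibboleth"

# Constructed templates derived from the guide's table: SP endpoint plus a function
# that turns the database code into that vendor's query parameters.
TEMPLATES = {
    "alexander_street": (
        "https://shibboleth-sp.prod.proquest.com/Shibboleth.sso/DS",
        lambda code: {"SAMLDS": "1",
                      "target": f"https://search.alexanderstreet.com/{code}",
                      "entityID": UNION_IDP}),
    "jstor": (
        "https://shibbolethsp.jstor.org/start",
        lambda site: {"entityID": UNION_IDP, "site": site, "dest": "/"}),
    "elsevier": (
        "https://auth.elsevier.com/ShibAuth/institutionLogin",
        lambda _: {"entityID": UNION_IDP,
                   "appReturnURL": "https://www.sciencedirect.com"}),
}


def wayfless_url(vendor: str, code: str = "") -> str:
    """SP endpoint + IdP entityID + destination.  urlencode percent-encodes every value,
    so a nested destination URL that itself contains '&' or '?' cannot split the query
    (the guide's examples are unencoded, which only works while the nested URL is plain)."""
    endpoint, params = TEMPLATES[vendor]
    return endpoint + "?" + urlencode(params(code))


def check_wayfless(url: str, idp: str = UNION_IDP) -> bool:
    """Pre-publication check: the entityID must be present and must be OUR IdP
    (a typo here sends users to another institution's login), and the destination
    must be a path or an absolute http(s) URL.  A link failing this just lands the
    user on the vendor's WAYF page instead of logging them in."""
    qs = parse_qs(urlsplit(url).query)
    entity = qs.get("entityID") or qs.get("entityId")  # Chadwyck spells it 'entityId'
    if not entity or entity[0] != idp:
        return False
    dest = (qs.get("target") or qs.get("dest") or qs.get("appReturnURL")
            or qs.get("destination"))
    if not dest:
        return False
    return dest[0].startswith("/") or urlsplit(dest[0]).scheme in ("http", "https")
```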