MetaLib Authentication and Authorization - PowerPoint PPT Presentation

Slides: 44
Provided by: EliD
1
MetaLib Authentication and Authorization
  • Debbie Shalit
  • Yale
  • September 22nd and 23rd, 2004

2
MetaLib Authentication & Authorization
  • The goal
  • Provide access to licensed and restricted
    resources only to authenticated authorized
    users belonging to the appropriate institution
    and user group

3
MetaLib Authentication & Authorization
Authentication: user establishes a right to an identity. Are you who you say you are?
4
MetaLib Authentication
  • Authentication in MetaLib is via the Patron
    Directory Services (PDS) module
  • PDS is an independent module which is integrated
    into Ex Libris products
  • Packaged with MetaLib Version 3
  • Packaged with DigiTool
  • The goal: enable one central administration
    module across Ex Libris products for user
    authentication & delivery of patron attributes



5
What is PDS? A back-end Web application that provides:
  • Patron authentication and login
  • Delivery of patron information
  • SSO: Single Sign-On/Sign-Off capabilities for Ex
    Libris products
  • SSO: selective or auto sign-off from shared
    applications

6
What can PDS do?
  • Work with the institution's local
    authentication server & patron database; these can be
    separate applications on separate servers
  • Work in a consortium of several institutions
    each with its own authentication and patron
    database
  • Present the login page or redirect the login
    request to a remote login page

7
PDS is installed within MetaLib application
/exlibris/metalib/m3_1
  • pds (a new directory for the Patron Directory Service)
  • ins01
  • ins00
  • vir01
  • vir00
  • metalib_conf
  • jnl01
  • dat01
8
conf_table directory
m3_1/pds
  • install_component
  • service_proc
  • conf_table
  • html_form
Files:
  • tab_service: defines services required from PDS
  • sso_conf: defines login/logout flags
  • heading_error.eng: defines error messages
9
html_form directory
m3_1/pds/html_form
  • metalib
  • global
  • icon
HTML files & icons
10
Accessing PDS
Via MetaLib
Via PDS: http://hostname:port/pds
11
Accessing PDS via MetaLib: the flow

12
What's happening behind the scenes?
User initiates login
User accesses MetaLib as guest user
Login request sent to PDS with backlink to retain context
PDS
13
PDS login or Remote Login?
14
PDS Login: the flow
  • MetaLib sends load login request to PDS with
    calling system parameter
  • User credentials entered
  • PDS checks tab_service for AUTHENTICATE
    program and sends authentication request to
    remote target
  • Remote authentication server sends Y or N
    flag
15
PDS Login: the flow
  • PDS creates PDS session, installs cookie in
    user's browser & sends back to MetaLib callback
    URL
  • MetaLib sends get bor_id request (give me
    ID of user) and requests validation of PDS handle
  • PDS validates handle and provides bor_id,
    fetches bor_info as defined in tab_service
  • MetaLib requests bor_info
16
Remote Login: the flow
Y or N flag
PDS redirects login request
Local System
Remote System
Redirection to MetaLib with callback URL
PDS accepts parameters, creates PDS session and sets cookie in user's browser
17
Enable Single Sign On?
Where? ./pds/conf_table/sso_conf

TYPE1: Enable Single Sign On for defined applications
Example:
LOGON TYPE1 metalib,digitool END
In this example MetaLib & DigiTool will share SSO

18
Disable Single Sign On
Where? ./pds/conf_table/sso_conf

TYPE0: Login to Single Application only (MetaLib)
LOGON TYPE0 metalib END
Note: When using LOGON TYPE 0, user will be logged off from MetaLib only
19
Logout Configuration
Where? ./pds/conf_table/sso_conf
Type 1: Enable automatic Sign Off
Type 2: Enable selective Sign Off with confirmation screen
20
tab_service table
Where? ./pds/conf_table/tab_service
21
PDS tab_service remote login
Where? ./pds/conf_table/tab_service
In place of AUTHENTICATE service:

INSTITUTE-CODE METALIB
SERVICES
LOAD_LOGIN
PROGRAM-NAME remote_load_login.pl load-login-hvd-pin
END
INSTITUTE-CODE METALIB
SERVICES
REMOTE_LOGIN
PROGRAM-NAME remote_login_hvd_pin.pl
END
22
Configuring Remote & Local
Remote and Local authentication
! METALIB
!
INSTITUTE-CODE CITYUNIV
SERVICES
AUTHENTICATE
PROGRAM-NAME remote_cgi_hook.pl GET,www.metalib.com:8997,aleph-cgi/remote_cgi_hook
PROGRAM-NAME metalib_x_server.pl metalib,8331,BOR-AUTH
END
!
Remote: remote_cgi_hook.pl
Local: metalib_x_server.pl
23
Example

Authentication and BOR_INFO via MetaLib
Application
24
PDS Cookie
  • The PDS cookie is deleted:
  • when the user logs off
  • when the specified timeout has elapsed
  • when user closes browser
  • The default is 30 minutes (currently not used)

25
PDS Log
PDS logs can be found in the MetaLib log directory under ./m3_N/log
-rw-rw-r-- 1 metalib exlibris 2877394 May 15 14:05 pds_server.log

2004-05-09 15:09:18
2004-05-09 15:09:18 PDS_main func sso
2004-05-09 15:09:18
2004-05-09 15:09:18 THE COOKIE NAME PDS_HANDLE_metalib and the value
2004-05-09 15:09:18 PDSSso PARAM calling system metalib
2004-05-09 15:09:18 PDSSso PARAM handle
2004-05-09 15:09:18 PDSSso PARAM URL http://10.1.235.43:8336/V/F4JADLQ3AEXDY95QCDDKGLP99YSDCLKHPYBD26N4NUERTE44KX-00004?
2004-05-09 15:09:18 PDSSso DEF handle GUEST
2004-05-09 15:09:18 PDSSso DEF institute
2004-05-09 15:09:18 PDSSso RESP filename /exlibris/metalib/m3_6/pds/html_form/global/sso-metalib
2004-05-09 15:09:18 PDSSso RESP handle GUEST
2004-05-09 15:09:18 PDSSso RESP url http://10.1.235.43:8336/V/F4JADLQ3AEXDY95QCDDKGLP99YSDCLKHPYBD26N4NUERTE44KX-00004?
26
HTML Files
Via MetaLib
Browser display
HTML file: ./pds/html_form/global
Login
institute-list-metalib
Authorized User
Logoff-confirm
main-menu-logoff-metalib
27
HTML Files
Via PDS
Browser display
HTML file: ./pds/html_form/global
main-menu-logoff
www.metalib.com/pds
Authorized User
institute-list
main-menu
confirm-logoff
28
HTML Files: login-metalib
/exlibris/pds/p<copy>/html_form/global/login-metalib
The Institution pull-down menu in the login page takes the names of institutions from the definitions in the tab_service table
29
MetaLib Authentication & Authorization
Authorization: user is assigned the right to access particular resources. What are you entitled to access?
30
MetaLib's fine-grained authorization
  • MetaLib can control access based on:
  • User Institution
  • User Group
  • IP range
  • Resource status (Active/Testing)

31
User and Resource Affiliations
  • A user may be affiliated to an institution and a
    user group
  • A resource may be available to one or more
    institutions, and one or more user groups
  • The user gets a filtered resource list, based on
    matching the resources with his or her
    institution and user group
  • IP filtering can be defined as an additional
    layer
  • Users may be limited to active or active &
    testing resources

32
User Affiliation
  • Determines user authentication (institution)
  • Determines authorization for access to resources
    (institution, user group)
  • Determines which instance of the user interface
    the user accesses (institution)

33
User Affiliation
  • MetaLib users may have two levels of affiliation
  • institution (mandatory)
  • user group (optional)
  • The affiliation of registered users is defined
    in the user record (Z312)

34
Guest Affiliation
  • Guest users may also have two levels of
    affiliation
  • institution (mandatory)
  • user group (optional)
  • Guest users are affiliated based on their IP
    range
  • Defined in table ./vir00/tab/default_z312

35
Guest Users
  • Affiliated Guests: guests logging in from within
    the institution's or division's IP range
  • ALL Licensed resources are enabled
  • Personal services are not enabled
  • Affiliated guests see the institution's user
    interface

36
Guest Users
  • External Guests: guests logging in from outside
    the institution's IP range
  • Resources available for GUEST are enabled
  • Personal services are not enabled
  • External guests see a default user interface, as
    defined in default_z312
  • A special institution may be defined for guests

37
MetaLib key tables
vir00
tab
tab_institute
default_z312
38
default_z312
!ip-from     ip-to        default user id      default user institute
!!!!!!!!!!!!-!!!!!!!!!!!!-!!!!!!!!!!!!!!!!!!!!-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
144013000000 144013255255 STOUT-IN             STOUT
143236000000 143236001100 STEVENSPOINT-IN      STEVENSPOINT
143236001102 143236255255 STEVENSPOINT-IN      STEVENSPOINT
138049000000 138049255255 LACROSSE-IN          LACROSSE
143200000000 143200255255 GREENBAY-IN          GREENBAY
128104000000 128104024255 MADISON-IN           MADISON
000000000000 999999999999 TRAINING-GUEST       TRAINING
  • Defines the affiliation of guest users by
    specifying the IP range of each institution and
    division
  • Last line is catch-all for unaffiliated guests:
    do not delete!
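
The guest-affiliation lookup that default_z312 describes, as an added Python example (not part of the original slides and not MetaLib's own code). It assumes the first row whose range contains the address wins, uses a constructed subset of the rows above, and all function names are hypothetical.

```python
import ipaddress

# Constructed sample in the slide's layout; IPs are 12 digits,
# each IPv4 octet zero-padded to three digits.
DEFAULT_Z312 = """\
!ip-from     ip-to        default user id      default user institute
144013000000 144013255255 STOUT-IN             STOUT
143236000000 143236001100 STEVENSPOINT-IN      STEVENSPOINT
143236001102 143236255255 STEVENSPOINT-IN      STEVENSPOINT
000000000000 999999999999 TRAINING-GUEST       TRAINING
"""
CATCH_ALL = ("000000000000", "999999999999")

def to_key(ip):
    """Convert dotted IPv4 to the 12-digit zero-padded form used in the table."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return "".join(f"{octet:03d}" for octet in addr.packed)

def parse(table):
    rows = []
    for line in table.splitlines():
        if not line.strip() or line.startswith("!"):  # '!' lines are header/comment
            continue
        lo, hi, user, inst = line.split()
        if len(lo) != 12 or len(hi) != 12 or not (lo + hi).isdigit() or lo > hi:
            raise ValueError(f"bad range: {line!r}")
        rows.append((lo, hi, user, inst))
    return rows

def affiliate(rows, ip):
    """Assumed semantics: the first row whose range contains the IP wins."""
    key = to_key(ip)  # equal-length digit strings compare like numbers
    for lo, hi, user, inst in rows:
        if lo <= key <= hi:
            return user, inst
    return None  # only reachable when the catch-all row is missing

def lint(rows):
    """Report ordering problems that change which affiliation guests receive."""
    issues = []
    if not rows or rows[-1][:2] != CATCH_ALL:
        issues.append("catch-all row missing or not last")
    for i, row in enumerate(rows[:-1]):
        if row[:2] == CATCH_ALL:
            issues.append(f"row {i + 1}: catch-all shadows all later rows")
    return issues

ROWS = parse(DEFAULT_Z312)
```

With these rows, 143.236.1.101 sits between the two STEVENSPOINT ranges, so under the assumed semantics it is affiliated as TRAINING-GUEST rather than STEVENSPOINT-IN.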

39
MetaLib key tables
vir00
tab
tab_institute
default_z312
40
tab_institute
  • tab_institute for each institution
  • Proxy server
  • SFX instance

41
tab_institute - Proxy
YALE YUL N IP_AND_IRD_SELECTIVE EZPROXY http://libproxy.harvard.edu:2048/login? http://sfx.library.yale.edu/
YALE YUL N NO WAM http://www.proxy-address.com http://sfx.library.yale.edu/
YALE YUL N NO WAM http://www.proxy-address.com http://sfx.library.yale.edu/
42
tab_institute - Proxy
Proxy server setup:
  • YES: proxy server should always be used
  • NO: proxy server should never be used
  • IRD_SELECTIVE: proxy server is only used
    if Proxy Server Flag in IRD is set to Y
  • IP_SELECTIVE: proxy server is selectively
    used based on IP of the user
  • IP_AND_IRD_SELECTIVE: proxy server is selectively
    used based on BOTH the Proxy Server Flag in IRD,
    and on IP of the user
43
tab_institute - Proxy
HAVARD HVD N IP_AND_IRD_SELECTIVE EZPROXY http://libproxy.harvard.edu:2048/login? http://sfx.harvard.edu/harvard
HARVARD HVD N NO WAM http://www.proxy-address.com http://sfx.harvard.edu/hvd
Proxy server type (supported proxies): EZPROXY, WAM
44
tab_institute - Proxy
HARVARD HVD N IP_AND_IRD_SELECTIVE EZPROXY http://libproxy.harvard.edu:2048/login? http://sfx.harvard.edu/hvd
HARVARD HVD N NO WAM http://www.proxy-address.com http://sfx.harvard.edu/hvd
Proxy server address
45
SFX Setup
  • Link to each institution's SFX instance in
    MetaLib's user interface
  • Link to each institution's SFX admin instance in
    MetaLib's management interface
  • Replace SFX GIF with institution's SFX GIF if
    applicable (v-sfx.gif)

46
tab_institute - SFX
HARVARD HVD N IP_AND_IRD_SELECTIVE EZPROXY http://libproxyharvard.edu:2048/login? http://sfx.harvard.edu/hvd
HARVARD HVD N NO WAM http://www.proxy-address.com http://sfx.harvard.edu/uwsp
SFX instance address
47
MetaLib Authentication and Authorization
  • Debbie Shalit
  • Yale
  • September 22nd and 23rd, 2004