dev:proposal:openathens_integration
Differences
This shows you the differences between two versions of the page.
dev:proposal:openathens_integration [2019/08/30 05:54] – created oajulianc | dev:proposal:openathens_integration [2022/02/10 13:34] (current) – external edit 127.0.0.1
Line 30: | Line 30: | ||
There would also be a new OpenAthens logout URL within Evergreen, which would forward the user to the OpenAthens sign-out page. There would be a system-wide setting that determines whether or not this logout URL is called after OPAC logout. OpenAthens in turn can be configured to send users to any URL after logout, so this can be used to return users back to the OPAC home page after their OpenAthens session has been cleared down. | There would also be a new OpenAthens logout URL within Evergreen, which would forward the user to the OpenAthens sign-out page. There would be a system-wide setting that determines whether or not this logout URL is called after OPAC logout. OpenAthens in turn can be configured to send users to any URL after logout, so this can be used to return users back to the OPAC home page after their OpenAthens session has been cleared down. | ||
- | ==== Configuring the connection between | + | ==== Configuring the connection between Evergreen |
- | OpenAthens will provide | + | It is proposed that a connection between Evergreen and OpenAthens can be created at any level in the organisational hierarchy using library settings. This way, a connection could be created |
- | ==== Organisational hierarchy ==== | + | For each OpenAthens domain, an administrator will have access to the OpenAthens admin portal, where they can create an Evergreen connection from the OpenAthens side. This process generates a unique connection ID, access URL and API key. They then create an OpenAthens library configuration at the appropriate level within Evergreen, using these credentials. |
- | In the same way as Evergreen supports a hierarchy of regional library systems and branches, OpenAthens can be configured with an arbitrary hierarchy of virtual organisations within a consortium' | + | The OpenAthens |
- | + | ||
- | The top-level | + | |
==== User attributes and data protection ==== | ==== User attributes and data protection ==== | ||
- | The Evergreen system | + | The library |
OpenAthens requires two user attributes, but by default both would be satisfied by the numerical database id of the user account. | OpenAthens requires two user attributes, but by default both would be satisfied by the numerical database id of the user account. | ||
* Unique identifier - this should be unique to each user and should not change for the duration of the user’s account. The unique identifier is used by OpenAthens to build the unique identity of each user that is passed to third party resources. By default, Evergreen would use the numerical database id of the user account for this. The system administrator could change it to use the username, on the understanding that this would only be sensible if users’ usernames are never changed. Otherwise if a user’s username is changed when they change their family name for example, this would change their OpenAthens identity and they would lose their previous personal preferences saved on third party resources. Using the numerical database id prevents this because it cannot change. | * Unique identifier - this should be unique to each user and should not change for the duration of the user’s account. The unique identifier is used by OpenAthens to build the unique identity of each user that is passed to third party resources. By default, Evergreen would use the numerical database id of the user account for this. The system administrator could change it to use the username, on the understanding that this would only be sensible if users’ usernames are never changed. Otherwise if a user’s username is changed when they change their family name for example, this would change their OpenAthens identity and they would lose their previous personal preferences saved on third party resources. Using the numerical database id prevents this because it cannot change. | ||
- | * Display name - this is used only within the OpenAthens administrator’s portal | + | * Display name - this is used only within the OpenAthens administrator’s portal, where administrators |
- | Other user attributes, such as first name, family name, email address, and home library would not be released by default. Each one would have a global configuration setting | + | Other user attributes, such as first name, family name, email address, and home library would not be released by default. Each one would have a flag within the library settings |
Regardless of which attributes are released from Evergreen to OpenAthens, OpenAthens will not release them onwards to third party resources unless it is also configured to do so. | Regardless of which attributes are released from Evergreen to OpenAthens, OpenAthens will not release them onwards to third party resources unless it is also configured to do so. | ||
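Review bot: the connection-configuration paragraph should state how a library setting present at both a parent organisational unit and a branch resolves (the usual nearest-ancestor lookup, or something stricter): the per-attribute release flags described under "User attributes and data protection" in this same region live in the same settings, so the resolution rule decides which patron attributes leave Evergreen for a given branch, and that is not spelled out in the new text.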
Line 54: | Line 52: | ||
===== Proposed implementation ===== | ===== Proposed implementation ===== | ||
- | ==== Database updates ==== | + | ==== Database |
- | All OpenAthens-specific configuration settings | + | A new type of library setting |
* disable/ | * disable/ | ||
* OpenAthens API key | * OpenAthens API key | ||
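Review bot: the "OpenAthens API key" entry in this list is a credential, not a flag, so the proposal should say which view and update permissions gate that library setting and confirm that its value is never returned by any settings lookup reachable without those permissions; the other entries in the list are ordinary flags and can share the usual permissions, but the key should not.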
Line 63: | Line 61: | ||
* auto-signon - whether to sign patrons into OpenAthens automatically after Evergreen login (flow 2 above) (default true) | * auto-signon - whether to sign patrons into OpenAthens automatically after Evergreen login (flow 2 above) (default true) | ||
* auto-signout - whether to send patrons to the OpenAthens sign-out page after Evergreen logout (default false) | * auto-signout - whether to send patrons to the OpenAthens sign-out page after Evergreen logout (default false) | ||
- | * unique identifier - which attribute of the patron’s account to use as the unique identifier within OpenAthens - options available:* | + | * unique identifier - which attribute of the patron’s account to use as the unique identifier within OpenAthens - supported values: |
* id (default) | * id (default) | ||
* usrname | * usrname | ||
- | * display name - which attribute of the patron’s account to use as the display name for the account within OpenAthens - this will not be released to third party resources - options available:* | + | * display name - which attribute of the patron’s account to use as the display name for the account within OpenAthens - this will not be released to third party resources - supported values: |
* id (default) | * id (default) | ||
* usrname | * usrname | ||
- | * full name (as displayed in OPAC header) | + | * fullname |
* release title - whether to release the patron’s title to OpenAthens (default false) | * release title - whether to release the patron’s title to OpenAthens (default false) | ||
* release first name - whether to release the patron' | * release first name - whether to release the patron' | ||
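Review bot: the "supported values" for unique identifier and display name (id, usrname, fullname) should be validated when the setting is read, with anything outside the list falling back to the stated default (id) rather than being treated as an attribute name, since an unexpected value would otherwise release a different attribute than intended; the old wording "full name (as displayed in OPAC header)" also defined what the value meant, so the new "fullname" entry should carry that definition rather than just the name.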
Line 77: | Line 75: | ||
* release email - whether to release the patron' | * release email - whether to release the patron' | ||
* release organisational unit - whether to release the patron' | * release organisational unit - whether to release the patron' | ||
- | |||
- | *Further research is needed to confirm whether global flags can include selectable options, or whether these would need additional database tables. | ||
==== New URLs ==== | ==== New URLs ==== | ||
The proposed new URLs are: | The proposed new URLs are: | ||
- | * **/eg/opac/openathens/sso** (protected by OPAC login) - endpoint that establishes OpenAthens session. This would handle both flows (1) and (2) as described above | + | * **/ |
- | * **/ | + | * **/eg/opac/sso/ |
Neither of these would serve any content; they would only ever issue temporary redirects. | Neither of these would serve any content; they would only ever issue temporary redirects. | ||
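Review bot: because both new URLs "would only ever issue temporary redirects", the proposal should state that the redirect targets are taken solely from the configured access URL and the OpenAthens sign-out page, never from a request parameter, so that neither endpoint can be used to send a patron to an arbitrary site; the list should also say whether the sign-out endpoint requires an OPAC session, since the sso endpoint is marked "protected by OPAC login" and the second entry does not state it in the lines visible here.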
Line 93: | Line 89: | ||
~/ | ~/ | ||
There would need to be a small set of modifications to the core of EGCatLoader.pm to: | There would need to be a small set of modifications to the core of EGCatLoader.pm to: | ||
- | | + | * route the /eg/opac/sso/ |
- | | + | * intercept the login flow to include a redirect to / |
- | * intercept the login flow to include a redirect to /eg/opac/openathens/sso if configured to do so | + | * intercept the logout flow to include a redirect to /eg/opac/sso/ |
- | * intercept the logout flow to include a redirect to / | + | |
===== Documentation ===== | ===== Documentation ===== |
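Review bot: the two "intercept" items should fix the order of operations: the login intercept should redirect to the sso endpoint only once Evergreen has actually authenticated the patron (the endpoint is described earlier as protected by OPAC login, so a failed login must not be bounced there), and the logout intercept should destroy the Evergreen session before issuing the redirect to the sign-out URL, so that an error on the OpenAthens side cannot leave the OPAC session alive.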
dev/proposal/openathens_integration.1567158877.txt.gz · Last modified: 2022/02/10 13:34 (external edit)