Evergreen DokuWiki

User Tools

Site Tools

You are here: start » dev » proposal » openathens_integration
dev:proposal:openathens_integration

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
dev:proposal:openathens_integration [2019/08/30 06:05] oajuliancdev:proposal:openathens_integration [2022/02/10 13:34] (current) – external edit 127.0.0.1
Line 30: Line 30:
 There would also be a new OpenAthens logout URL within Evergreen, which would forward the user to the OpenAthens sign-out page. There would be a system-wide setting that determines whether or not this logout URL is called after OPAC logout. OpenAthens in turn can be configured to send users to any URL after logout, so this can be used to return users back to the OPAC home page after their OpenAthens session has been cleared down. There would also be a new OpenAthens logout URL within Evergreen, which would forward the user to the OpenAthens sign-out page. There would be a system-wide setting that determines whether or not this logout URL is called after OPAC logout. OpenAthens in turn can be configured to send users to any URL after logout, so this can be used to return users back to the OPAC home page after their OpenAthens session has been cleared down.
  
-==== Configuring the connection between OpenAthens and Evergreen ====+==== Configuring the connection between Evergreen and OpenAthens ====
  
-OpenAthens will provide top-level administrator account for a consortium to use to manage everything connected with its own private domain within the OpenAthens service. The person using this account would be the Evergreen top-level system administrator. They will use this account to configure the Evergreen connection from the OpenAthens sideThis process generates unique connection IDaccess URL and API key. They then enter these credentials into OpenAthens-specific global settings within Evergreen. This configuration would be global for the whole Evergreen installation, and so would appear under global flags. A single Evergreen install would only support one connection into single OpenAthens domain. Howeversee 'Organisational hierarchy' below.+It is proposed that connection between Evergreen and OpenAthens can be created at any level in the organisational hierarchy using library settings. This way, a connection could be created for an individual library, regional library system or for the whole consortiumwith settings being inherited down the hierarchy as for other library settings. The choice of where in the hierarchy to create a connection will depend on how the libraries subscribe to the OpenAthens serviceIf the whole consortium using Evergreen is single OpenAthens customer sharing a single OpenAthens domain, then the connection would be created at the top level; if only some individual libraries are OpenAthens customers, or each library in consortium has its own OpenAthens domain, a connection would be created for each library in their own library settings.
  
-==== Organisational hierarchy ====+For each OpenAthens domain, an administrator will have access to the OpenAthens admin portal, where they can create an Evergreen connection from the OpenAthens side. This process generates a unique connection ID, access URL and API key. They then create an OpenAthens library configuration at the appropriate level within Evergreen, using these credentials.
  
-In the same way as Evergreen supports a hierarchy of regional library systems and branches, OpenAthens can be configured with an arbitrary hierarchy of virtual organisations within a consortium's domain. The top-level OpenAthens administrator for the consortium would build a hierarchy within OpenAthens that matches their library branch hierarchy. It would then be possible to configure OpenAthens to map patrons into different virtual organisations depending on their Evergreen organisational unit attribute. OpenAthens already supports this kind of organisational mapping, so there is no need to develop it within Evergreen as part of this feature. +The OpenAthens portal also allows the administrator to view details of which patrons have signed inand view statistics around access to third party resources.
- +
-The top-level administrator would create lower-level OpenAthens administrator accounts for librarians in each region or branch as required. Librarians in each region or branch could use this account to configure a different set of OpenAthens resources for their patrons, depending on their locally purchased resource subscriptions. They could also use it to view account usage and resource access statistics just for their own patrons.+
  
 ==== User attributes and data protection ==== ==== User attributes and data protection ====
  
-The Evergreen system administrator will be able to configure which user attributes are released to OpenAthens, according to their own data protection policy. For example, they could allow the user's given name to be released, but not their family name or email address. Or they could choose not to release any personal details at all. By default, only a single unique user identifier would be released. OpenAthens uses this identifier to create a unique identity for each user that is passed to third party resources. This is so that the resource can uniquely identify each user and allow them to save preferences, reading lists, etc., even if it does not know their name.+The library administrator will be able to configure which user attributes are released to OpenAthens, according to their own data protection policy. For example, they could allow the user's given name to be released, but not their family name or email address. Or they could choose not to release any personal details at all. By default, only a single unique user identifier would be released. OpenAthens uses this identifier to create a unique identity for each user that is passed to third party resources. This is so that the resource can uniquely identify each user and allow them to save preferences, reading lists, etc., even if it does not know their name.
  
 OpenAthens requires two user attributes, but by default both would be satisfied by the numerical database id of the user account. OpenAthens requires two user attributes, but by default both would be satisfied by the numerical database id of the user account.
Line 48: Line 46:
   * Display name - this is used only within the OpenAthens administrator’s portal, where administrators can view virtual accounts that have been created and how they have been used. It is not passed to third party resources. By default, this would also be populated with the numerical database id of the user account, but the system administrator could change it to use the username, or the calculated full name in the same format as displayed in Evergreen. If the chosen attribute of the user is changed in Evergreen it will also change in OpenAthens the next time they sign in, but this will not affect their personalised settings on third party resources.   * Display name - this is used only within the OpenAthens administrator’s portal, where administrators can view virtual accounts that have been created and how they have been used. It is not passed to third party resources. By default, this would also be populated with the numerical database id of the user account, but the system administrator could change it to use the username, or the calculated full name in the same format as displayed in Evergreen. If the chosen attribute of the user is changed in Evergreen it will also change in OpenAthens the next time they sign in, but this will not affect their personalised settings on third party resources.
  
-Other user attributes, such as first name, family name, email address, and home library would not be released by default. Each one would have a global configuration setting to enable it if required. The home library attribute would have to be enabled if the librarian wants to map patrons into different OpenAthens virtual organisations.+Other user attributes, such as first name, family name, email address, and home library would not be released by default. Each one would have a flag within the library settings to enable it if required. The home library attribute would have to be enabled if the librarian wants to use it to map patrons into different sub-organisations within their OpenAthens domain.
  
 Regardless of which attributes are released from Evergreen to OpenAthens, OpenAthens will not release them onwards to third party resources unless it is also configured to do so. Regardless of which attributes are released from Evergreen to OpenAthens, OpenAthens will not release them onwards to third party resources unless it is also configured to do so.
Line 54: Line 52:
 ===== Proposed implementation ===== ===== Proposed implementation =====
  
-==== Database updates ====+==== Database / Staff client updates ====
  
-All OpenAthens-specific configuration settings would be system-wide. The following would be added to global_flags, in a new 'openathens' namespace:+A new type of library setting would be created for OpenAthens integration, with the following fields:
   * disable/enable OpenAthens integration completely (default false)   * disable/enable OpenAthens integration completely (default false)
   * OpenAthens API key   * OpenAthens API key
Line 63: Line 61:
   * auto-signon - whether to sign patrons into OpenAthens automatically after Evergreen login (flow 2 above) (default true)   * auto-signon - whether to sign patrons into OpenAthens automatically after Evergreen login (flow 2 above) (default true)
   * auto-signout - whether to send patrons to the OpenAthens sign-out page after Evergreen logout (default false)   * auto-signout - whether to send patrons to the OpenAthens sign-out page after Evergreen logout (default false)
-  * unique identifier - which attribute of the patron’s account to use as the unique identifier within OpenAthens - options available:*+  * unique identifier - which attribute of the patron’s account to use as the unique identifier within OpenAthens - supported values:
     * id (default)     * id (default)
     * usrname     * usrname
-  * display name - which attribute of the patron’s account to use as the display name for the account within OpenAthens - this will not be released to third party resources - options available:*+  * display name - which attribute of the patron’s account to use as the display name for the account within OpenAthens - this will not be released to third party resources - supported values:
     * id (default)     * id (default)
     * usrname     * usrname
-    * full name (as displayed in OPAC header)+    * fullname (as displayed in OPAC header)
   * release title - whether to release the patron’s title to OpenAthens (default false)   * release title - whether to release the patron’s title to OpenAthens (default false)
   * release first name - whether to release the patron's first name / preferred first name to OpenAthens (default false)   * release first name - whether to release the patron's first name / preferred first name to OpenAthens (default false)
Line 77: Line 75:
   * release email - whether to release the patron's email address to OpenAthens (default false)   * release email - whether to release the patron's email address to OpenAthens (default false)
   * release organisational unit - whether to release the patron's home library to OpenAthens (default false)   * release organisational unit - whether to release the patron's home library to OpenAthens (default false)
- 
-*Further research is needed to confirm whether global flags can include selectable options, or whether these would need additional database tables. 
  
 ==== New URLs ==== ==== New URLs ====
  
 The proposed new URLs are: The proposed new URLs are:
-  * **/eg/opac/openathens/sso** (protected by OPAC login) - endpoint that establishes OpenAthens session. This would handle both flows (1) and (2) as described above +  * **/eg/opac/sso/openathens** (protected by OPAC login) - endpoint that establishes OpenAthens session. This would handle both flows (1) and (2) as described above 
-  * **/eg/opac/openathens/logout** - this would redirect to the OpenAthens sign-out page.+  * **/eg/opac/sso/openathens/logout** - this would redirect to the OpenAthens sign-out page.
  
 Neither of these would serve any content; they would only ever issue temporary redirects. Neither of these would serve any content; they would only ever issue temporary redirects.
Line 93: Line 89:
   ~/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/OpenAthens.pm   ~/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/OpenAthens.pm
 There would need to be a small set of modifications to the core of EGCatLoader.pm to: There would need to be a small set of modifications to the core of EGCatLoader.pm to:
-  * load the OpenAthens configuration settings +  * route the /eg/opac/sso/openathens/* URLs to the new submodule 
-  * route the /eg/opac/openathens/* URLs to the new submodule +  * intercept the login flow to include a redirect to /eg/opac/sso/openathens if configured to do so 
-  * intercept the login flow to include a redirect to /eg/opac/openathens/sso if configured to do so +  * intercept the logout flow to include a redirect to /eg/opac/sso/openathens/logout if configured to do so
-  * intercept the logout flow to include a redirect to /eg/opac/openathens/logout if configured to do so+
  
 ===== Documentation ===== ===== Documentation =====
dev/proposal/openathens_integration.1567159558.txt.gz · Last modified: 2022/02/10 13:34 (external edit)
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki

© 2008-2022 GPLS and others. Evergreen is open source software, freely licensed under GNU GPLv2 or later.
The Evergreen Project is a U.S. 501(c)3 non-profit organization.