Authentication Using a Cloud Identity Provider
This option was introduced in the Alma November 2016 release but was later put on hold as of the Alma December 2016 release to allow further discussion with the user community before going live.
An institution that does not have an institutional identity provider can choose to subscribe to a cloud identity provider such as Azure Active Directory.
Cloud identity providers are easy to implement, provide wide support for authentication protocols (such as SAML) and features such as two-factor authentication, and offer secure web login and password change functionality.
Since cloud identity providers support SAML, Alma can be configured to authenticate using a standard SAML integration profile. Users that are authenticated in a cloud IDP are usually defined as internal users in Alma, meaning that the user is created and managed in Alma.
In addition to standard authentication, Alma integrates further with some certified cloud identity providers. For those providers, Alma automatically synchronizes user accounts as they are maintained in Alma. The creation of a user account in Alma triggers creation of the user in the cloud identity provider with a default password, and an email is sent to the user with login and password change instructions. From that point on, all password updates or changes are done only via the cloud identity provider. Updates to the user details are made in Alma and synchronized automatically with the cloud identity provider.
Note: An institution that chooses a non-certified cloud identity provider can use it for authentication, but will need to create and update users in both Alma and the identity provider independently.
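As an added illustration (not Alma's or any cloud identity provider's code), the following Python sketch models the provisioning flow described above for a certified provider: the Alma side creates the internal user and triggers creation in the IdP, the IdP issues a random single-use initial password and records the notification email, later password changes are accepted only by the IdP, and detail updates flow from Alma to the IdP. All class, method and field names are assumptions.

```python
import hashlib
import secrets

def _hash(password):  # simulation only; a real IdP uses a salted, slow password hash
    return hashlib.sha256(password.encode()).hexdigest()

class CloudIdp:
    """Constructed stand-in for a certified cloud IdP that Alma provisions into."""
    def __init__(self):
        self.accounts = {}   # username -> {"email", "pw_hash", "must_change"}
        self.sent_mail = []  # (recipient, subject); stands in for the real e-mail

    def create_user(self, username, email):
        initial = secrets.token_urlsafe(16)  # random, single-use; never a shared default
        self.accounts[username] = {"email": email, "pw_hash": _hash(initial), "must_change": True}
        self.sent_mail.append((email, "Alma login and password change instructions"))
        return initial

    def change_password(self, username, old, new):
        acct = self.accounts[username]
        if not secrets.compare_digest(acct["pw_hash"], _hash(old)):
            return False
        acct.update(pw_hash=_hash(new), must_change=False)
        return True

    def login(self, username, password):
        acct = self.accounts.get(username)
        ok = acct is not None and secrets.compare_digest(acct["pw_hash"], _hash(password))
        return ok and not acct["must_change"]  # the initial password only unlocks a password change

    def update_details(self, username, email):
        self.accounts[username]["email"] = email

class Alma:
    """Alma side: users are internal (created and managed in Alma); passwords are not."""
    def __init__(self, idp):
        self.idp, self.users = idp, {}

    def create_user(self, username, email):
        self.users[username] = {"email": email}
        return self.idp.create_user(username, email)  # creation in Alma triggers creation in the IdP

    def update_user(self, username, email):
        self.users[username]["email"] = email
        self.idp.update_details(username, email)  # user details flow Alma -> IdP

    def set_password(self, username, password):
        # After provisioning, password updates are done only via the cloud IdP.
        raise PermissionError("passwords are managed only in the cloud identity provider")
```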
The following steps are required in order to allow authentication using a Cloud IDP:
- Register to the cloud IDP and create an account.
- Configure the cloud IDP to allow access of web services from Alma.
- Define a SAML integration profile in Alma using the details from the cloud IDP.
- Define a Cloud IDP integration profile in Alma using the details from the cloud IDP.
Migrating existing users to cloud IDP
After a cloud IDP profile is defined in Alma, new Alma users will automatically be created in the cloud IDP as well.
In order to create accounts in the cloud IDP for existing Alma users, the following can be done:
- For a specific user: using "Send message" - "Social login mail" from the Alma user management UI.
- For a group of users: using the "Update and notify users" job with the "Export to Cloud IdP" option (note that this option will be supported as of the Alma November 2016 release).
See the Cloud IDP related blogs for a detailed description of specific Cloud IDP providers.