Migration to the Ex Libris Identity Service
As part of Ex Libris' continuing efforts to follow security and data privacy best practices, we announced in September 2016 plans to move toward the use of external-only password management in Alma. This shift would affect customers’ ability to authenticate internal users (patron and staff accounts defined completely in Alma and not in the institution's identity provider) using passwords stored within Alma. Following that announcement we worked with the ELUNA/IGELU Authentication Focus Group to explore and define methods of authentication which meet the goals of security and adherence to best practices while continuing to meet the management requirements of institutions. As a result of that joint work, Ex Libris has decided to introduce an Ex Libris Identity Service that will be based on a dedicated identity management solution meeting strict security and authentication standards. This new Ex Libris Identity Service will replace the internal authentication/password method used today by live Alma customers, and all existing customers will be migrated to this service.
What is the “Ex Libris Identity Service”?
In Alma user management, “internal users” are users who are created and managed in Alma, rather than in an external system such as a Student Information System. Alma will continue to support internal users. However, until now passwords for internal users were stored in Alma along with the user’s record. Going forward, internal users’ passwords will be stored in the “Ex Libris Identity Service,” a commercial, best-of-breed identity provider application hosted by Ex Libris in its data centers.
How much will it cost to use the Ex Libris Identity Service?
The new service will be offered in two options:
- Standard Service – this service will be included in the standard Alma annual subscription fee (no additional charge) and will allow the institution to authenticate up to 5,000 internal users.
- Premium Service – this service will be an optional cost offering and will allow the institution to authenticate an unlimited number of internal users. This option is designed to provide an effective solution to institutions without any identity management service that prefer not to use the other authentication methods.
Note: existing Alma customers and customers that sign their contract before June 30, 2018 will receive the Premium Service at no additional fee as part of the transition process to the new service.
Where will the “Ex Libris Identity Service” be hosted?
The “Ex Libris Identity Service” will be hosted in the Ex Libris Cloud. Each region will have its own instance of the service located in the applicable regional data center. The service will be deployed in a high-availability topology and will be managed and maintained by Ex Libris Cloud Services.
Does this change affect any other authentication methods?
All other existing authentication methods will remain unchanged. These include LDAP, SAML, CAS, Social, and login via email. The existing authentication methods are all described in the Developer Network.
Which users will be affected by this change?
Only internal users that log in to Alma or Discovery (Primo, Summon) using passwords that are stored in Alma will be affected. External users managed in other systems will not be affected, nor will internal users who log in using social login or login via email.
What information will be stored in the “Ex Libris Identity Service”?
Only the user’s password will be stored in the “Ex Libris Identity Service.” All other data will remain with the user’s record in Alma.
Which authentication scenarios will be affected by this change?
All authentication scenarios will be affected by this change and will use the Ex Libris Identity Service, including:
- Staff login to Alma,
- Patron login to Discovery, including Primo, Primo VE, and Summon over Alma,
- SIP2/NCIP/REST API authentication (for authenticating with other library systems, e.g. resource sharing scenarios).
Do we have to use the new Ex Libris Identity Service?
No. The institution can choose to use other authentication methods with the internal users, such as social login or login via email.
Can we use the Ex Libris Identity Service with other institutional systems?
No. Ex Libris Identity Service was designed to be used with internal users in Alma. Institutions are not able to use it to facilitate authentication or Single-Sign-On (SSO) with other institutional systems.
Can we "mix" authentication methods?
Yes. For example, some internal users can authenticate using social login while others can authenticate using the new Ex Libris Identity Service.
How will this change affect our internal users’ login workflow?
The migration of existing live customers to the “Ex Libris Identity Service” will be as transparent to users as possible. The first time a user logs into Discovery or Alma after the service is launched, the user’s password will be automatically migrated out of Alma and into the service. Users whose passwords do not meet the unified password strength policy will be asked to update their password as a part of their first login to Alma or Discovery.
What will happen to users who did not login during the migration period?
The procedure described above will be in effect for the duration of the migration period, which is one year following the launch of the service. Following the migration period, the passwords of any internal users who have not logged in to Alma or Discovery will be removed from Alma. Those users who wish to log in after the migration period will be able to create a new password in one of two ways:
- Using a “Forgot my password” link from Alma or Discovery; Alma will send an email with password reset instructions to the email address associated with the user.
- A user’s password can be reset by a librarian using Alma.
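The migrate-on-first-login flow described in the two answers above, as an added illustration of the pattern (this is not Ex Libris code and says nothing about how the real service is built): the legacy hash scheme, the stand-in identity store, the one-year window and the blocklist-plus-length policy are all assumptions chosen to make the example run.

```python
import hashlib
import hmac
import os

MIGRATION_DAYS = 365  # one-year migration period after launch, as the FAQ states
BLOCKLIST = {"password", "12345678", "qwertyui"}  # constructed stand-in for a breached-password list

def legacy_hash(password, salt):
    """Hypothetical 'old Alma' hash (salted SHA-256 as a stand-in for whatever the legacy store used)."""
    return hashlib.sha256(salt + password.encode()).digest()

def policy_ok(password):
    """Assumed NIST 800-63B style rule: a length floor plus a blocklist, no composition rules."""
    return len(password) >= 8 and password.lower() not in BLOCKLIST

class IdentityService:
    """Stand-in for the external service: only the password verifier lives here, nothing else."""
    def __init__(self):
        self.store = {}

    def set_password(self, uid, password):
        salt = os.urandom(16)
        self.store[uid] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000))

    def verify(self, uid, password):
        rec = self.store.get(uid)
        return rec is not None and hmac.compare_digest(
            rec[1], hashlib.pbkdf2_hmac("sha256", password.encode(), rec[0], 200_000))

def login(users, ids, uid, password, days_since_launch):
    """Migrate-on-first-login. Returns 'ok', 'ok-update-required', 'denied' or 'reset-required'."""
    user = users.get(uid)
    if user is None:
        return "denied"
    if uid in ids.store:  # already migrated: the service is authoritative
        return "ok" if ids.verify(uid, password) else "denied"
    if "legacy" not in user:  # nothing left in Alma: only the reset paths remain
        return "reset-required"
    if days_since_launch > MIGRATION_DAYS:  # migration period over: the legacy password is dropped
        del user["legacy"]
        return "reset-required"
    salt, digest = user["legacy"]
    if not hmac.compare_digest(digest, legacy_hash(password, salt)):
        return "denied"
    ids.set_password(uid, password)  # the secret moves out of Alma into the service
    del user["legacy"]
    return "ok" if policy_ok(password) else "ok-update-required"
```

A weak legacy password is still migrated so the user can get in, but the caller is told to force a password change during that same login, which matches the behaviour the FAQ describes.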
What will be changed in terms of password management?
A single password strength and lockout policy will be enforced for all institutions using the “Ex Libris Identity Service.” The policy will be set in accordance with industry-standard best practice and based upon the recently updated NIST Digital Identity Guidelines.
Will the new Ex Libris Identity Service have a separate admin application?
No. Library staff will be able to manage passwords for internal users from within Alma in the same way these passwords are managed today. Passwords managed in Alma are stored in the Identity Service. When a user is deleted or purged from Alma, the password is removed from the Identity Service.
What do we need to do in order to prepare for this change?
The migration process will include a dedicated screen for password update, and an email which will be sent to users. During the development and rollout process, these screens and letters will be announced in the Alma release notes. You will be able to customize them as is possible for other patron-facing screens and letters in Alma.
My implementation project is taking place during 2018. Will anything change as a result of this new service?
Implementation projects will not be affected by the migration to the new service. Until the new Ex Libris Identity Service is launched, all implementations will be able to use the existing methods, including storing passwords within Alma. Once the new service is launched, passwords stored in Alma will be migrated as described above.
What is the timeline for this change?
Development of the “Ex Libris Identity Service” will take place during the first half of 2018. During the second half of 2018 Ex Libris will be conducting tests with select pilot customers. The service is planned to be fully deployed and operational by the end of 2018. For now, there is nothing you need to do. As we move forward with the development, we will provide more detailed information and documentation concerning this new service.
Our Primo offers patrons a choice of login methods. Will there be an option for the Ex Libris Identity Service?
Since the Identity Service replaces logging in with passwords stored in Alma, there will not be a new authentication option in Primo. The existing “login with Alma” method will transparently use the Identity Service.