Ex Libris Identity Service

In Alma user management, “internal users” are users who are created and managed in Alma, rather than an external system such as a Student Information System.

Internal users might be authenticated using social login or email-based login. In addition, Alma supports the option of adding passwords to internal users. In this case, the password will be stored in the “Ex Libris Identity Service”, a commercial, best-of-breed identity provider application hosted by Ex Libris in its data centers. Library staff can manage passwords for internal users from within Alma. Passwords managed in Alma are stored in the Identity Service. When a user is deleted or purged from Alma, the password is removed from the Identity Service.

The “Ex Libris Identity Service” is hosted in the Ex Libris Cloud. Each region has its own instance of the service located in the applicable regional data center. The service is managed and maintained by Ex Libris Cloud Services. Production and Sandbox users are managed separately in the “Ex Libris Identity Service”. This means that changing an internal user’s password in a sandbox environment will not affect the production user.

Note that only the user’s password will be stored in the “Ex Libris Identity Service”. All other data is part of the user’s record in Alma. Any Alma user Identifier (Primary or additional ID) can be used for authentication, along with the password.

The “Ex Libris Identity Service” is designed to be used with internal users in Alma. Institutions are not able to use it to facilitate authentication or Single-Sign-On (SSO) with other institutional systems.

Service offering

The “Ex Libris Identity Service” is offered in two options:

  • Standard Service – this service is part of the standard Alma annual subscription fee (no additional charge), allowing the institution to authenticate up to 5,000 internal users.
  • Premium Service – this service is an optional cost offering, allowing the institution to authenticate an unlimited number of internal users. This option is designed to provide an effective solution to institutions without any identity management service that prefer not to use the other authentication methods.

Important note: Customers that signed their contract before June 30, 2018 receive the premium service at no additional fee.

Supported workflows

Authentication of internal users in the following workflows will use the password from the Ex Libris Identity Service:

  • Staff login to Alma
  • Patron login to Discovery, including Primo, Primo VE, and Summon over Alma
  • SIP2/NCIP/REST API Authentication (for authenticating with other library systems, i.e. resource sharing scenarios).

In addition, the following options are available for internal users who have passwords in the Ex Libris Identity Service:

  • Forgot password – When attempting to sign in, after entering an incorrect password, a message is displayed with a Forgot password? link. The user can enter an email address to which a reset password email will be sent.
  • Reset password – a letter can also be sent on demand to an individual user from the User Details page, and to a group of users by running the Update/Notify Users job.

Password strength

A single password strength policy is enforced for all institutions using the “Ex Libris Identity Service”. The policy is based upon the recently updated NIST Digital Identity Guidelines, which emphasize length (hard to guess) over complexity (easy to remember). Passwords will need to be at least 8 characters long but can consist of any characters (including passphrases, for example). Note that passwords in the “Ex Libris Identity Service” do not have an expiry date.

FAQ

Where is the “Ex Libris Identity Service” hosted?
The “Ex Libris Identity Service” is hosted in the Ex Libris Cloud. Each region has its own instance of the service located in the applicable regional data center. The service is deployed in a high-availability topology and is managed and maintained by Ex Libris Cloud Services.

Do we have to use the new Ex Libris Identity Service?
No. The institution can choose to use other authentication methods with internal users such as social login or login via email.

Can we “mix” authentication methods?
Yes. For example, some internal users can authenticate using social login while others can authenticate using the new Ex Libris Identity Service.

Does the new Ex Libris Identity Service have a separate admin application?
No. Library staff are able to manage passwords for internal users from within Alma. When a user is deleted or purged from Alma, the password is removed from the Identity Service.

How are passwords stored for users in a premium sandbox?
The passwords for users in premium sandbox instances are stored separately in the Ex Libris Identity Service. You can set the password for an internal user in a premium sandbox using the same methods available in production Alma instances, e.g. by sending the user a change password email or by changing the password directly in the user’s profile. Changing the password for users in the premium sandbox does not affect passwords in production instances.

What happens to passwords of internal users after the refresh of a premium sandbox?
Passwords for internal users are stored in the Identity Service and not in the Alma database. If a user changes their password on production Alma and a sandbox refresh takes place afterwards, the premium sandbox user will not have a password in the Alma database (since it was cloned from the production Alma) and also will not have a password in the ‘Sandbox’ Identity Service. Therefore, when you log in to the premium sandbox for the first time as an internal user, you will have to reset your password using the reset password link. Once the password for a premium sandbox internal user has been set, it will not be modified by a sandbox refresh.