Ex Libris Identity Service

In Alma user management, “internal users” are users who are created and managed in Alma, rather than an external system such as a Student Information System.

Internal users might be authenticated using social login or email-based login. In addition, Alma supports the option of adding passwords to internal users. In this case, the password will be stored in the “Ex Libris Identity Service”, a commercial, best-of-breed identity provider application hosted by Ex Libris in its data centers. Library staff can manage passwords for internal users from within Alma. Passwords managed in Alma are stored in the Identity Service. When a user is deleted or purged from Alma, the password is removed from the Identity Service.

The “Ex Libris Identity Service” is hosted in the Ex Libris Cloud. Each region has its own instance of the service located in the applicable regional data center. The service is managed and maintained by Ex Libris Cloud Services. Production and Sandbox users are managed separably in the “Ex Libris Identity Service”. This means that changing an internal user’s password in a sandbox environment will not affect the production user.

Note that only the user’s password will be stored in the “Ex Libris Identity Service”. All other data is part of the user’s record in Alma. Any Alma user Identifier (Primary or additional ID) can be used for authentication, along with the password.

The “Ex Libris Identity Service” is designed to be used with internal users in Alma. Institutions are not able to use it to facilitate authentication or Single-Sign-On (SSO) with other institutional systems.

For information on the migration to the Ex Libris Identity Service, view the migration FAQ.


Service offering

The “Ex Libris Identity Service” is offered in two options:

  • Standard Service – this service is part of the standard Alma annual subscription fee (no additional charge), allowing the institution to authenticate up to 5,000 internal users.
  • Premium Service – this service is an optional cost offering, allowing the institution to authenticate unlimited number of internal users. This option is designed to provide an effective solution to institutions without any identity management service that prefer not to use the other authentication methods.

Important note: Customers that signed their contract before June 30, 2018 receive the premium service at no additional fee. For more information about the transition process see Migration to the Ex Libris Identity Service.

Supported workflows

Internal users’ authentication in the following workflows will use the password from the Exlibris Identity Service:

  • Staff login to Alma
  • Patron login to Discovery, including Primo, Primo VE, and Summon over Alma
  • SIP2/NCIP/REST API Authentication (for authenticating with other library systems, i.e. resource sharing scenarios).

In addition, the following options are available for internal users which have passwords in the Exlibris Identity Service:

  • Forgot password – When attempting to sign in, after entering an incorrect password, a message is displayed with a Forgot password? link. The user can enter an email address for which a reset password email will be sent.
  • Reset password – a letter can also be sent on demand to an individual user from the User Details page, and to a group of users by running the Update/Notify Users job.

Password strength

A single password strength policy is enforced for all institutions using the “Ex Libris Identity Service.” The policy is based upon the recently updated NIST Digital Identity Guidelines which emphasizes length (hard to guess) over complexity (easy to remember). Passwords will need to be at least 8 characters long but can consist of any characters (including pass phrases, for example). Note that passwords in the “Ex Libris Identity Service” do not have an expiry date.