Migration to the Ex Libris Identity Service
As part of Ex Libris’ continuing efforts to follow security and data privacy best practices, we announced in September 2016 plans to move toward the use of external-only password management in Alma. This shift would affect customers’ ability to authenticate internal users (patron and staff accounts defined completely in Alma and not in the institution’s identity provider) using passwords stored within Alma. Following that announcement we worked with the ELUNA/IGELU Authentication Focus Group to explore and define methods of authentication which meet the goals of security and adherence to best practices, while at the same time continue to answer the management requirements of institutions. As a result of that joint work, Ex Libris has decided to introduce an Ex Libris Identity Service that will be based on a dedicated identity management solution, meeting strict security and authentication standards. This new Ex Libris Identity Service will replace the internal authentication / passwords method used today by live Alma customers and all existing customers will be migrated to this service.
What is the “Ex Libris Identity Service”?
In Alma user management, “internal users” are users who are created and managed in Alma, rather than in an external system such as a Student Information System. Alma will continue to support internal users. However, until now passwords for internal users were stored in Alma along with the user’s record. Going forward, internal users’ passwords will be stored in the “Ex Libris Identity Service,” a commercial, best-of-breed identity provider application hosted by Ex Libris in its data centers.
- Standard Service – this service will be included in the standard Alma annual subscription fee (no additional charge) and will allow the institution to authenticate up to 5,000 internal users.
- Premium Service – this service will be an optional cost offering and will allow the institution to authenticate an unlimited number of internal users. This option is designed to provide an effective solution to institutions without any identity management service that prefer not to use the other authentication methods.
Important note – existing Alma customers and customers that signed their contract before June 30, 2018 received the premium service at no additional fee as part of the transition process to the new service.
Where will the “Ex Libris Identity Service” be hosted?
The “Ex Libris Identity Service” will be hosted in the Ex Libris Cloud. Each region will have its own instance of the service located in the applicable regional data center. The service will be deployed in a high-availability topology and will be managed and maintained by Ex Libris Cloud Services.
Does this change affect any other authentication methods?
All other existing authentication methods will remain unchanged. These include LDAP, SAML, CAS, Social, and login via email. The existing authentication methods are all described in the Developer Network.
Which users will be affected by this change?
Only internal users that log in to Alma or Discovery (Primo, Summon) using passwords that are stored in Alma will be affected. External users managed in other systems will not be affected, nor will internal users who log in using social login or login via email.
What information will be stored in the “Ex Libris Identity Service”?
Only the user’s password will be stored in the “Ex Libris Identity Service.” All other data will remain with the user’s record in Alma.
- Staff login to Alma,
- Patron login to Discovery, including Primo, Primo VE, and Summon over Alma,
- SIP2/NCIP/REST API authentication (for authenticating with other library systems, e.g. resource sharing scenarios). Note that migration of passwords will occur only when logging in via the user interface.
Can we use the Ex Libris Identity Service with other institutional systems?
No. The Ex Libris Identity Service was designed to be used with internal users in Alma. Institutions are not able to use it to facilitate authentication or Single-Sign-On (SSO) with other institutional systems.
How will this change affect our internal users’ login workflow?
The migration of existing live customers to the “Ex Libris Identity Service” will be as transparent to users as possible. The first time a user logs into Discovery after the service is launched, the user’s password will be automatically migrated out of Alma and into the service. Users whose first login is done directly in Alma or those whose passwords do not meet the unified password strength policy will be asked to update their password as a part of their first login to Alma or Discovery.
What will happen to users who did not log in during the migration period?
The procedure described above will be in effect for the duration of the migration period, which is one year following the launch of the service. Following the migration period, the passwords of any internal users who have not logged in to Alma or Discovery will be removed from Alma. Those users who wish to log in after the migration period will be able to create a new password in one of two ways:
- Using a “Forgot my password” link from Alma or Discovery; Alma will send an email with password reset instructions to the email address associated with the user
- A user’s password can be reset by a librarian using Alma
What will be changed in terms of password management?
A single password strength policy will be enforced for all institutions using the “Ex Libris Identity Service.” The policy will be set in accordance with industry-standard best practice and based upon the recently updated NIST Digital Identity Guidelines, which emphasize length over complexity: long pass phrases are hard to guess yet easy to remember. Passwords will need to be at least 8 characters long but can consist of any characters (including pass phrases, for example).
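The login-time migration described above (first login in Discovery moves the password, first login in Alma or a non-compliant password forces an update, API logins never migrate, un-migrated passwords are purged after the migration period) together with the length-only policy can be modelled in a few lines. This is an added illustration, not Ex Libris code: the two dicts, the `channel` names and the SHA-256 placeholder hash are assumptions standing in for whatever Alma and the Identity Service actually use.

```python
import hashlib
import hmac

MIN_LENGTH = 8  # unified policy from the FAQ: length over complexity, any characters allowed


def meets_policy(password: str) -> bool:
    """Length is the only rule, so spaces, pass phrases and non-ASCII are all fine."""
    return len(password) >= MIN_LENGTH


def _digest(password: str) -> str:
    # Placeholder hash (assumption): stands in for whatever each real store uses.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class MigrationState:
    """Alma's user table and the Identity Service, modelled as two dicts of hashes."""

    def __init__(self, alma_passwords: dict):
        self.alma = {u: _digest(p) for u, p in alma_passwords.items()}  # legacy store
        self.ids = {}  # Identity Service store; empty until users migrate

    def login(self, user: str, password: str, channel: str) -> str:
        """channel is 'discovery', 'alma' or 'api'; returns ok / ok-migrated / reset-required / denied."""
        if user in self.ids:  # already migrated: the legacy copy is never consulted again
            return "ok" if hmac.compare_digest(self.ids[user], _digest(password)) else "denied"
        legacy = self.alma.get(user)
        if legacy is None:  # purged at the end of the migration period (or never set)
            return "reset-required"
        if not hmac.compare_digest(legacy, _digest(password)):
            return "denied"
        if channel == "api":  # SIP2/NCIP/REST logins authenticate but do not migrate
            return "ok"
        if channel == "alma" or not meets_policy(password):
            return "reset-required"  # first login in Alma, or non-compliant password
        self.ids[user] = self.alma.pop(user)  # Discovery login: move, do not copy
        return "ok-migrated"

    def set_password(self, user: str, new_password: str) -> bool:
        """Reset via the 'Forgot my password' email or by a librarian in Alma."""
        if not meets_policy(new_password):
            return False
        self.alma.pop(user, None)  # any stale legacy copy is dropped
        self.ids[user] = _digest(new_password)
        return True

    def end_migration_period(self) -> None:
        """One year after launch: un-migrated passwords are removed from Alma."""
        self.alma.clear()
```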
Will the new Ex Libris Identity Service have a separate admin application?
No. Library staff will be able to manage passwords for internal users from within Alma in the same way these passwords are managed today. Passwords managed in Alma are stored in the Identity Service. When a user is deleted or purged from Alma, the password is removed from the Identity Service.
What do we need to do in order to prepare for this change?
The migration process will include a dedicated screen for password update, and an email which will be sent to users. During the development and rollout process, these screens and letters will be announced in the Alma release notes. You will be able to customize them as is possible for other patron-facing screens and letters in Alma.
If you use Alma’s deprecated SOAP APIs, the passwords of the users used for API authentication will need to be updated manually.
My implementation project is taking place during 2018. Will anything change as a result of this new service?
Implementation projects will not be affected by the migration to the new service. Until the new Ex Libris Identity Service is launched, all implementations will be able to use the existing methods including storing passwords within Alma. Once the new service is launched passwords stored in Alma will be migrated as described above.
What is the timeline for this change?
The service was tested with select pilot customers during the second half of 2018. It will be deployed to sandbox environments with the January 2019 release and to production instances during the month of January 2019.
Our Primo offers patrons a choice of login methods. Will there be an option for the Ex Libris Identity Service?
Since the Identity Service replaces logging in with passwords stored in Alma, there will not be a new authentication option in Primo. The existing login with Alma method will transparently use the Identity Service.
How are passwords stored for users in a premium sandbox?
The passwords for users in premium sandbox instances are stored separately in the Ex Libris Identity Service. You can set the password for an internal user in a premium sandbox using the same methods available in production Alma instances, e.g. by sending the user a change password email or by changing the password directly in the user’s profile. Changing the password for users in the premium sandbox does not affect passwords in production instances.
What happens to passwords of internal users after the refresh of a premium sandbox?
Passwords for internal users are stored in the Identity Service and not in the Alma database. If a user changes their password on production Alma and a sandbox refresh takes place after that, the premium sandbox user will have no password in the Alma database (since it was cloned from production Alma) and also no password in the sandbox Identity Service. Therefore, when you log in to the premium sandbox for the first time as an internal user you will have to reset your password using the reset password link. Once the password for a premium sandbox internal user has been set, it will not be modified by a sandbox refresh.