Alma supports authentication via social networks: A staff user can login into Alma using his social network details, and patrons can login into Primo. Currently Google, Facebook and Twitter are supported, with plans for additional networks in the near future.
Social login is based on the OAuth 2.0 standard
which is used by many websites and applications. Alma will only add the user’s unique social network identifier to the user record in Alma, and will not be able to post anything to the social network, nor change any information there. What is stored in Alma cannot be used to gain access to a user's social account.
In order to login with social network details, the user in Alma should have an identifier with the social network id. This identifier is necessary for Alma to link the social network authenticated user with the Alma user. Note that this identifier is not displayed in the Alma UI but is visible via the Export Job or APIs.
The following steps are required in order to allow social login:
- Have a Google/Facebook/Twitter accounts for the library
- Configure OAuth app for these accounts
- Configure the "Social/Email Login" integration profile in Alma
- In order to allow login to Primo, Primo should be configured as well. Make sure you use Primo's new UI and new authentication
- Activate authentication via a social network provider for existing user accounts in Alma
Configuring the Social network and Alma
The option to login with social login details is opt-in.
The following pages provide details on how to enable social login with the social network providers:
A site can pick and choose which account or accounts to use as a separate Integration Profile is configured for each one of the above.
One-time login using email
Starting August 2017 a new option was introduced: login via email. When a user selects "Sign in with Email" he is requested to enter his email address. Alma sends an email to the user with a link which includes a token which is used to validate the user and continue the login process automatically.
The integration profile is set as for Facebook/Google/Twitter but no parameters are needed.
As a security measure, the notification message “An email with the login link has been sent to firstname.lastname@example.org” is displayed regardless of whether a user with the specified email address is found in email. In addition, if 2 users in Alma have the same email address the message will be displayed but email will not be sent. Note that it may take several minutes for the email to arrive.
In order to allow patrons to login to Primo using their social login details, Primo's new UI should be used with the new Authentication (not PDS). See here for more details regarding the required configuration in Primo.
Activating authentication via a social network provider
In order to activate authentication via a social network provider for an existing user account in Alma, Alma should send an email with a registration link to a user ("SocialLoginInviteLetter"). The user clicks the link and follows the instructions to authenticate with the social network and provides permission for Alma to access basic user information. The email can be sent in the following ways:
Note: The link in the SocialLoginInviteLetter expires 14 days after the email is sent. Please consider customizing the email and instructing new users to press the link as they receive the email (as opposed to waiting until they need library services).
After following the flow, a Success message is displayed, and a 2nd email is sent to confirm it: SocialLoginAccountAttachedLetter.
The Success message includes a link to Alma for a login (if the user has non-patron roles). The text in the Success message can be customized in "Social Login Labels" code-table, accessible from the main configuration menu.
If a user has already attached his account to social media and follows the attach flow again by clicking on the link in the first email, there will be no change in Alma as the account is already attached, a success message will be displayed and the SocialLoginAccountAttachedLetter will be resent.
The following diagram illustrates the attach account workflow:
Login to Alma with social network details
After the social network id is added to the user in Alma, it is possible to login to Alma using the social network details. The login to Alma with social network details is done using the regular login URL, with "/social" suffix. For example: https://alma.exlibrisgroup.com/institution/INST_CODE/social, or uni.alma.exlibrisgroup.com/social for institution-specific domain names.
The following diagram illustrates the login workflow:
Login to Primo with social network details
After the social network id is added to the user in Alma, it is possible to login to Primo using the social network details. Institutions can also allow guest users to perform self registration: After a user is authenticated by the social network, if he does not exist in Alma, Alma might be configured to create a new user for him. This depends on the configuration of the "self registration" part of the social login integration profile in Alma
Note that Both internal and external users can login with social network details.
The following diagram illustrates the login workflow in Primo:
Note: The benefit of Social Login is the ease of use after the initial login. A user which followed the attach-account flow once will be able to login the next day without typing a single character. As Facebook and Google keep a permanent cookie on the browser there is no need to login even after the browser (or even the computer) is shut down. However on a shared PC a user which has signed in to Primo using Social Login should keep in mind to log out of Facebook/Google before leaving the PC.
As emphasized at the top of this page OAUTH is a widely used protocol and the information exchanged between Alma and the Social Network provider is minimal. You may consider customizing SocialLoginInviteLetter and explaining it as you see fit to your audience to avoid concerns.