Tech Blog

Authentication Update

Authentication is one of the most critical integrations between Alma and Primo and the university infrastructure. We continue to invest in authentication options to remain up to date with industry standards, to provide a secure platform, and to fill the integration needs of a wide array of institutional authentication landscapes.

In this post, we’ll review some of the changes that have been introduced in the past year.

Support for OpenID Connect

OpenID Connect is an authentication layer built on top of OAuth 2.0: alongside the OAuth access token, the relying party receives a signed ID token whose claims (issuer, audience, subject, expiry, nonce) identify the authenticated user. Alma introduced support for institutional identity providers that prefer to work using this protocol. Several commercial and open source identity providers support OpenID Connect today.
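The checks a relying party must perform on an ID token are what make OpenID Connect an authentication protocol rather than plain OAuth 2.0. The following is an added illustration, not code from Alma or from any identity provider: it signs a token with an HS256 client secret (a constructed secret, issuer and client_id) and then validates algorithm, signature, issuer, audience, expiry and nonce the way OpenID Connect Core requires. A real deployment would usually verify an RS256 signature against the provider's published JWKS instead of a shared secret; the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only (assumptions, not Alma's or any real IdP's configuration).
ISSUER = "https://idp.example.edu"            # the institutional OpenID Provider
CLIENT_ID = "alma-example-client"             # the relying party's registered client_id
SHARED_SECRET = b"constructed-hs256-secret"   # HS256 client secret shared with the IdP


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build an HS256-signed ID token the way an OpenID Provider would (provider side)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, now: float = None,
                      secret: bytes = SHARED_SECRET, issuer: str = ISSUER,
                      client_id: str = CLIENT_ID):
    """Relying-party validation. Returns (True, claims) or (False, reason)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return False, "undecodable header"
    # Pin the algorithm: never accept alg=none or an algorithm you did not expect.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    try:
        actual_sig = b64url_decode(sig_b64)
    except ValueError:
        return False, "undecodable signature"
    if not hmac.compare_digest(expected_sig, actual_sig):
        return False, "bad signature"
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return False, "undecodable payload"
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        return False, "audience mismatch"
    # With several audiences, azp must name this client (OIDC Core 3.1.3.7).
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        return False, "azp missing or mismatched"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "token expired"
    # The nonce binds the token to the login request that started this flow (replay protection).
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    if not claims.get("sub"):
        return False, "missing subject"
    return True, claims


if __name__ == "__main__":
    issued = int(time.time())
    token = make_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "student42",
                           "iat": issued, "exp": issued + 300, "nonce": "n1"})
    print(validate_id_token(token, "n1"))
```

The `exp` and `nonce` checks are the ones most often skipped in hand-rolled integrations; a token that passes signature validation but fails either of them must still be rejected.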

For more information on Alma’s support for OpenID Connect, see this page in the Developer Network. For an example of how to configure an OpenID Connect provider, see this blog post.

SAML Just-in-time (JIT) User Provisioning

Most institutions use the Student Information System integration to synchronize users from their institutional user repository to Alma. However, some institutions prefer that users be created in Alma only when patrons log in to receive services. Alma introduced just-in-time (JIT) user provisioning/self-registration support for SAML-backed institutions. This allows user accounts to be created from the attributes in the SAML response, with roles determined by the configured role assignment rules. Alma also supports updating user information on each login, allowing the user record in Alma to remain up to date with the record in the identity system. Because the account and its roles are derived from the SAML response, only a response whose signature has been validated against the institution's IdP metadata should be trusted, and the role assignment rules should map each affiliation to the minimum roles it needs rather than taking a role name verbatim from an attribute the institution does not control.
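The following is an added example of the JIT provisioning flow described above, written for this post and not taken from Alma; the attribute map, role rules and the in-memory user store are all assumptions. It constructs a minimal SAML 2.0 Response (sample input, not a real IdP message), extracts the NameID and AttributeStatement, creates or updates the user record, and recomputes roles from the rules on every login so that a role granted by an affiliation the IdP no longer asserts is dropped. An attribute that simply names a role is ignored, since roles are only ever granted through the rules.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical configuration for this illustration (not Alma's actual rule syntax):
# which SAML attributes populate which user fields ...
ATTRIBUTE_MAP = {"mail": "email", "givenName": "first_name", "sn": "last_name"}
# ... and which attribute values grant which roles. Roles come only from these rules.
ROLE_RULES = [
    ("eduPersonAffiliation", "student", {"Patron"}),
    ("eduPersonAffiliation", "staff", {"Patron", "Circulation Desk Operator"}),
]
DEFAULT_ROLES = {"Patron"}


def build_response(name_id: str, attributes: dict) -> str:
    """Construct a minimal SAML 2.0 Response for the example (constructed sample, unsigned)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{escape(name, {chr(34): "&quot;"})}">'
        + "".join(f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue>" for v in values)
        + "</saml:Attribute>"
        for name, values in attributes.items()
    )
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" Version="2.0">'
        f"<saml:Assertion><saml:Subject><saml:NameID>{escape(name_id)}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion>"
        f"</samlp:Response>"
    )


def parse_assertion(xml_text: str):
    """Return (name_id, {attribute name: [values]}) from a Response.

    Assumption: the XML signature has already been validated upstream. In production,
    parse with defusedxml rather than the stdlib parser, and never reach this point
    on an unsigned or unvalidated response.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion carries no NameID")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def roles_for(attrs: dict) -> set:
    """Apply the role assignment rules; the assertion cannot name a role directly."""
    roles = set(DEFAULT_ROLES)
    for attr_name, value, granted in ROLE_RULES:
        if value in attrs.get(attr_name, []):
            roles |= granted
    return roles


def provision(store: dict, xml_text: str):
    """JIT provision or update. `store` maps NameID -> user record (stand-in for the user DB).

    Returns (created, record).
    """
    name_id, attrs = parse_assertion(xml_text)
    record = store.get(name_id)
    created = record is None
    if created:
        record = {"primary_id": name_id}
        store[name_id] = record
    # Refresh mapped fields on every login so the record tracks the identity system.
    for saml_name, field in ATTRIBUTE_MAP.items():
        if attrs.get(saml_name):
            record[field] = attrs[saml_name][0]
    # Recompute roles from the rules each login: roles whose triggering attribute
    # is no longer asserted are removed, not accumulated.
    record["roles"] = roles_for(attrs)
    return created, record


if __name__ == "__main__":
    users = {}
    first_login = build_response("jdoe@example.edu", {
        "mail": ["jdoe@example.edu"], "givenName": ["Jane"], "sn": ["Doe"],
        "eduPersonAffiliation": ["staff"],
        "roles": ["General System Administrator"],  # ignored: not a rule input
    })
    print(provision(users, first_login))
```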

For more information on just-in-time provisioning/self-registration, see this documentation and this blog post.

Ex Libris Identity Provider

Finally, the last phase of the rollout of the Ex Libris Identity Provider was completed and there are now more than a half-million users using the service. The Ex Libris Identity Provider is a dedicated service hosted in the Ex Libris cloud which allows for management of user passwords. Institutions that do not have an institutional authentication system can create internal users in Alma and store the users’ passwords in the Ex Libris Identity Provider.

The Ex Libris Identity Provider can be used to authenticate staff logging in to Alma, patrons logging in to discovery, and SIP2/NCIP connections from other library systems.

For more information on the Ex Libris Identity Provider, see this page in the Developer Network.

Looking ahead

Based on feedback from institutions, we have planned continued investment in this area to ease integration with existing identity systems. One of the planned improvements will allow a converter to be configured directly in the student information system integration. This means that institutions will be able to use the scheduling and job management within Alma to convert a file from the SIS into an Alma-supported format, thereby reducing the external infrastructure and monitoring required. Keep an eye on the Alma release notes for more information.
