Integrating Shibboleth with the Ex Libris Identity Service
The Ex Libris Identity Service gives every institution a hosted identity management solution in which to manage user passwords. Out of the box it handles authentication to Ex Libris products such as Alma and Primo. Some institutions also maintain their own library services (a custom discovery layer, for example) to which patrons managed in the Ex Libris Identity Service must authenticate. That can be done with a custom API solution, but institutions that already run a single sign-on service may prefer to bring these users into it.
Shibboleth is a popular SAML-based SSO solution. In this post, we’ll see how we can integrate authentication for users managed in the Ex Libris Identity Service with Shibboleth using a custom password validator. The flow can be expressed as follows:
- User requests access to the custom application
- User is redirected to Shibboleth for single sign on
- Shibboleth validates the username and password against the Alma Authenticate User API
- SSO session is created and user is redirected back to the custom application logged-in
The key piece in this implementation is a Java class that extends Shibboleth's AbstractUsernamePasswordValidationAction class. In its doExecute method, an HTTP request to the Alma Authenticate User API is made with the username and password the user submitted. If authentication succeeds, a second call is made to the Retrieve User API to obtain the user's details and populate the assertion attributes as required.
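The sketch below is an added illustration of that two-call validator, written for this page; it is not the code from the repository linked at the end of the post and not Ex Libris' own implementation. It assumes the Shibboleth IdP 3 action API (AbstractUsernamePasswordValidationAction, AuthnEventIds, UsernamePrincipal, handleError/buildAuthenticationResult), the Alma REST endpoints POST /users/{id}?op=auth and GET /users/{id}, and the XML field names primary_id and user_group in the Alma user record. The bean properties almaBaseUrl and apiKey, the North America API base URL, and the timeouts are assumptions for the example.

```java
package net.exldevnetwork.shibboleth.idp.authn.impl;

import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import javax.annotation.Nonnull;
import javax.security.auth.Subject;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import net.shibboleth.idp.authn.AbstractUsernamePasswordValidationAction;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/** Illustrative validator: Alma Authenticate User, then Retrieve User. Keeps per-request state, so
 *  the bean must be declared with scope="prototype", as the stock LDAP validator is. */
public class ValidateUsernamePasswordAgainstAlma extends AbstractUsernamePasswordValidationAction {
    private final Logger log = LoggerFactory.getLogger(ValidateUsernamePasswordAgainstAlma.class);
    // Assumed bean properties. The base URL must be https: the patron's password rides on the request.
    private String almaBaseUrl = "https://api-na.hosted.exlibrisgroup.com/almaws/v1";
    private String apiKey;
    private String primaryId; // reported by Alma for this request; consumed by populateSubject()

    public void setAlmaBaseUrl(final String url) { almaBaseUrl = url; }
    public void setApiKey(final String key) { apiKey = key; }

    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        final String username = getUsernamePasswordContext().getUsername();
        final String password = getUsernamePasswordContext().getPassword();
        try {
            // Step 1: POST /users/{id}?op=auth&password=...  Alma answers 204 on success, 400 on bad credentials.
            // Both values are URL-encoded so a '&' or '#' inside a password cannot alter the query.
            final HttpURLConnection auth = open("POST",
                    almaBaseUrl + "/users/" + enc(username) + "?op=auth&password=" + enc(password));
            final int status = auth.getResponseCode();
            if (status == HttpURLConnection.HTTP_BAD_REQUEST) {
                log.info("{} Login by '{}' failed", getLogPrefix(), username); // never log the password
                handleError(profileRequestContext, authenticationContext, "InvalidCredentials", AuthnEventIds.INVALID_CREDENTIALS);
                return;
            } else if (status != HttpURLConnection.HTTP_NO_CONTENT) {
                // A bad API key, outage or throttling is an error, not a wrong password.
                handleError(profileRequestContext, authenticationContext, "Alma HTTP " + status, AuthnEventIds.AUTHN_EXCEPTION);
                return;
            }
            // Step 2: GET /users/{id} for the fields that back the assertion; a non-2xx status makes getInputStream() throw.
            final HttpURLConnection get = open("GET", almaBaseUrl + "/users/" + enc(username));
            try (InputStream body = get.getInputStream()) {
                final Document user = parse(body);
                final Element id = (Element) user.getElementsByTagName("primary_id").item(0);
                final Element group = (Element) user.getElementsByTagName("user_group").item(0);
                primaryId = id == null ? null : id.getTextContent().trim();
                log.info("{} Alma returned primary id {}", getLogPrefix(), primaryId);
                if (group != null) { // rendered by Alma as <user_group desc="Staff">ST</user_group>
                    log.info("{} Alma returned user group {} / {}", getLogPrefix(), group.getTextContent(), group.getAttribute("desc"));
                }
            }
            if (primaryId == null || primaryId.isEmpty()) { throw new IOException("Alma record has no primary_id"); }
            log.info("{} Login by '{}' succeeded", getLogPrefix(), username);
            buildAuthenticationResult(profileRequestContext, authenticationContext);
        } catch (final Exception e) {
            handleError(profileRequestContext, authenticationContext, e, AuthnEventIds.AUTHN_EXCEPTION);
        }
    }

    @Override
    @Nonnull protected Subject populateSubject(@Nonnull final Subject subject) {
        subject.getPrincipals().add(new UsernamePrincipal(primaryId));
        return subject;
    }

    /** The API key goes in a header, not the query string, so it stays out of URL-level logs and proxies. */
    private HttpURLConnection open(final String method, final String url) throws IOException {
        final HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setRequestMethod(method);
        conn.setRequestProperty("Authorization", "apikey " + apiKey);
        conn.setRequestProperty("Accept", "application/xml");
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(10000);
        if ("POST".equals(method)) { conn.setDoOutput(true); conn.getOutputStream().close(); } // empty body
        return conn;
    }

    /** Alma's reply is network input: parse it with DTDs (and thus external entities / XXE) disabled. */
    private static Document parse(final InputStream body) throws Exception {
        final DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(body);
    }

    private static String enc(final String s) throws IOException { return URLEncoder.encode(s, "UTF-8"); }
}
```

Wire the bean into the IdP in place of the stock ValidateUsernamePasswordAgainstLDAP action, with scope="prototype" and the API key supplied from configuration rather than hard-coded. Two details matter more than they look: the distinction between a 400 (wrong password) and any other non-204 status keeps an outage or a revoked API key from being reported to users and to the IdP's failure counters as bad credentials, and URL-encoding the submitted values keeps reserved characters in a password from being interpreted as part of the query string. The retrieved user group is only logged here; exposing it as a SAML attribute is a job for the attribute resolver and is left to the deployment.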
The log snippet below shows the result of an authenticated user flow using the custom validator. We see the attributes that were populated from the user record in Alma:
- INFO [net.exldevnetwork.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstAlma:193] - Profile Action ValidateUsernamePasswordAgainstAlma: Alma returned primary id joshw
- INFO [net.exldevnetwork.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstAlma:194] - Profile Action ValidateUsernamePasswordAgainstAlma: Alma returned name Josh Weisman
- INFO [net.exldevnetwork.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstAlma:195] - Profile Action ValidateUsernamePasswordAgainstAlma: Alma returned user group ST / Staff
- INFO [net.exldevnetwork.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstAlma:210] - Profile Action ValidateUsernamePasswordAgainstAlma: Login by 'joshw' succeeded
This prototype is available in this GitHub repository, which includes instructions for building and deploying the validator. Further work must be done to make it production-ready, but hopefully it will get you started on the right track.