Let’s say a library patron needs an article from a journal your institution subscribes to, and your institution gains access to this publisher via IP authentication. This means the publisher will recognize the IP address of your institution and allow access to any requests coming from that address. In this scenario, the publisher is giving access not because of who the user is, but because of the institution. A problem with IP authentication arises, however, if the user is at home and therefore is not using your institution’s IP address. In this scenario, the publisher won’t recognize the institution, resulting in failed access for the user.
As you might have already gathered, IP authentication has potential problems. If your institution’s IP address is breached, hackers can use the opportunity to take advantage of your institution’s access. Because the publishers can’t identify the bad actors individually, they have no choice but to shut down access for your entire institution.
In contrast, federated access focuses on the individual rather than the institution. Instead of having to use a computer based at your organization to access e-resources, users can instead use their institutional username and password to access any digital content your organization subscribes to. This is called “single sign-on” since you only need to use one set of credentials. Your institution, through a federation services provider, vouches for these credentials with the publisher, which in turn, gives access. Essentially, the publisher doesn’t need the institution’s IP address to provide access. Instead, it is making sure that the individual user belongs to your institution.
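The difference between the two models can be sketched in a few lines of Python. This is an added example, not code from OpenAthens or any publisher: the institution name, address ranges, key and user ids are constructed, and an HMAC stands in for the signed assertion a real federation would use.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data (documentation address ranges, made-up key and user ids).
INSTITUTION_NETS = {"example-university": [ipaddress.ip_network("198.51.100.0/24")]}
FEDERATION_KEY = b"constructed-demo-key"  # stand-in for the institution's signing key
blocked_institutions = set()  # IP model: the smallest unit a publisher can block
blocked_users = set()         # federated model: one pseudonymous user can be blocked

def ip_auth(source_ip):
    """IP authentication: the decision depends only on the source address."""
    addr = ipaddress.ip_address(source_ip)
    for inst, nets in INSTITUTION_NETS.items():
        if inst not in blocked_institutions and any(addr in n for n in nets):
            return inst
    return None

def _sign(institution, user_id):
    msg = f"{institution}|{user_id}".encode()
    return hmac.new(FEDERATION_KEY, msg, hashlib.sha256).hexdigest()

def issue_assertion(institution, user_id):
    """Institution side: vouch for one user (HMAC in place of a SAML signature)."""
    return f"{institution}|{user_id}|{_sign(institution, user_id)}"

def federated_auth(assertion):
    """Publisher side: verify the voucher; the source IP plays no part."""
    institution, _, rest = assertion.partition("|")
    user_id, _, sig = rest.partition("|")
    valid = hmac.compare_digest(sig.encode(), _sign(institution, user_id).encode())
    if not valid or (institution, user_id) in blocked_users:
        return None
    return institution, user_id

def demo():
    out = {
        "ip_on_campus": ip_auth("198.51.100.23"),
        "ip_at_home": ip_auth("203.0.113.50"),
        "fed_at_home": federated_auth(issue_assertion("example-university", "user-7f3a")),
    }
    # Abuse response: block one user (federated) versus the whole institution (IP).
    blocked_users.add(("example-university", "user-7f3a"))
    blocked_institutions.add("example-university")
    out["fed_abuser"] = federated_auth(issue_assertion("example-university", "user-7f3a"))
    out["fed_other_user"] = federated_auth(issue_assertion("example-university", "user-22c1"))
    out["ip_after_block"] = ip_auth("198.51.100.23")
    return out

if __name__ == "__main__":
    print(demo())
```

After the abuse response, the federated check still admits the second user while the IP check refuses every on-campus request.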
While federated single sign-on is the more secure option, not all providers currently support federated access. Some of them still rely on IP authentication. That’s why OpenAthens supports federated access and enables a single sign-on experience for publishers who still rely on IP authentication. There are two proxy service options that OpenAthens supports.
Hosted Proxy
The first and more popular of the two IP authentication services is hosted proxy, in which OpenAthens provides the proxy hosting and an IP address. The user logs on with the same username and password used for single sign-on (SSO) and OpenAthens vouches for your credentials with your home institution, sparing your library staff from managing a proxy service in-house.
Forward Proxy
The other option is forward proxy, where OpenAthens maintains the proxy configuration files, as with hosted proxy, but the final request to the publisher is made by a local system on your institution’s infrastructure. Institutions tend to prefer forward proxy if they wish to use their existing IP address rather than a new OpenAthens-issued IP, or if they have several IP addresses to identify different parts of their organization. These institutions tend to be ones with ample IT resources. With forward proxy, your organization needs to maintain a proxy server and utilize Squid, a free proxy tool.
The GALILEO (GeorgiA LIbrary LEarning Online) consortium, which comprises 400 libraries in academic and technical colleges, K-12 and public libraries in Georgia, utilizes the OpenAthens forward proxy service. The OpenAthens implementation effort was led by Russell Palmer, Assistant Director at GALILEO Support Services. “Once our systems administrators evaluated the setup and determined that it was relatively simple and sustainable, and we could integrate the solution into our existing proxy IP infrastructure, we were glad to move forward,” said Russell about their initial experience with forward proxy.
Another benefit of forward proxy can be performance. Depending on where your institution is located, there can be some access time improvements if your institution is geographically closer to the content provider than OpenAthens, which is in the UK.
Implementation of forward proxy is also faster than that of hosted proxy because, with hosted proxy, each provider accessed through IP would need the new OpenAthens-issued IP address. With forward proxy, however, since customers use their existing IP address(es), publishers would not need to update the IP on their end.
“In the end, we gained some efficiencies... Our forward proxy setup allows us to use the institution’s existing GALILEO proxy IP. This cuts down on overall setup time with vendors. Adding and updating new OpenAthens managed proxy IPs for 400+ institutions across hundreds of vendor accounts was largely avoided,” Russell said about the benefits of forward proxy.
The beauty of federated access, hosted proxy and forward proxy is that they all look the same from the user perspective. Users can use their “everyday” institutional username and password as their single sign-on credentials. Behind the curtain, OpenAthens is handling everything seamlessly. Even if you already use single sign-on to access any applications or resources (via a SAML connection), OpenAthens federated connection access can simplify the admin setup and standardize the user journey.
Other benefits of OpenAthens and EBSCO include:
- IP/proxy and federated access services
- Granular usage statistics for informed resource and budget allocations
- Group and role-based access management
- Easy-to-use administrator interface
- 24/7 EBSCO support & training