OpenAthens is a single sign-on authentication service, which represents the ability to use one username and password to access all the content that your organization subscribes to. If you've logged in once, then that's it. This creates a fluid experience for your users. OpenAthens is an entirely cloud-hosted identity and access management suite with a dashboard, the OpenAthens admin area, which allows users to access management settings to define different permissions, categorize your users and set up resources.
In March, more than 250 people from a diverse set of institutions worldwide attended EBSCO’s webinar, “Top Questions About Authentication Asked by Librarians and Technical Staff,” featuring Amanda Ferrante, Product Manager of Authentication Solutions at EBSCO Information Services, and Jake Wiles, Technical Solutions Expert at OpenAthens. They've worked directly with many libraries to provide technical consultation and guidance, and to help set up and launch the OpenAthens service. The presentation was a result of their shared experience and lessons learned drawing from the most frequently asked questions they’ve received during their consultations.
We received almost 50 questions from attendees during the Q&A portion of the webinar. Keep reading to learn the most common queries, with answers organized by topic.
Security
Q: Is it possible for a user attribute to be reportable but not releasable?
A: Yes. Libraries can choose to make any attribute reportable or releasable; these settings are independent of one another and can be turned on and off separately. Alternatively, libraries can decline to mark a particular data attribute as reportable or releasable, using it solely for the purpose of assigning user authorizations.
Q: Can I define access levels for patrons in OpenAthens?
A: Yes. OpenAthens offers administrators the ability to manage authorizations via attributes and rule-based permission sets. Permission sets are collections of resources that can be assigned to accounts so that administrators can control which users have access to which publisher platforms. Modifying the resources in a permission set instantly changes the resources that accounts assigned to it can access, whether it be one account or a million. Users can be assigned to permission sets based on criteria identified by the institution which can include title, department, domain server, etc.
Proxy
Q: Does using OpenAthens mean proxy servers can be removed?
A: Yes. For any publishers who cannot yet support SAML SSO logins, OpenAthens manages a hosted proxy service and assigns a unique proxy IP to each subscribing library who needs one. This means that all library resources that are still only compatible with IP access can be managed under the OpenAthens umbrella alongside SAML-authenticating resources. OpenAthens' proxy service takes authenticated users to the proxied content, handling all the various rewrites that are necessary to get the content to the user and let them navigate the proxied site. The site authorizes the user because they are coming from an IP address that the site associates with the library.
Q: Are we still required to purchase/subscribe to Certificates as required by ProQuest/EZ proxy with OpenAthens?
A: No, that’s not required. We also occasionally hear about wildcards regarding some proxy services — that is also not required. OpenAthens’ hosted proxy service doesn't require any maintenance from the customer whatsoever. If you are using the managed proxy service, OpenAthens sets you up with a unique proxy IP and takes care of the rest. Proxy configuration is managed by OpenAthens’ team.
OpenAthens offers administrators the ability to manage authorizations via attributes and rule-based permission sets. Permission sets are collections of resources that can be assigned to accounts so that administrators can control which users have access to which content.
OpenAthens offers administrators the ability to manage authorizations via attributes and rule-based permission sets. Permission sets are collections of resources that can be assigned to accounts so that administrators can control which users have access to which content.
Q: Our institution is concerned with improving security, which clearly is improved with single sign-on options. However, lots of vendors don't use SSO as an authentication option. With the proxy service offered by OpenAthens, is there any security advantage given that the SSO login is what is user facing, and it interfaces with the proxy behind the scenes? E.g. would we still be able to track who logs into OpenAthens to use a proxied resource?
A: For any publishers who cannot yet support SAML SSO logins, OpenAthens manages a hosted proxy service and assigns a unique proxy IP to each subscribing library that needs one. In this scenario, the end user's initial log-in is to the OpenAthens service, which does have built-in security monitoring that flags certain behaviors that might be interpreted as misuse. After their log-in the service then redirects the user to their target platform. That means that OpenAthens can manage authorization/permissions and accrue usage data for all resources configured for access, regardless of whether that resource is using proxy IP or SAML access.
Technology
Q: Does OpenAthens work with Shibboleth?
A: Yes. OpenAthens can connect to any SAML-compliant identity application, including more traditional IdPs such as ADFS but also accompanying SAML applications like Shibboleth. Many libraries currently use a direct connection to their institution's Shibboleth instance for identity in OpenAthens. Connecting to Shibboleth within OpenAthens requires a typical 1:1 SAML metadata connection.
Q: Does Open Athens replace CAS or work with it?
A: OpenAthens can connect to a CAS server as long it is SAML compliant, which means we can connect to CAS version 5.0 and later. With anything that's SAML-based, the steps to create that connection are fairly predictable – just exchanging the appropriate SAML metadata files and updating the right settings.
Have your own question? Contact your local sales rep or enter your question at the bottom of this page.