Do you support Shibboleth-only authentication?
BrowZine operates as a technology overlay which facilitates connections to a library’s existing subscribed sources and does not hold any of this content itself. One of our goals in building BrowZine is to make the user experience as seamless as possible to connect authenticated users with content and authentication plays a big part in doing this.
With a proxy system, the user can login once, initiate a proxy session and then get full access to all entitlements with no other intervention with the proxy. This allows us to easily build URL's on the fly which we can be assured will connect with the publishers who, by identifying the IP, provide appropriate entitlements.
Shibboleth on its own, for all its benefits, does not excel at the above use case. Unfortunately, every publisher has a different way to start the Shibboleth session which usually involves clicking through a few screens to identify a library’s federation (though sometimes you can create WAYF-enabled URL's as well to help with this) and then there are still publisher/sources that do not support Shibboleth at all. Many institutions who primarily use Shibboleth or another federated technology wind up running a proxy server for at least some sources to provide full coverage for off-campus users.
Because of all of this relative complexity, to do what BrowZine is known for, we would need to create a rather bespoke set of configurations for ALL an institution’s sources which is out of scope for the design of BrowZine. In particular, when we compare this to VPN or Proxy-based systems which need just one URL prefix for all sources to work and compare it to worldwide norms, there are very few institutions who do not use a proxy/VPN system alongside a federated system.
I heard we use Shibboleth in our authentication. How do I know if we are compatible?
Many institutions around the world embrace Shibboleth as a Single-Sign On (SSO) Identity Provider (IdP) to enable access to resources used all over campus including email, courseware, scientific web resources, library resources and more. However, because of the limitations described above for the user experience when accessing library resources, as well as the lack of full support from all publishers, many libraries choose to make the Service Provider (SP) not the Publisher, but instead the Proxy Server. Thus, the IdP is enabling access to the proxy (SP) so that the proxy may be used to complete the “transaction” that the user is requesting such as access to a subscribed journal.
This leads to much confusion in the library world about what “using Shibboleth” really means when discussed in terms of authentication technology. Whether you are using the publishers as the SP’s or the proxy, you are still “using Shibboleth” but BrowZine only supports situations where Shibboleth is authenticating the proxy.
How can I tell if my library is using a proxy authenticated by Shibboleth?
The easiest way to tell is if the domain has a proxy inserted in it after authentication from off-campus. From your library’s home page, find a database for content behind a paywall and click the link. If you are presented with a login screen, login. Now take a look at the resulting URL. If it has been “transformed” in some way to insert some additional subdomains, you are running a proxy.
WAM Proxy style:
If instead, the link looks like:
You are not running a proxy and thus incompatible with BrowZine.
If you have any questions or find that you are running a “Shibboleth-Only” authentication system, please contact us for additional access options.