SAML-based authentication for patrons


Note: Version Support

The Circulation Manager ONLY supports SAML version 2.0 and above. SAML 2.0 is not backward compatible with earlier versions.

The Circulation Manager occupies the Service Provider (SP) role in the SAML Protocol and authenticates a patron against an Identity Provider (IdP).

Identity Providers (IdPs) may rely on a number of services, such as Shibboleth, CAS and EZProxy, to protect resources. The following workflows describe the communication between those systems and the Circulation Manager (SP).

Workflows

SAML

The SAML-based authentication workflow for patrons is depicted in the figure below:

Image I. SAML Authentication Workflow in Circulation Manager
(content provider does not use SAML)


Both the Circulation Manager and the IdP must have their metadata registered with each other. In the simplest case this is a Shibboleth environment where the SP's metadata is added to the IdP's configuration and vice versa. A better solution, however, is to register the Circulation Manager with the InCommon Federation, which allows any IdP in the federation to be used.

SAML with EZProxy

The figure below shows the workflow when the content itself is protected by a SAML authentication mechanism, either a SAML proxy or EZProxy with SAML authentication turned on.

Image II. SAML Authentication Workflow in Circulation Manager
(content provider uses a SAML proxy or EZProxy with SAML authentication turned on)

SAML with CAS and EZProxy

An alternate configuration may delegate authentication to another application, such as a CAS server.

Image III. SAML Authentication Workflow in Circulation Manager
(content provider uses a SAML proxy or EZProxy with SAML authentication turned on and authentication delegated to CAS)


In this case there are two authentication events:

  1. The user authenticates to the Circulation Manager. This works exactly as in the previous case: the user authenticates against the IdP, either by entering credentials on the IdP's login form or through other mechanisms set up in the IdP's settings.
  2. The user authenticates to the SAML proxy/EZProxy. This should not require the user to authenticate against the IdP again. However, the IdP may show a consent screen asking the user to confirm the use of their credentials with a different SP (either the SAML proxy or EZProxy).

Configuration

SAML-based authentication for patrons requires certain configuration to be set up to work correctly. The configuration parameters are described in Table I. Further information about the SAML Authentication Provider's configuration is available in the corresponding article.

Table I. Circulation Manager SP's Configuration

Parameter Name                   | Mandatory | Description
---------------------------------|-----------|-------------------------------------------------------------------------------------------------------------------
Service Provider's XML metadata  | Yes       | SAML metadata of the Circulation Manager's Service Provider in XML format (must contain exactly one SPSSODescriptor tag)
Service Provider's private key   | No        | Private key used for encrypting and signing SAML requests
Identity Provider's XML metadata | Yes       | SAML metadata of Identity Providers in XML format (may contain multiple IDPSSODescriptor tags)
SAML token expiration days       | No        |

Testing

You can find information about testing in the SAML Testbed article.
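The two metadata parameters in Table I carry structural constraints (exactly one SPSSODescriptor on the SP side, one or more IDPSSODescriptor elements on the IdP side) that are worth checking before the metadata is trusted. The following is an added example, not code from the Circulation Manager project: it loads both documents with the Python standard library and enforces those constraints, refusing any IdP that publishes no signing certificate, since without one the SP cannot verify assertion signatures. The entity IDs, URLs and certificate bodies are constructed placeholders; the namespace URIs are the standard SAML 2.0 and XML Signature ones.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML Signature namespaces.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}
ENTITY_TAG = f"{{{MD_NS}}}EntityDescriptor"

# Constructed sample SP metadata (entityID and URLs are made up): one
# EntityDescriptor holding exactly one SPSSODescriptor, as Table I requires.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://circulation.example.org/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://circulation.example.org/saml/callback"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample IdP metadata: an EntitiesDescriptor aggregate (the shape
# of a federation feed) with two IDPSSODescriptor elements, which Table I
# allows. The certificate bodies are placeholders, not real certificates.
IDP_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp.library-a.example/idp">
    <md:IDPSSODescriptor>
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERT-A</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.library-a.example/idp/SSO/Redirect"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.library-b.example/idp">
    <md:IDPSSODescriptor>
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERT-B</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.library-b.example/idp/SSO/POST"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


class MetadataError(ValueError):
    """Metadata violates a constraint the configuration relies on."""


def _entity_descriptors(xml_text):
    # xml.etree does not fetch external entities, but it has no defence
    # against entity-expansion bombs; parse untrusted feeds with defusedxml.
    root = ET.fromstring(xml_text)
    # Accept a lone EntityDescriptor or an EntitiesDescriptor aggregate.
    return [root] if root.tag == ENTITY_TAG else list(root.iter(ENTITY_TAG))


def validate_sp_metadata(xml_text):
    """Require exactly one SPSSODescriptor and summarise its settings."""
    found = [(ed, sp) for ed in _entity_descriptors(xml_text)
             for sp in ed.findall("md:SPSSODescriptor", NS)]
    if len(found) != 1:
        raise MetadataError(
            f"expected exactly one SPSSODescriptor, found {len(found)}")
    entity, sp = found[0]
    return {
        "entity_id": entity.get("entityID"),
        # Unsigned requests and unsigned assertions weaken what the SP can
        # verify, so surface both flags for review.
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "acs_urls": [a.get("Location")
                     for a in sp.findall("md:AssertionConsumerService", NS)],
    }


def load_idp_metadata(xml_text):
    """Index every IDPSSODescriptor by entityID; zero IdPs is an error."""
    idps = {}
    for entity in _entity_descriptors(xml_text):
        for idp in entity.findall("md:IDPSSODescriptor", NS):
            # A KeyDescriptor without a "use" attribute serves both signing
            # and encryption, so it counts as a signing key.
            certs = [(c.text or "").strip()
                     for kd in idp.findall("md:KeyDescriptor", NS)
                     if kd.get("use", "signing") == "signing"
                     for c in kd.findall(".//ds:X509Certificate", NS)]
            if not certs:
                # Without a signing certificate, assertion signatures from
                # this IdP cannot be verified, so refuse to trust it.
                raise MetadataError(
                    f"{entity.get('entityID')} publishes no signing certificate")
            idps[entity.get("entityID")] = {
                "sso": {s.get("Binding"): s.get("Location")
                        for s in idp.findall("md:SingleSignOnService", NS)},
                "signing_certs": certs,
            }
    if not idps:
        raise MetadataError("no IDPSSODescriptor found")
    return idps
```

Running validate_sp_metadata(SP_METADATA) returns the SP's entityID, its signing flags and the AssertionConsumerService URLs; load_idp_metadata(IDP_METADATA) returns a dictionary keyed by the two IdP entityIDs, each with its SingleSignOnService bindings and signing certificates. Feeding the SP document to load_idp_metadata, or a document with two SPSSODescriptor elements to validate_sp_metadata, raises MetadataError, which is the behaviour a configuration screen should surface rather than silently picking one descriptor.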