Accessing Members-only Services with OpenAthens instead of Shibboleth

February 28, 2018

By Sandra McIntyre, Director of Services & Operations

Working with the library staff at Macalester College, we have successfully set up log-in access to HathiTrust member services for the first timeusing OpenAthens rather than Shibboleth for providing information about users’ identities. OpenAthens is a hosted identity provider service created at the University of Bath in the UK in 1996 and managed by Eduserv. It is now commonly used by educational institutions and healthcare organizations in parts of Europe and Asia, with new member institutions in North America. Like Shibboleth, it is compliant with the Security Assertion Markup Language 2.0 (SAML 2.0) standard for exchanging authentication and authorization data between security domains. It manages single sign-on for users to a variety of service providers — e.g., publishers and other authenticated access sites like HathiTrust — through its gateway.

With coordination with Macalester staff, HathiTrust has completed its first pilot to accept identity data from the OpenAthens system. Minor configuration adjustments by OpenAthens staff were required to release the attributes that HathiTrust needs. The new service enables Macalester to offer access to HathiTrust members-only services, such as full-book download for public domain volumes, to its students, faculty, and other affiliates. It also enables Macalester to set up access to HathiTrust in-copyright volumes for a staff member on behalf of members with print disabilities.

“We have some happy faculty on campus with our new access to HathiTrust,” says Katy Gabrio, assistant library director for collection development and discovery at Macalester. The library also is setting up a staff member in the College’s Disability Services department for proxy server access. According to Katy, a “hiccup” occurred recently in communication between OpenAthens and Macalester, leading to a temporary glitch in the service, but quick changes were made and all is well again.

Currently, HathiTrust requires that partners using OpenAthens adhere to the same InCommon Federation standards for SAML 2.0 exchange that our Shibboleth-using partners observe, and partners must join the InCommon Federation. “Our requirement for InCommon membership is based on a principle of leveraging the trust fabric of SAML federations for our login relationships,” explains Sebastien Korner, head of the Architecture & Engineering group at the University of Michigan Library, which configures the authorization systems for HathiTrust.

We welcome inquiries to from other members or potential members who are interested in using OpenAthens for accessing members-only services at HathiTrust. Current requirements for user identity authorization in HathiTrust include:

  • Operation of a SAML 2.0-compliant identity provider, such as Shibboleth or OpenAthens
  • Membership in the InCommon Federation and adherence to its standards for trusted shared management of access to online resources
  • Provision of required attributes for HathiTrust use
  • Membership in HathiTrust

In the future, HathiTrust will explore the benefit of registering directly with the OpenAthens Federation as a (paying) service provider, which would possibly eliminate the need for InCommon membership by OpenAthens institutions. We look forward to hearing about members’ needs as we evolve the authorization service.