Phase 1 OpenAthens questionnaire for CARLI I-Share members

Page 1

OpenAthens is a single sign-on service that offers library end users a seamless SSO experience and the benefit of secure SAML access. Library administrators can use OpenAthens to manage group authorizations and access, pull granular usage data, and consolidate both SAML and proxy IP authentication into a single, fully cloud-hosted solution.

This questionnaire outlines the information needed from CARLI I-Share members to configure OpenAthens log-ins to ExLibris Alma and Primo VE.





Page 2

Information about your institution’s Identity Provider, or directory of user accounts.


Please note, your institution's IT or Identity & Access Management (IAM) team may be needed to help answer questions in this section.

The OpenAthens single sign-on service can connect to existing user accounts. This means that a user’s initial log-in to the SSO service will be with their institutional account – in most cases, the same email or username they already use to log into their school email and so on. Connecting to your institution’s Identity Provider (IdP) is a one-time process. We establish a secure connection, and your IT or IdP team releases to OpenAthens any data attributes it needs.

To connect to your institution’s Identity Provider, we will first need to know where user accounts are stored. Types of IdPs we can connect to OpenAthens include:
  • Microsoft Active Directory (ADFS or LDAP)
  • Microsoft Azure
  • Other SAML-compliant IdP applications, such as Google Suite, PingFederate, Okta, etc.
  • CAS version 5.x or later
If the library's institution does not use an Identity Provider, OpenAthens can store accounts; select the relevant option below for more information.




Once your IdP's SAML metadata is ingested into OpenAthens, EBSCO's Implementation team will return to you an OpenAthens SAML metadata file to be configured in your IdP settings as a relying party trust.






The only data attribute that is required by OpenAthens is some piece of information that can be used to uniquely identify each account, such as an ID number, targetedID, or emailAddress. If privacy is a concern, it is important to know that OpenAthens does not require personally identifiable data. For additional information on these parts of an OpenAthens setup and controls over data release, please see this documentation. Please note, if you plan to use a specific attribute to personalize/identify users in Alma/Primo, OpenAthens must receive that same attribute from your IdP in order to facilitate personalized log-ins to Alma/Primo.
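A way for an IT or IAM team to check its attribute release against the requirements above before go-live is sketched here as an added example; it is not OpenAthens or EBSCO code. The attribute names (`targetedID`, `emailAddress`, `idNumber`, `displayName`, `homePostalAddress`), the choice of `emailAddress` as the Alma/Primo matching attribute, and the sample assertion fragment are all assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an AttributeStatement captured from a test log-in.
# Parse only locally captured test data this way, not untrusted input.
SAMPLE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="targetedID">
    <saml:AttributeValue>a1b2c3-constructed-opaque-id</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="displayName">
    <saml:AttributeValue>Example Patron</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="homePostalAddress">
    <saml:AttributeValue>1 Constructed Street</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

def released_attributes(statement_xml):
    """Map each released attribute Name to its list of non-empty values."""
    root = ET.fromstring(statement_xml)
    released = {}
    for attr in root.findall("saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        released[attr.get("Name")] = [v for v in values if v]
    return released

def review_release(statement_xml, unique_id_names, alma_match_attr, allowed):
    """Check the release for the unique identifier, the attribute Alma/Primo
    will match on, and anything released beyond the agreed allow-list."""
    attrs = released_attributes(statement_xml)
    return {
        "missing_unique_id": not any(attrs.get(n) for n in unique_id_names),
        "missing_alma_attr": not attrs.get(alma_match_attr),
        "unneeded": sorted(n for n in attrs if n not in allowed),
    }

if __name__ == "__main__":
    print(review_release(
        SAMPLE_STATEMENT,
        unique_id_names=("targetedID", "emailAddress", "idNumber"),
        alma_match_attr="emailAddress",      # hypothetical matching attribute
        allowed={"targetedID", "emailAddress"},
    ))
```

In the constructed sample the unique identifier is present, but the attribute chosen for Alma/Primo matching is not released, and two attributes outside the allow-list are, which is the over-release a privacy review would want removed at the IdP.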
Account creation via Bulk Upload

If your institution does not have an IT-managed directory of user accounts, then EBSCO's team can help load your users into the OpenAthens dashboard to create accounts for them. This process is called a Bulk Upload. Information on Bulk Upload account creation can be found here and here; your EBSCO Implementation team will provide you with an Excel template to list your user accounts on.
Supporting accounts for walk-in users alongside your institutional directory

A common use case amongst academic libraries is that a local directory (IdP) stores accounts for staff, faculty, and actively enrolled students, but the library also needs some way to support log-ins for walk-in users who do not have an IdP account. To support walk-in users, the library has several options:
  • Continue using IP access for on-campus users, including walk-ins. This can be set up in the library's OpenAthens settings using an IP Bypass. When an IP bypass is in use, on-campus users will continue to use IP access even when they click on an OpenAthens link. In this scenario, OpenAthens will only be the remote access solution, and the library's OpenAthens usage reports will only reflect data for remote usage.

  • Create accounts on a one-off, as-needed basis within OpenAthens. OpenAthens allows the library to manually create accounts on the fly for walk-in users; the librarian can specify the date until which the account is valid. There are two types of accounts created in OpenAthens: personal accounts, which are assigned to a single person and can be used on-campus and off; and access accounts, which are username/password credentials that can only be used within the library, as they are tethered to the library's IP address. Access accounts can be shared within the library because they cannot be used off-campus.

Page 3

Test account from your institutional directory.


If your IT can issue a temporary account from your institutional directory to EBSCO's Implementation team, it can be used for testing during configuration. This is known to make the overall setup process more efficient.

Please note, if your library doesn't have an institutional directory you can respond to this question with "N/A."

Page 4

Information to set up OpenAthens log-ins to ExLibris Alma and Primo VE.


Please note, this component may require some assistance from your ExLibris support team. To complete this component, a SAML integration profile will need to be set up in the Alma/Primo VE settings. The following steps outline that process:

  1. In your library's ExLibris Alma and Primo VE administrative settings, create a SAML integration profile and generate SAML metadata. ExLibris' Support team will create this profile using information provided by your EBSCO Implementation team. 

    For your reference, documentation for how settings are configured for Alma and Primo VE can be found here.

  2. The integration for Alma and Primo VE is configured in OpenAthens. Your EBSCO Implementation team will take care of this using information received from ExLibris.

Your ExLibris support team may be able to assist in identifying the correct attribute. Your EBSCO team will then release it to Alma/Primo VE to support personalized log-ins.

Page 5

Upon submission of this form, your EBSCO Implementation team will work with your library and IT team to complete the aforementioned configuration.

Once completed, your end users will be able to log into Alma and Primo VE using OpenAthens. When someone clicks on “Sign in” in the Alma/Primo VE interface or attempts to access any feature that requires a user to be logged in, they will be prompted to log in through OpenAthens using their institutional account. A single log-in through OpenAthens will represent the beginning of their single sign-on session, so additional clicks to full text options within Alma or Primo VE will not require an additional log-in.

All additional subscribed library content will be set up to use OpenAthens log-ins during Phase 2 of CARLI I-Share libraries' implementations; see below.

One email per field.


The aforementioned steps constitute Phase 1 of CARLI I-Share members' OpenAthens implementations. Following the completion of Phase 1, I-Share members will work with EBSCO's Implementation team to complete the remainder of a full OpenAthens setup, including configuring OpenAthens access to the remainder of library subscriptions, tools, and applications. The questionnaire for Phase 2 can be found here.

For additional information and documentation on the OpenAthens service during this time, please reference the following:

Thank you for your submission! Your EBSCO Implementation team will be in touch soon.