New Primo Authentication: Transitioning from PDS to SAML
Paul McBride, Senior Primo Support Analyst
Wei Dai, Technical Infrastructure Analyst

Welcome and Introductions
Paul McBride: Tier 2 Primo Senior Support Analyst; joined Ex Libris in 2010; SME on Primo APIs; 10 years of corporate IT application development and support.
Wei Dai: Infrastructure Support Specialist; joined Ex Libris in 2005; previously did application development for academic libraries.
Objectives and Target Audience
Session objectives: after this session you will be able to
- describe the supported authentication methods, cascading login and parallel login
- plan for moving to the Primo Authentication Manager
- understand the advantages and limits of this new option
- configure and enable a profile
Target audience: new or experienced customers; systems or technical librarians; developers. Familiarity with your current authentication setup is assumed.

Agenda
1. Primo Authentication Manager
2. How It Works
3. Configuration
4. Customization & Sandbox
5. Next Steps and Support Resources
Primo Authentication Manager
Primo Authentication Manager – Supported methods
Single Sign-On: SAML (this covers ADFS, Active Directory Federation Services, which acts as a SAML identity provider), CAS
Direct Login: LDAP, Aleph
Future: Ex Libris Cloud Identity Provider; OAuth2 (Facebook, Google, Twitter); Email / password-less sign-in
* Cannot be used with Aleph or Voyager
Note: the Primo Authentication Manager is only for patrons, not for Primo staff (Back Office) users.

Primo Authentication Manager – Features
- Parallel Login: any login type, up to 5 profiles
- Cascading Login: multiple Direct Login instances tried in turn
- Attribute Mapping: similar to PDS
- Back Office interface: no need for server access
- Simplified Configuration: streamlined configuration for each authentication method
- Customer Configuration: entirely configured and maintained by customers

Patron ID in Primo
The patron ID is the key that ties a user to their personalized data: E-Shelf, Saved Searches, Saved Search Alerts, Tags & Reviews, Search Preferences (e.g. results per page) and Personalized Results. Switching authentication method may cause the ID Primo receives to change, after which the E-Shelf and the other items above appear to be missing. A good indicator that you may run into this problem is if you have to add an identifier to the Alma record for the new method.
How It Works
Authentication & Authorization Flow
This flow is independent of the chosen authentication method.
1. Login request from the user to Primo.
2. Primo forwards the login request to the Authority (the IdP, CAS or LDAP server).
3. Authority: Identity Confirmed; returns an ID code to Primo.
4. Primo requests user info (GUEST) from the Patron Information Source.
5. Patron Information Source: User ID confirmed; returns the user information.
6. Primo processes the received information, creates the session: Login Success.

OAuth2 – Authentication Flow
1. Login request: the user chooses the OAuth system and Primo sends the request.
2. User consents at the provider (Facebook, Google, Twitter); token received.
3. Token verified; Identity Confirmed; ID code returned.
4. Primo requests the user ID from Alma. Alma adds the social ID to the user's identifiers and creates and delivers the access token and social ID (an email invitation is sent as part of self-registration).
5. Send confirmation; Primo requests user info (GUEST); session created.
Notes: Primo accesses social login via Alma. The behaviour differs depending on whether self-registration is enabled or disabled in Alma. On the second login the flow starts from the Request ID, based on the user's token.

Request & Loans API
1. Primo loads the Alma iFrame with the request URL + session ID.
2. Alma finds the user by session ID and starts the verification process.
3. User identity verified and authorized; the request / loan information is returned and displayed.
Note: the PDS handle uses a token instead of the UID for security reasons, and the HTTP request is secured.
Configuration
Configuration
1. Configuring a Profile
2. Cascading Login
3. Parallel Login
4. Attribute & Value Mapping
5. Alma Configuration

Configuration – Ongoing
Configuration Wizards > User Authentication Wizard. Profiles are activated and de-activated with the dropdowns on this page; no server access is needed.

SAML Configuration
Note: the certificate file from the IdP (used to verify the IdP's signed SAML responses) is uploaded here.

CAS Configuration
Very streamlined and simplified compared to PDS/CAS.

LDAP Configuration
The certificate for LDAP exists on the customer's side, not Primo's. It must be signed by a certificate authority recognized by Primo, so a self-signed certificate, or one issued by a private CA that Primo does not trust, will fail.
Cascading Login Profile – Creating
Cascading Login Profile – Profile Selection
Cascading Login Profile
Attribute & Value Mapping Example
User information source parameters are available after you save a profile. Defaults appropriate for the source system (here Aleph) are filled in for you.

Attributes List
email_address: The user's email address. Primo will use this email address if the user does not have an email address defined in Primo. If the EMAIL_OVERRIDE authentication parameter has been enabled, the value of this attribute will override the email address defined for the user in Primo. For Alma the default mapping is email_address.
group: The user group. For Alma the default mapping is group.
id: The user ID. For Alma the default mapping is id.
ils_api_id: The ID used for OPAC via Primo in case it is not the same as the regular ID. For Alma there is no default mapping because this attribute is not required for Alma.
institute: The Primo institution. This attribute can be used if there is a need to override the institution that the user signed in with (that is, the institution of the view). For Alma there is no default mapping because the Primo institution defaults to the institution of the active view. If you want to override the institution of the view, you can specify an Alma attribute.
name: The name that displays for the user in the Primo Front End. For Alma the default mapping is userName.
Documentation: https://knowledge.exlibrisgroup.com/Primo/Product_Documentation/Back_Office_Guide/Primo_User_Authentication/Attribute_Mapping
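The mapping rules in the Attributes List are easy to get wrong when moving from PDS to the Authentication Manager (which ID wins, when the source email replaces the Primo one, what happens to institute when the IdP releases nothing). The following is an added example, not Ex Libris code, that models those rules in Python so a migration can be dry-run against sample attributes before any profile is enabled. The Alma defaults come from the table above; the SAML-style mapping (uid, mail, displayName, eduPersonAffiliation) and the sample users are constructed assumptions for illustration, not Primo defaults.

```python
"""Dry-run of Primo attribute mapping (added example, not Ex Libris code).

Models the Attributes List semantics: the six Primo attributes, the Alma
defaults, the ils_api_id / institute fallbacks and the EMAIL_OVERRIDE rule.
"""
from typing import Any, Dict, Mapping, Optional

PRIMO_ATTRIBUTES = ("email_address", "group", "id", "ils_api_id", "institute", "name")

# Defaults Primo fills in for an Alma source (from the Attributes List).
# ils_api_id and institute have no Alma default.
ALMA_DEFAULT_MAPPING = {
    "email_address": "email_address",
    "group": "group",
    "id": "id",
    "name": "userName",
}

# Illustrative mapping for a SAML IdP that releases LDAP-style attributes.
# This is an assumption for the example, not a Primo default.
SAML_EXAMPLE_MAPPING = {
    "id": "uid",
    "email_address": "mail",
    "name": "displayName",
    "group": "eduPersonAffiliation",
}


def _first(value: Any) -> Optional[str]:
    """SAML attributes are often multi-valued; Primo attributes are single-valued.
    Take the first non-empty value, or None if there is none."""
    if value is None:
        return None
    if isinstance(value, (list, tuple)):
        for v in value:
            if v not in (None, ""):
                return str(v)
        return None
    return str(value) if value != "" else None


def map_attributes(
    source: Mapping[str, Any],
    mapping: Mapping[str, str] = ALMA_DEFAULT_MAPPING,
    *,
    view_institution: str,
    existing_email: Optional[str] = None,
    email_override: bool = False,
) -> Dict[str, Optional[str]]:
    """Translate raw source attributes into the six Primo attributes.

    source           attributes returned by the IdP / patron information source
    mapping          Primo attribute name -> source attribute name
    view_institution institution of the active view (default for 'institute')
    existing_email   email already stored for this user in Primo, if any
    email_override   the EMAIL_OVERRIDE authentication parameter
    """
    picked = {p: _first(source.get(s)) for p, s in mapping.items() if p in PRIMO_ATTRIBUTES}

    user_id = picked.get("id")
    if not user_id:
        # No ID means nothing to bind the session to. Remember the page's
        # warning: a *changed* ID also orphans the E-Shelf and saved searches.
        raise ValueError("source did not supply the mapped 'id' attribute")

    # ils_api_id is only needed when the OPAC-via-Primo ID differs from the regular ID.
    ils_api_id = picked.get("ils_api_id") or user_id

    # institute overrides the view's institution only when the source supplies one.
    institute = picked.get("institute") or view_institution

    # The source email is used when Primo has none; with EMAIL_OVERRIDE it wins
    # even when Primo already holds an address.
    source_email = picked.get("email_address")
    if existing_email is None or (email_override and source_email):
        email = source_email or existing_email
    else:
        email = existing_email

    return {
        "id": user_id,
        "ils_api_id": ils_api_id,
        "institute": institute,
        "email_address": email,
        "group": picked.get("group"),
        "name": picked.get("name"),
    }


if __name__ == "__main__":
    # Constructed sample: the same person as seen by Alma and by a SAML IdP.
    alma_user = {"id": "jdoe", "email_address": "jdoe@univ.example", "group": "staff", "userName": "Jane Doe"}
    saml_user = {"uid": ["jdoe"], "mail": ["jdoe@idp.example"], "displayName": ["Jane Doe"],
                 "eduPersonAffiliation": ["staff", "member"]}
    print(map_attributes(alma_user, view_institution="MAIN", existing_email="old@univ.example"))
    print(map_attributes(saml_user, SAML_EXAMPLE_MAPPING, view_institution="MAIN"))
```

Run the Alma mapping and the SAML mapping for the same test accounts and compare the "id" values: if they differ, the E-Shelf problem described under "Patron ID in Primo" will hit those users after the switch.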
Alma Configuration – Primo PDS URL
Update the primo_pds_url parameter, found under Alma > General Configuration > Configuration Menu > General Configuration > Other Settings. Set it to a URL formatted like:
http://<host>:<port>/primo_library/libweb/webservices/rest/PDSUserInfo?
Use http or https to match the HTTP/HTTPS setting in Primo for OvP (OPAC via Primo).

Alma Configuration – Patron Identifier
Check the patron record for the identifier value and make sure the user has the "Patron" permissions. The secondary identifiers are case sensitive, so the value Primo sends must match the Alma identifier exactly.
Customization & Sandbox
Parallel Login
Code Tables > User Login. This selection page is customized to reflect the Main and Secondary Profiles that were configured in the User Authentication Wizard. Beyond the verbiage updates, any other customizations (colors, logos, background, etc.) can be completed by the customer: use the Uploader Tool in the Primo Back Office to load the login page CSS files to the same directory where the FE CSS customizations have been uploaded. Once they are uploaded, map the CSS directory in the Static HTML section of the View Configuration for the institution.

Direct Login
The direct login page is customized the same way as the parallel login selection page: verbiage via Code Tables > User Login, and colors, logos, background, etc. via CSS uploaded with the Uploader Tool and mapped in the Static HTML section of the View Configuration.
Documentation: https://knowledge.exlibrisgroup.com/Primo/Product_Documentation/060Back_Office_Guide/040Primo_User_Authentication/080Login_Pages_for_User_Authentication
Sandbox Testing
In Alma:
- Update primo_test_pds_url to point to your Primo Sandbox.
- Add the Primo Sandbox FE IP addresses to the PDS IPs table.
In Primo:
- Append &env_type=test to the Template Code field of the following templates: almasingle_services, Almaviewit_remote, Almagetit_remote, Almagetit, Almasingle_service_remote, almaviewit_services, almagetit_services, Almasingle_service, Almaviewit.
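Two of the Alma-side settings above are easy to get subtly wrong: a primo_pds_url whose scheme does not match Primo's OvP setting, and a template code that gets &env_type=test appended twice (or not at all) when the sandbox is refreshed. The following is an added example, not Ex Libris code, that checks a primo_pds_url value against the documented shape and applies the sandbox suffix idempotently to the template codes listed on this page. The hostname and template contents are constructed sample values; whether the trailing '?' is strictly required is not stated on the page, so the check only reports deviation from the documented format.

```python
"""Checks for the Alma-side settings covered on this page (added example, not Ex Libris code)."""
from typing import Dict, List
from urllib.parse import urlsplit

PDS_USER_INFO_PATH = "/primo_library/libweb/webservices/rest/PDSUserInfo"

# Template codes that need &env_type=test for sandbox testing (from the page).
SANDBOX_TEMPLATE_CODES = (
    "almasingle_services", "Almaviewit_remote", "Almagetit_remote", "Almagetit",
    "Almasingle_service_remote", "almaviewit_services", "almagetit_services",
    "Almasingle_service", "Almaviewit",
)


def check_primo_pds_url(url: str, primo_scheme: str) -> List[str]:
    """Return the problems found in a primo_pds_url value (empty list = OK).

    Documented shape: http(s)://<host>:<port>/primo_library/libweb/webservices/rest/PDSUserInfo?
    primo_scheme is the HTTP/HTTPS setting Primo uses for OvP; the two must agree.
    """
    problems: List[str] = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append(f"scheme must be http or https, got {parts.scheme!r}")
    elif parts.scheme != primo_scheme:
        problems.append(f"scheme {parts.scheme} does not match the Primo OvP setting {primo_scheme}")
    if not parts.hostname:
        problems.append("missing host")
    if parts.path != PDS_USER_INFO_PATH:
        problems.append(f"path must be {PDS_USER_INFO_PATH}, got {parts.path!r}")
    if parts.query or parts.fragment:
        problems.append("documented format has an empty query after the trailing '?' and no fragment")
    if not url.endswith("?"):
        problems.append("documented format ends with a trailing '?'")
    return problems


def sandbox_template_code(template_code: str) -> str:
    """Append &env_type=test to one template code exactly once."""
    if "env_type=test" in template_code:
        return template_code
    return template_code + "&env_type=test"


def sandbox_templates(templates: Dict[str, str]) -> Dict[str, str]:
    """Apply the sandbox suffix to the templates listed on this page and leave all others alone."""
    return {
        code: sandbox_template_code(value) if code in SANDBOX_TEMPLATE_CODES else value
        for code, value in templates.items()
    }


if __name__ == "__main__":
    # Constructed sample values; primo.example.edu is not a real host.
    for candidate in (
        "https://primo.example.edu:443/primo_library/libweb/webservices/rest/PDSUserInfo?",
        "http://primo.example.edu/primo_library/libweb/webservices/rest/PDSUserInfo",
    ):
        print(candidate, "->", check_primo_pds_url(candidate, "https") or "OK")
    print(sandbox_templates({"Almagetit": "getit?view=MAIN", "some_other_template": "x"}))
```

Run the URL check once with primo_scheme set to whatever Primo is actually configured with for OvP; in a hosted environment that should be https, and an http value left over from a pre-SSL setup is a common reason the Alma callback fails after the switch.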
Next Steps and Support Resources
Customer Knowledge Center:
- Primo User Authentication
- Attribute Mapping
- Primo Authentication configured and working but Alma GetIt still wants me to sign in
- Changing to a vanity URL: Working with custom domain names on hosted ExLibris environments, https://knowledge.exlibrisgroup.com/Primo/Knowledge_Articles/Working_with_custom_domain_names_on_hosted_ExLibris_environments
Additional support resources within the Ex Libris ecosystem:
- Idea Exchange: submit development ideas for features you think are important to add
- System Status Pages: Single Tenant ENV / Multi-Tenant ENV
- Developer Network
- Technical Seminar Presentations, including this session, located in the Cross-Product section of the CKC

Q & A
Any questions?
Session Feedback We Value Your Feedback! Please complete the brief Session Comment Card:
THANK YOU Wei.Dai@exlibrisgroup.com Paul.McBride@exlibrisgroup.com