Knowledge Integration

FedAccs delivers federated authentication to FOLIO

Sharing of learning facilities and resources with other institutions will become a whole lot simpler and cheaper for FOLIO libraries.

University libraries in Germany, and elsewhere, are increasingly looking to pool their physical and online learning resources and facilities. This trend is fuelled by a diverse range of needs and circumstances.

  • Cost of electronic resources
  • An increase in home learning, where the closest university might be different to the student’s registered institution
  • Growth of the availability of interdisciplinary study programs, often delivered between two or more academic institutions
  • The move towards a thematic focus for some universities, becoming centres of excellence in specific subject areas with large collections of resources
  • Lack of space on library shelves

To support this collaborative approach, universities form partnerships known as “federations”. Institutions within a federation may then agree to allow students from other universities in the group to use and borrow resources. In the Rhine-Main region, the Rhine-Main Universities (RMU) alliance, consisting of Goethe University (GU) Frankfurt am Main, Johannes Gutenberg University (JGU) Mainz and Technical University (TU) Darmstadt, aims to form such a partnership. Whilst this may seem a simple aim, in practice it raises difficulties around tracking and controlling which individuals have access to what, and for how long.

At present, each student must hold an account and a chip card for each participating library and present the appropriate identity when using another library’s facilities and resources. This allows each user to be validated as a registered student every time they perform a transaction, be it borrowing a physical item or using an online service. The downside is that each student may end up with several ways of authenticating. Besides being an inconvenience for the individual, managing accounts for students from other universities and issuing them with chip cards is resource intensive and uneconomical for the institutions involved.

Ideally each student would be able to use a single library account to access what they need at any of the collaborating libraries. It is with this goal in mind that the University and State Library Darmstadt (ULB) of the TU Darmstadt approached Knowledge Integration. How might a student’s “home” university account be used to authenticate them when accessing another university’s resources? Given that the FOLIO library management platform is in use at many universities, could FOLIO be used to manage this authentication, and would K-Int like to build a prototype to test the concept? We rose to the challenge of course.

Existing technical landscape

TU Darmstadt was already a member of the DFN federation: a group of universities and other research institutions in Germany that have established and agreed a level of “trust”. Any other university wishing to share facilities would also need to be a DFN member.

Trust between a service such as FOLIO and the universities’ Identity Providers (IdPs) is established through DFN-AAI, the federation’s authentication and authorisation infrastructure, which publishes the metadata describing every member IdP. The IdPs and the services that rely on them communicate using SAML 2.0. Figure 1 shows the basic relationship.

Figure 1 - the basic communication model for institutions in the DFN federation

The challenge

The project, named “FedAccs”, had a core goal: to enable FOLIO to authenticate users against a federation. To achieve this we needed to bridge FOLIO’s own login and DFN-AAI, so that an identity asserted by a federation member could be used to sign a user in. FOLIO already had a module providing basic SAML 2.0 integration, and we decided to extend it rather than build a replacement, so that the wider FOLIO user community could easily benefit from the new features. A review of the module showed that it lacked three essential pieces of functionality. The ability to:

  • Automatically create FOLIO user accounts for first time users when external authentication is successful
  • Consume identity provider metadata from a federation, rather than just a single institution
  • Allow the user to select their institution’s identity provider to authenticate against

Our prototype not only needed to address these three areas, it also needed to do it in a way which was as seamless as possible for the user.

Figure 2 illustrates the process when a student from GU Frankfurt goes to a TU Darmstadt library for the first time to borrow a book. The user selects “GU Frankfurt” in the FOLIO login screen and enters their GU Frankfurt login credentials. This is the desired extent of the user interaction. The three technical parties, TU Darmstadt, GU Frankfurt and DFN-AAI, manage the authentication process seamlessly in the background, and a new account is created for the student on TU Darmstadt’s FOLIO platform, enabling them to borrow the desired book.

Figure 2 – a model of the authentication process

What we did

To meet the first requirement, creating a FOLIO account when a user authenticates, we extended the module’s administrator interface with an opt-in setting for automatic account creation using the details asserted by the DFN identity provider. When the setting is enabled and an authenticated user has no FOLIO account, one is created for them.
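The decision the extended module has to make at this point, after the SAML response has already been validated and its attributes extracted, is shown below as an added Python example. It is not the FedAccs module’s own code (which is not Python); the `Provisioner` class, the `enabled_idps` structure, the hostnames and the patron group names are assumptions made for the example, while the attribute OIDs are the standard eduPerson and inetOrgPerson ones. It demonstrates the checks a practitioner wants around automatic account creation: only administrator-enabled IdPs may sign users in, the account is keyed on a stable scoped identifier rather than a name or e-mail address, and an IdP may only assert identifiers in its own scope.

```python
"""Automatic FOLIO account creation after a successful federated login (illustration)."""
from dataclasses import dataclass, field
from typing import Optional

# Attribute names as they appear in a SAML assertion (urn:oid form).
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"                # eduPersonPrincipalName
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"               # mail
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"  # eduPersonScopedAffiliation


@dataclass
class FolioUser:
    id: str
    username: str
    external_system_id: str   # the federated identifier the account is keyed on
    email: str
    patron_group: str
    active: bool = True


@dataclass
class LoginResult:
    outcome: str              # "created", "existing" or "denied"
    user: Optional[FolioUser]
    reason: str = ""


@dataclass
class Provisioner:
    # Assumed structure: entityID -> set of scopes that IdP may assert, taken
    # from federation metadata and narrowed to the IdPs the administrator enabled.
    enabled_idps: dict
    auto_create: bool         # the administrator's opt-in switch
    users: dict = field(default_factory=dict)   # external_system_id -> FolioUser
    created: int = 0

    def login(self, issuer: str, attrs: dict) -> LoginResult:
        # 1. Federation trust is not local policy: only administrator-enabled
        #    IdPs may sign users in, however many the aggregate lists.
        scopes = self.enabled_idps.get(issuer)
        if scopes is None:
            return LoginResult("denied", None, f"IdP not enabled: {issuer}")

        # 2. Key the account on a stable, scoped identifier. displayName and
        #    mail are neither unique nor stable and must not be used for matching.
        eppn = _first(attrs, EPPN)
        if not eppn or "@" not in eppn:
            return LoginResult("denied", None, "no usable eduPersonPrincipalName")

        # 3. Scope check: an IdP may only assert identifiers in its own scope,
        #    otherwise one member could mint accounts that look like another's.
        scope = eppn.rsplit("@", 1)[1].lower()
        if scope not in scopes:
            return LoginResult("denied", None, f"{issuer} may not assert scope {scope}")

        existing = self.users.get(eppn)
        if existing is not None:
            return LoginResult("existing", existing)   # repeat visit: nothing to create
        if not self.auto_create:
            return LoginResult("denied", None, "no account and auto-creation is off")

        self.created += 1
        user = FolioUser(
            id=f"user-{self.created:04d}",   # FOLIO uses UUIDs; sequential here for readability
            username=eppn,
            external_system_id=eppn,
            email=_first(attrs, MAIL) or "",
            patron_group=_patron_group(_first(attrs, SCOPED_AFFILIATION)),
        )
        self.users[eppn] = user
        return LoginResult("created", user)


def _first(attrs: dict, name: str) -> Optional[str]:
    """SAML attributes are multi-valued; take the first value if there is one."""
    values = attrs.get(name) or []
    return values[0] if values else None


def _patron_group(affiliation: Optional[str]) -> str:
    """Map eduPersonScopedAffiliation to an assumed patron group, so borrowing
    rules can differ for visiting students, staff and everyone else."""
    role = (affiliation or "").split("@", 1)[0].lower()
    if role == "student":
        return "visiting-student"
    if role in {"faculty", "staff", "employee"}:
        return "visiting-staff"
    return "visiting-guest"
```

A second login by the same principal returns the existing account rather than creating a duplicate, and every refusal carries a reason that belongs in the audit log, not on the login page.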

For the second requirement, extending the existing FOLIO module to support federated authentication, we developed a metadata consumer to process the DFN federation’s metadata. Because the federation contains hundreds of identity providers, we also built a user interface allowing an administrator to select and configure which of them may authenticate users and create accounts in FOLIO.
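How a metadata consumer and the administrator’s selection fit together is shown below as an added Python example; it is neither the FedAccs module’s code nor anything published by DFN-AAI. The XML is a constructed, cut-down EntitiesDescriptor in the shape a SAML 2.0 federation aggregate takes, with invented entityIDs, hostnames and display names. A real aggregate is large and XML-signed, and its signature must be verified against the federation’s signing certificate (a job for an XML-DSig library) before anything parsed from it is trusted; the example only refuses aggregates that carry no Signature element at all or whose validUntil has passed.

```python
"""Consuming a federation metadata aggregate and applying an IdP allowlist (illustration)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def _idp(entity_id, scope, name):
    """One constructed IdP entry for the sample aggregate."""
    return f"""
  <md:EntityDescriptor entityID="{entity_id}">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">{scope}</shibmd:Scope>
        <mdui:UIInfo><mdui:DisplayName xml:lang="en">{name}</mdui:DisplayName></mdui:UIInfo>
      </md:Extensions>
      <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="{entity_id}/sso/redirect"/>
      <md:SingleSignOnService Binding="{HTTP_POST}" Location="{entity_id}/sso/post"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>"""


# Constructed sample: three IdPs plus one service-provider entry that a login
# picker must ignore. The Signature element is a placeholder, not a signature.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:mdui="{NS['mdui']}"
    xmlns:shibmd="{NS['shibmd']}" xmlns:ds="{NS['ds']}"
    Name="urn:example:federation" validUntil="2099-01-01T00:00:00Z">
  <ds:Signature><!-- placeholder: a real aggregate carries an XML-DSig here --></ds:Signature>{_idp('https://idp.gu.example/idp', 'gu.example', 'GU Frankfurt (sample)')}{_idp('https://idp.jgu.example/idp', 'jgu.example', 'JGU Mainz (sample)')}{_idp('https://idp.tuda.example/idp', 'tuda.example', 'TU Darmstadt (sample)')}
  <md:EntityDescriptor entityID="https://sp.other.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_aggregate(xml_text: str, now: datetime = None) -> dict:
    """Return {entityID: {display_name, sso_redirect, scopes}} for every IdP.

    Raises ValueError when the aggregate must not be used: wrong root element,
    no Signature element, or validUntil in the past. Presence of the element is
    only a guard; the signature itself must be verified by a real XML-DSig
    implementation before the contents are trusted.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntitiesDescriptor":
        raise ValueError("not a federation aggregate")
    if root.find("ds:Signature", NS) is None:
        raise ValueError("aggregate is unsigned")
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("aggregate has no validUntil")
    expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
    if expiry <= (now or datetime.now(timezone.utc)):
        raise ValueError(f"aggregate expired at {valid_until}")

    idps = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue   # SP and attribute-authority entries are not login targets
        entity_id = ed.get("entityID")
        endpoints = {s.get("Binding"): s.get("Location")
                     for s in idp.findall("md:SingleSignOnService", NS)}
        name = idp.find("md:Extensions/mdui:UIInfo/mdui:DisplayName", NS)
        # Only literal scopes are collected; regexp scopes need separate handling.
        scopes = {s.text.strip() for s in idp.findall("md:Extensions/shibmd:Scope", NS)
                  if s.get("regexp", "false") == "false" and s.text}
        idps[entity_id] = {
            "display_name": name.text if name is not None else entity_id,
            "sso_redirect": endpoints.get(HTTP_REDIRECT),
            "scopes": scopes,
        }
    return idps


def select_enabled(all_idps: dict, enabled_entity_ids) -> tuple:
    """Apply the administrator's allowlist. Returns (chosen, missing): only the
    chosen IdPs go into the login picker and may create accounts; an enabled
    entityID that has dropped out of the aggregate is reported, not ignored."""
    enabled = set(enabled_entity_ids)
    chosen = {eid: all_idps[eid] for eid in enabled if eid in all_idps}
    return chosen, enabled - set(all_idps)
```

The scopes collected here are what the account-creation step should check asserted identifiers against, and the `missing` set is worth surfacing in the settings screen: an IdP that has left the federation should be visible to the administrator rather than silently vanishing from the login page.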

Figure 3 – FOLIO SSO settings options, for configuration by an administrator

The third requirement, allowing the user to select their institution when signing in to FOLIO, presented unanticipated challenges. At the time FOLIO had no patron-facing functionality: its only users were administrators, never students. We needed to present instructions and help text to students and to be able to test the new login page, so we developed a means of serving publicly accessible pages from FOLIO.

Figure 4 - Folio login screen with SSO option, showing searchable set of DFN members

The FedAccs proof of concept was completed and delivered successfully, and it is now available as a base for any organisation needing to incorporate federated authentication into its FOLIO installation. The source code is available in ULB Darmstadt’s public FedAccs GitHub repository.

Future opportunities

The proof of concept focused on authentication, but it also opens up many opportunities for features relating to “authorisation”: determining which services and facilities an authenticated user may access. It is easy to envisage use cases where groups of users need different levels of access based on their level of study or their subject area, for example giving science students access to a specialist science knowledge base, or PhD history students access to archives. Such user groups could be created and managed within FOLIO, and the assignment of users to groups could become part of automatic account creation, using the details the identity provider already supplies.

ULB Darmstadt currently takes part in the FOLIO migration project of the hebis (Hessian Library Information System) library network, in which the university libraries of Hessen and Rheinhessen cooperate to run shared infrastructure services efficiently while promoting new services in a coordinated manner. An important element of this cooperation is the operation of library management systems. As the outcome of a strategy process, the hebis members agreed in May 2021 to replace the current library management system, OCLC LBS, with the open source system FOLIO. In the migration project, all state university and college libraries of Hessen and Rheinhessen will first be migrated to FOLIO between 2022 and 2024, after which FOLIO will be hosted centrally by the hebis head office. This migration will certainly make use of the results of the “FedAccs” project.

Further information and useful links

More about our FOLIO involvement, from the K-Int website

Acknowledgements

TU Darmstadt and K-Int would like to thank the Innovation Fund of the Hessian Ministry of Science and the Arts for funding the project.