Federated authentication through OpenAthens / Shibboleth

OpenAthens

Since 2002, ScienceDirect has supported the Athens Access Management system. Athens provides users with single sign-on access to numerous web-based services, and is widely deployed throughout the United Kingdom amongst the Higher Education and Further Education communities and many National Health Service (NHS) trusts.

Over the years, Athens evolved to OpenAthens – and ScienceDirect’s support for Athens/OpenAthens changed accordingly. Since December 1^st, 2012, ScienceDirect supports OpenAthens identity providers through the OpenAthens federation and the UK Federation, which allows users to continue to use their (Open)Athens credentials in a Shibboleth environment. See the section on Shibboleth below for more details.

For more information on OpenAthens , go to http://www.openathens.net/.

Shibboleth / SAML federations

ScienceDirect is an early adopter and vivid supporter of the Shibboleth family of architectures, policy structures, and technologies that allow organizations to exchange information about their users in a highly customizable, secure and privacy-preserving manner.

Increasingly deployed in the academic community, Shibboleth allows end users to access mutiple information resources with one set of credentials and on a single sign-on basis, while providing extensive protection of identity and personal details. Furthermore, Shibboleth allows end users to access their organization's licensed content from outside the organizations physical network.

For institutes that deploy Shibboleth, the main benefit is centralized management of resource access, and integration of access to online, remote content resources with locally deployed authentication systems.

Organizations – both content providers and their customers - that have adopted Shibboleth work together in so-called federations. A federation defines what set of rules for the deployment of Shibboleth is used by its members, thereby allowing the customization of the Shibboleth concept to meet the needs of that particular group of organizations.

Since 2004, ScienceDirect has been a member of the InCommon federation in the United States, and in July 2005 expanded its service to be able to support other federation memberships as well. ScienceDirect is increasingly joining federations in other parts of the world, offering Shibboleth to an ever-growing number of our customers.

How to construct Shibboleth authentication links to ScienceDirect

(This also applies to OpenAthens)

Introduction

Typically, a Shibboleth session is initiated by a Service Provider (SP) issuing a Shibboleth Authentication Request to the user’s Identity Provider (IdP), either directly or via the federation’s WAYF (“Where Are You From”) page. On ScienceDirect, this is implemented via the “Institution Login” link on the ScienceDirect homepage, then via ScienceDirect’s local WAYF implementation where the user can select a federation and institution, before being redirected to their chosen institution’s login screen. However, it is also possible to let users log in to ScienceDirect through an institution’s IdP directly from a library page, OPAC, or any other website without them having to go to ScienceDirect first, by building Authentication Request URLs yourself. This removes a few steps in the login process, and makes it far more intuitive for users to get to ScienceDirect under federated authentication using Shibboleth.

Implementation

What Identity Provider to use

To implement direct Shibboleth login functionality from your website, you need to build Shibboleth Authentication Request URLs that direct the user to the login page of your IdP. These URLs identify ScienceDirect as the target Service Provider and include the specific ScienceDirect target URL you would like the user to land on after authentication. These links will force any user clicking on them to first enter their institute's credentials before going into ScienceDirect, or, if they are already logged in to your authentication service, they will be transparently re-directed to ScienceDirect and be given access.

For institutions that use OpenAthens, the IdP is run and operated by Eduserv. This means that in the URL syntax below, the entity ID that needs be used is the identityID of the IdP that Eduserv operates for each separate NHS region/organization. Some major NHS IdPs are:

• https://idp.scot.nhs.uk/openathens - NHS Scotland
• https://idp.eng.nhs.uk/openathens – NHS England
• https://idp.wales.nhs.uk/openathens – NHS Wales

For information about what IdP your organization is mapped to, please contact Eduserv.

URL Syntax

The generic syntax of WAYFless URLs:

https://auth.elsevier.com/ShibAuth/institutionLogin?entityID=[IdP_ENTITY_ID]&appReturnURL=[ELSEVIER_TARGET_URL]

… where [IdP_ENTITY_ID] is the URL-encoded entityID of the Identity Provider (this example is a non-existent IdP)…:

https%3A%2F%2Fidp.test.elsevier.com%2Fshibboleth

… and [ELSEVIER_TARGET_URL] is the encoded URL to any bookmarkable ScienceDirect resource:

http%3A%2F%2Fwww.sciencedirect.com%2Fscience%2Farticle%2Fpii%2FS0011384011002164

For example:

https://auth.elsevier.com/ShibAuth/institutionLogin?entityID=https%3A%2F%2Fidp.test.elsevier.com%2Fshibboleth&appReturnURL=http%3A%2F%2Fwww.sciencedirect.com%2Fscience%2Farticle%2Fpii%2FS0011384011002164

In principle, all ScienceDirect URLs can be used as target URLs, however it is safest to use ScienceDirect’s published set of persistent “Short Cut” URLs to link to specific pages in the site as these are guaranteed not to change (again - bear in mind to use the https:// prefix). For more information on persistent ScienceDirect URLs, go here.