"we also give koha login credentials to them, ... share the username and password fields for other external services."

Done properly, services like Koha **do not store any actual passwords**. They only store salted and hashed mutations of the original passwords. When you try to log in, the service will then make the same adjustments to the attempted password and compare the hashes, rather than the passwords. This protects users; in the event of a data breach, you haven't also given up credential information that may be shared with other sites, and when the service is restored users can still initially login to protected accounts. This is standard practice for ANYTHING handling credential information. If you find a product storing bare passwords, that's enough of a reason on its own to pick a different product. Therefore it's not enough for other services to know where to look in koha to find your credential information. They also need to know the salt used for each user, the hashing algorithm used, and the tuning level from the algorithm, in order to replicate the password hashing process. This information is typically *not shared*. Instead, single sign-on (SSO) services implement well-defined protocols like Shibboleth, SAML, or OAuth, so the destination service provider (aka relying party) can redirect to the identity provider's login page for credential validation, and then once logged redirect back with an authentication token. Koha does not directly implement the protocols needed to be an identity provider. It doesn't even directly implement the protocols to be a service provider/relying party. Those of us who use that feature need to install and configure a separate SimpleSAMLPhP Shibboleth package in Apache. You *might* be able to get that package to also act as an IdP, but I doubt it. I've setup more than a dozen other service providers to use our AD FS IdP, and Koha was by far the hardest to get working, and even then this is only possible when the other applications have support for this built into the product. *Joel Coehoorn* Director of Information Technology *York University* Office: 402-363-5603 | jcoehoorn@york.edu | york.edu On Wed, Oct 18, 2023 at 12:14 AM Rupinder Singh <jessedhammu@gmail.com> wrote:

Hi, I am thinking I can use koha as an identity provider for other Librayr services like repository and off-campus remote access, etc. Because, In koha, we usually already have complete details of our patrons, and we also give koha login credentials to them, I was thinking if we use the borrower table from the database, and share the username and password fields for other external services. just a thought, please give your views on this possibility.

Thank you Rupinder Singh _______________________________________________

Koha mailing list http://koha-community.org Koha@lists.katipo.co.nz Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha