[Koha] moving from local IP to OpenAthens SSO access - Koha users

Coehoorn, Joel jcoehoorn at york.edu
Thu Jul 3 08:15:51 NZST 2025


For this to work, you should **already** have functional SSO in your
organization, usually including between Koha and a primary identity
provider, such as MS Active Directory, Google, MS Azure/Entra, or an open
provider of some sort (usually some flavor of LDAP). This might be provided
by something like Okta, Duo, AD FS, MS Entra Enterprise Applications, or
some other SAML or SAS (or even OAuth) service.

OpenAthens then uses your existing SSO service to simplify connecting to
licensed academic services: things like discovery, journals, serial
articles, academic search, etc. You only need to set up the **one**
connection between your SSO service and OpenAthens, and then OpenAthens has
already done the hard work to know how to federate this with anyone else
you might need. This allowed us, for example, to retire an old and insecure
EZProxy service for students to get remote access to our licensed digital
collections. But you need to have the initial SSO going first.

Note Koha does *not* necessarily need to participate in this process at
all. In this scheme, Koha is just one more application, and OpenAthens is
another. Both depend on your SSO connection to an identity provider
separate from each other.

We used to have students connect to Koha via a SAML SSO connection, and
this connection still works, but today students here interact with our
catalog entirely via the EBSCO Discovery platform. The authentication path
between EBSCO and our network is EBSCO => OpenAthens => AD FS (SAML) SSO =>
MS Active Directory. Eventually it will be EBSCO => OpenAthens => MS Entra
Enterprise Application => MS Entra/Azure AD, but that's still a ways off.
The main thing is neither case ever involves our Koha installation.

But that's the student view. Library staff still directly use Koha for
circulation and cataloguing. They authenticate to Koha via SSO, which is
Koha => AD FS (SAML) SSO => MS Active Directory. (And the setup between
Koha and AD FS was **not** simple or trivial, let me tell you). But again:
this is optional. We could give library staff direct accounts/credentials
within Koha, and skip the SSO here.

The point is: you want existing separate SSO infrastructure before starting
with OpenAthens. Then Koha can participate as a service provider/relying
party to use account infrastructure and credentials kept elsewhere. This is
also useful for getting MFA working, which makes the GLBA people happy. But
I'm not sure I've ever seen it act as an identity provider, and its
participation with an OpenAthens integration is a separate thing. I don't
see it as part of the flow between your identity provider and OpenAthens,
or between OpenAthens and other applications. If you're wanting to use
existing accounts (and credentials) in Koha as an Identity Provider (IdP),
it may be possible but I've not heard of anyone attempting it.

*Joel Coehoorn*
Director of Information Technology
*York University*
Office: 402-363-5603 | jcoehoorn at york.edu | york.edu



On Wed, Jul 2, 2025 at 1:24 PM Jeffrey Gabel <jeff.gabel at brooklaw.edu>
wrote:

> Hello,
> Brooklyn Law School is in the process of moving to SSO access with
> OpenAthens. We are wondering if other Koha users who have gone through this
> process could share their experiences and give advice.  We are not clear on
> how an automated Athenizing of links in our cataloging will work.  We also
> don't have any information about how to deal with Athenizing links going forward
> as the catalog's holdings continue to change.
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Jeff Gabel
> Acquisitions Librarian
> Brooklyn Law School Library
> 250 Joralemon Street
> Brooklyn, NY 11201
> 718-780-7978
> jeff.gabel at brooklaw.edu