Posts Tagged ‘EZProxy’

Using EZproxy to handle passworded library resources (replaces “Form Capture Utility”)

Posted on March 6th, 2013 by Paul Stainthorp

A small number of our electronic Library resources, rather than using a sensible(ish) authentication method (such as IP authentication or federated access, both of which enable a user to log in with their University of Lincoln account), instead have their own single generic username/password, which all users must use to access the resource.

These resources tend to be smaller magazines and professional membership services, which aren’t really aimed at academic libraries, but which nevertheless our users are entitled to access.

In the old days we kept these generic usernames/passwords on a sheet of paper; later, on a secure web page which students and staff could log into to look up the password they needed.

Screenshot from the Form Capture Utility

Since 2005, the University of Lincoln has provided access to these resources using a “Form Capture Utility“, developed by ICT Services and running on the University Portal. This system hides the username/password from the user and logs in on their behalf. This means that generic passwords are kept secret (reducing the risk that they could be “leaked” to non-students), and has the benefit that users get one-click access to the resources, without having to look up a password from a list and fill it in themselves.

We’re now starting to phase out the Form Capture Utility, instead using EZproxy to protect access to these generic-passworded resources. The EZproxy mailing list and documentation have been very useful in helping us work out how we can use EZproxy to replicate the functions of the FCU. Using EZproxy rather than the Form Capture Utility will mean one less system to maintain, and simpler, more consistent logins for users of the library.

Technical note: this method of access via EZproxy involves using Google Chrome’s developer tools—or similar—to analyse the resource’s login method. EZproxy then provides “stanza” configuration commands for injecting the generic username/password into each resource. There are two different ways of doing this, depending on the nature of the resource. The first is simple and fairly stable, but requires that you access the resource via a specific login point. The second method is more complex, relies on JavaScript, and is more brittle (i.e. liable to break easily) – but users can link to the resource from any point e.g. using this EZproxy bookmarklet rather than having to use a special login link. Again, the username/password details are hidden from the user, and they get one-click access to the resource.

A list of the updated resources is below. Please contact me if you have any questions or comments about these new login links. As long as they prove stable, the library website and e-journals A-to-Z will be updated to use the new links.

The Form Capture Utility will then be withdrawn.

| Resource | Old login link (Form Capture Utility) | New login link (EZproxy) |
| --- | --- | --- |
| Leisure Recreation and Tourism Abstracts (A&I) | [link] | [link] |
| Factiva Academic | [link] | [link] |
| Leisure Management | [link] | [link] |
| TRADA (Timber Research and Development Association) | [link] | [link] |
| frieze | [link] | [link] |
| Media Lawyer (Press Association) | [link] | [link] |
| IHS Technical Indexes | [link] | [link] |
| Fresh Produce Journal | [link] | [link] |
| Campden BRI | [link] | [link] |
| Food Technology | [link] | [link] |
| Journal of the American Veterinary Medical Association | [link] | [link] |
| IDS | [link] | [link] |
| Children & Young People Now | [link] | [link] |

Better authentication and linking to Factiva

Posted on November 27th, 2012 by Paul Stainthorp

The University of Lincoln provides access to Factiva Academic, a “business intelligence” database of more than 8,800 international sources including major newspapers, newswires and a wide selection of journals. Factiva is especially useful for finding company/industry information and business news.

For the past eight years, we have used a kind of ‘form capture‘ authentication to log in to the Factiva homepage. This created a ‘faked’ URL for Factiva, hiding the username and password (in effect, it pasted the Factiva login details into an HTML login form on the user’s behalf and hid the authentication from public view). This meant it was impossible to link directly to a specific Factiva journal/newspaper from the e-journals A-to-Z, or from a search in Find it at Lincoln.

Factiva now uses a more standard login tool, which means that links from the A-to-Z/Find it at Lincoln will take you directly to articles within a specific title. (Example: the Lincolnshire Echo). This new method of access uses EZproxy. You can log in to Factiva via the new method using your University of Lincoln accountID and password.
Screenshot from EZproxy login

For help with using Factiva, please contact your subject librarian.

EZproxy crib sheet for Library staff

Posted on October 24th, 2012 by Paul Stainthorp

Recently Elif and I gave a workshop for our e-Library Services colleagues on EZproxy: what it is, how it works, and how we’re using it at Lincoln. Here are our workshop notes.

  1. EZproxy is e-resource authentication software, provided by OCLC, which we host on a server here at Lincoln. It’s very cheap (small annual subscription cost + maintenance of the server). Our EZproxy service is at: http://proxy.library.lincoln.ac.uk/
  2. It works by rewriting the URLs of e-resources, so that they go through a *.lincoln.ac.uk domain (see examples of this below). This ‘tricks’ the e-resource provider into thinking that the user is on campus (i.e. that they are within the University’s IP range). So, it only works with e-resources that are IP-authenticated.
  3. EZproxy has nothing to do with OpenAthens or other kinds of federated authentication. It’s an entirely separate method of access, useful when it’s difficult or impossible to make OpenAthens work properly and consistently (e.g. via the Electronic Journals A-to-Z). However it doesn’t offer the same flexibility/personalisation as federated authentication.
  4. Our EZproxy service is protected by a University secure sign-in screen. Currently this piggybacks off Blackboard authentication. It can also inherit authentication from the University Portal, as well as its own local login screen, which we’re not using. Users sign in with their standard University of Lincoln accountID and password. If the user is already logged in to Blackboard or the Portal, they will be passed through to the resource automatically and won’t have to log in again.
    Screenshot of the sign-in screen
  5. Once you have signed in to http://proxy.library.lincoln.ac.uk/, you’ll see a list of all the e-resource platforms that are currently set up to use EZproxy. All of these resources are currently set up to use IP authentication (solely, or in addition to another method). Users won’t generally see this menu screen as they’ll usually be clicking on a link directly to a specific e-resource.
  6. When we update the IP ranges that a resource provider holds on file for us, we need to include the IP address of EZproxy. Before we disclose our IP ranges to a provider, we ask them for written assurance that they will only use our IP ranges for user authentication. These details are held on file in a Portal site shared with ICT services.
  7. URLs for authentication via EZproxy (from Blackboard, the A-to-Z, etc.) are generally in the form:
    • http://proxy.library.lincoln.ac.uk/login?url={URL}
  8. However there’s a special URL format for links from the University Portal:
    • https://login.proxy.library.lincoln.ac.uk/login?url={URL}
  9. Publishers’ URLs to e-resources which are stored in the A-to-Z/LinkSource knowledgebase are rewritten to go through EZproxy using the A-to-Z’s “proxy mask” feature (which is like a template for re-formatting URLs). Find it at Lincoln also re-formats a number of internal URLs so that users are routed via EZproxy.
  10. EZproxy resolves the above URL formats into final URLs like these:
  11. There is an admin site for maintaining EZproxy. Access to this admin site is restricted to only a few people (EV, PS, DM, TS), and the site is available on campus only. To configure EZproxy to work with each additional e-resource, we have to download a configuration text file from the admin site, and edit it to add a new database “stanza” (a short piece of configuration text).
  12. There’s a general format for writing stanzas for electronic resources – in addition, some databases have additional weird requirements for stanzas (OCLC maintain a list of oddities). If all else fails, we can ask on an EZproxy mailing list, or on Twitter!
  13. Once we’ve added a new stanza (or changed an existing one), we re-upload the config file, and re-start the EZproxy software from within the admin site. Then we test the new resource from off campus before creating links from the A-to-Z, etc. The admin site provides an archive of previous versions of config.txt in case we need to roll back a mistake.
  14. EZproxy stores usage data (in the form of server logs) – we’re not doing anything with this data at the moment, but we are looking at archiving it off to a ‘Data Warehouse’ and analysing/reporting on it within the Library. RAPTOR is a JISC-funded, free-to-use, open source software toolkit for collecting and reporting on authentication usage – Elif is writing up a report on RAPTOR.
  15. Our own JISC-funded Linkey project is looking at streamlining all authentication systems including EZproxy under a joint OAuth-Microsoft UAG (“Unified Access Gateway”) framework. Alex Bilbie blogs regularly about how authentication to Library resources could be served in such a framework.
  16. If you have any questions about EZproxy please contact Elif or me!

EZproxy bookmarklet-powered stable journal URL hacking for fun and profit

Posted on September 26th, 2012 by Paul Stainthorp

Here’s an idea I stole from technologist Phil Wolstenholme. See his website for a clearer explanation: http://wolstenhol.me/ezproxy/

It’s a bookmarklet which can be used to re-write stable/persistent journal URLs so that they’re passed through the University of Lincoln’s library proxy authentication service (EZproxy). You can then use the re-written links in Blackboard, reading lists, web pages, etc., with the confidence that University of Lincoln students will be able to access the resource, on- or off-campus, using their University login details.

First you’ll need to drag the below link up to your browser’s bookmark/links bar…

Drag the above link to your bookmark bar
Screenshot of the bookmarklet

…then visit a journal/article/e-resource on the open web, and click the bookmarklet button. At this point one of two things will happen.

1. Either:

If you use the bookmarklet on one of the e-resources that we have set up to use with EZproxy, it will re-write the URL to go via a University login. Examples:

If you’re not already logged in, when you proxify the URL (and when your users subsequently try to access the resource), you’ll see the standard University of Lincoln secure sign-in page.
Screenshot of the secure sign-in page

You can now copy-and-paste the rewritten URL and add it as a link in Blackboard or a reading list.

2. Or:

If you try and use the bookmarklet with a journal/resource that doesn’t work with EZproxy (i.e. one that isn’t on this list)—either because we just don’t have access to it at Lincoln, or because it’s not currently set up to work off EZproxy/IP authentication—then you’ll probably see the following error:

To allow http://www.foobar.com/ to be used in a starting point URL, your EZproxy administrator must first authorize the hostname of this URL in the config.txt file.

Within this database’s section of config.txt, either the following line must be added:

Host www.foobar.com

or, alternatively, a RedirectSafe for this host or domain may be appropriate.

After editing config.txt, the EZproxy server must be restarted to make changes take effect.

If that happens to you, please tell me about it.

As an aside, I’d really like to see this functionality added to lncn.eu, our home-grown URL shortener. That is, if a user tried to minify a resource URL from a ‘whitelist’ of domains derived from the EZproxy /config.txt file, lncn.eu would respond with not one, but two shortened URLs, one of which would have been rewritten to go via EZproxy.
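The allowlist idea above, and the "must first authorize the hostname" error it would avoid, can be sketched as follows. This is an added example, not code from lncn.eu, the bookmarklet or EZproxy itself: the config fragment and its hostnames are constructed, and the matching rules (exact match for URL/Host lines, domain-and-subdomain match for Domain lines) are a simplified assumption about how EZproxy authorises starting point URLs.

```javascript
// Added example: decide whether a URL may be proxified, given config.txt.
const PROXY_LOGIN = 'http://proxy.library.lincoln.ac.uk/login?url='; // form given on this page

// Constructed config.txt fragment; every hostname is a placeholder.
const SAMPLE_CONFIG = `
# constructed sample, not a real stanza
Title Example Journal Platform
URL http://www.journals.example/
Host content.journals.example
Domain journals-cdn.example

T Another Resource
U https://db.example.org/start
HJ static.db.example.org
`;

// Normalise a hostname or URL token to a bare lower-case hostname.
function hostOf(token) {
  try {
    const u = new URL(token.includes('://') ? token : 'http://' + token);
    return u.hostname.toLowerCase().replace(/\.$/, '');
  } catch (e) {
    return null;
  }
}

// Collect hosts from URL/Host lines and domains from Domain lines
// (long and short directive names); all other directives are ignored.
function parseAllowlist(configText) {
  const allow = { hosts: new Set(), domains: new Set() };
  const exact = ['url', 'u', 'host', 'h', 'hostjavascript', 'hj'];
  const suffix = ['domain', 'd', 'domainjavascript', 'dj'];
  for (const raw of configText.split(/\r?\n/)) {
    const parts = raw.trim().split(/\s+/);
    if (parts.length < 2 || parts[0].startsWith('#')) continue;
    const directive = parts[0].toLowerCase();
    const host = hostOf(parts[parts.length - 1]); // last token is the host/URL
    if (!host) continue;
    if (exact.includes(directive)) allow.hosts.add(host);
    else if (suffix.includes(directive)) allow.domains.add(host);
  }
  return allow;
}

// Assumed matching: exact host, or the domain itself / a subdomain of it.
// The leading dot stops "evil-journals-cdn.example" matching a Domain line.
function isAuthorised(host, allow) {
  if (allow.hosts.has(host)) return true;
  for (const d of allow.domains) {
    if (host === d || host.endsWith('.' + d)) return true;
  }
  return false;
}

// Build the EZproxy login URL, or explain why the target is refused.
// The target is parsed with URL so the real host is checked, not a substring.
function proxify(target, allow) {
  let u;
  try { u = new URL(target); } catch (e) {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not http(s)' };
  }
  const host = u.hostname.toLowerCase().replace(/\.$/, '');
  if (!isAuthorised(host, allow)) {
    return { ok: false, reason: 'host not authorised in config.txt: ' + host };
  }
  return { ok: true, url: PROXY_LOGIN + target };
}
```

A shortener built this way would return the second, proxified URL only when `proxify` reports `ok`, and fall back to the plain short URL otherwise.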

Authentication and full-text linking within Find it at Lincoln

Posted on September 19th, 2012 by Paul Stainthorp

Find it at Lincoln has now been set up to behave in the following way:

1. From the search box and link on the Library website (library.lincoln.ac.uk):
Screenshot from the Library website

  1. On a University PC on campus – Find it at Lincoln will recognise the University IP address, and provide the user with a complete, “logged-in” version.
  2. From off campus, the user will be presented with a guest version of Find it at Lincoln. 99% of the functionality of Find it at Lincoln is provided to guest users – at the moment, only access to the full text is excluded. This means that members of the public, prospective students, peripatetic researchers, etc., can examine our collections. From this point, University of Lincoln students and staff can log in, either:
    • By clicking on the “Login for full access” message;
      Screenshot from Find it at Lincoln
    • Or by clicking on one of the “Full Text” options* underneath a search result.
      Screenshot from Find it at Lincoln
    • In both cases, the user will see a University of Lincoln secure sign-in screen where they can log in using their accountID and password. This is using EZproxy to mimic on-campus access, and is a redesigned version of the old Blackboard-style EZproxy login screen.
      Screenshot of secure sign-in
    • (*The options “HTML Full Text” and “PDF Full Text” will take the user to an article held by EBSCO within Find it at Lincoln. “Find Full Text” will invoke the link resolver and display links to external full text – or, if possible, take the user directly to the full-text article, bypassing the link resolver menu.)

2. From the Library tab on Blackboard

The search box which is now available on the Blackboard Library tab will inherit the Blackboard login and pass it on to Find it at Lincoln (via EZproxy), so that the user has the complete, ‘logged-in’ version of the application. They should not need to log in again to access most full text articles.

Screenshot from Blackboard

The end of an authentication era: goodbye “AVAILABLE ON CAMPUS ONLY”

Posted on August 3rd, 2012 by Paul Stainthorp

For as long as I’ve worked in the Library at the University of Lincoln, a significant minority of electronic resources have only been available to use on library PCs, on campus. They allowed no Athens or other Portal login, and were authenticated solely by the IP addresses of the university’s computer network.

Like a red cross on the door of a plague victim, we marked these resources with the subtle message “AVAILABLE ON CAMPUS ONLY“. You might have noticed the bold, and the red, and the BOLD RED ALL CAPS!!!, just in case you were in any doubt about the awfulness.
Available On Campus Only
Fig 1. The horror… the horror…

Thanks to our new EZproxy service, the last of these messages has been consigned to the dustbin. All University of Lincoln library electronic resources are now available irrespective of your location*. On the odd occasion, off-campus access might still be a little bit more troublesome than on-campus, but we’re working hard to eradicate these differences next.

Here’s a selection of the e-resources that are newly accessible off campus for the first time:

The Portal and e-journals A-to-Z have been updated with access to these resources via EZproxy.

(Technical note: links from the University Portal to e-resources via EZproxy have a special format:

https://login.proxy.library.lincoln.ac.uk/login?url=…

…instead of:

http://proxy.library.lincoln.ac.uk/login?url=…

This allows EZproxy to inherit the authentication session of the Portal and pass the user straight through to the e-resource, without their having to log in again.)

EZproxy has also now totally replaced our previous, home-grown proxy tool, LibResProxy (http://libresproxy.lincoln.ac.uk/). LibResProxy was a CGI proxy application which mimicked IP-based on-campus authentication. This service is no longer being used for access to any library resources, and it will shortly be switched off. So no more screens like this one:
Screenshot of LibResProxy

*Oh, all right: there’s always the odd awkward exception. There are a couple of streaming video services that, for licensing rather than technical reasons, are only available to view in the UK (BoB National) or in the Library itself (the BFI’s Screenonline). But let’s not allow them to spoil the moment.

Imminent domain

Posted on May 4th, 2012 by Paul Stainthorp

With various new services arising out of the ongoing Library ICT systems review, we’re amassing a nice little collection of library-related 2nd-level subdomains. Here’s a list, which I’ll edit as they become live.

  1. http://library.lincoln.ac.uk/ (i.e. the ‘bare’ library subdomain: this isn’t used at the moment, but we intend that it will become the Library’s ‘root’ web presence)
  2. http://www.library.lincoln.ac.uk/ (currently used for our SirsiDynix Horizon Information Portal OPAC, which we intend to move to catalogue.library… in order to free up www for our web pages hosted on WordPress)
  3. http://catalogue.library.lincoln.ac.uk/ (the future home of the library catalogue)
  4. http://catalog.library.lincoln.ac.uk/ (an alternative/US spelling of catalogue)
  5. http://findit.library.lincoln.ac.uk/ (a launch point for our new Discovery system, still to be announced, and with a name yet to be decided!)
  6. http://lists.library.lincoln.ac.uk/ (Talis Aspire reading lists, currently being developed)
  7. http://archives.library.lincoln.ac.uk/ (Axiell Calm archives and special collections software)
  8. http://jerome.library.lincoln.ac.uk/ (Jerome is our innovation platform and a home for experimental search services, being re-developed as part of the CLOCK project)
  9. http://auth.library.lincoln.ac.uk/ (OpenAthens LA v2.1 authentication software)
  10. http://proxy.library.lincoln.ac.uk/ (EZProxy authentication software)
  11. http://guides.library.lincoln.ac.uk/ (LibGuides software)

We also have two core systems which aren’t on the library subdomain:

  1. http://eprints.lincoln.ac.uk/ (the Lincoln Repository on EPrints – it’s appropriate that this isn’t on library, as we’ve always managed the Repository as a shared/collaborative project between CERD, ICT services, the Library, and the Research Office)
  2. http://ill.lincoln.ac.uk/ (CLIO inter-library loans software)

Authentication from E to Z

Posted on March 2nd, 2012 by Paul Stainthorp

As part of our authentication review project (more about which soon), ICT services are helping us to set up and configure EZproxy as a supplementary/complementary system for providing access to third-party e-resources. Several universities have identified EZproxy as a useful (albeit quick ‘n’ dirty – and not uncontroversial) tool for circumventing some of the problems of authenticating to deep-linked resources from within discovery tools/link resolvers.

We’re securing the subdomain http://proxy.library.lincoln.ac.uk/ for EZproxy. Login URLs for e-resources via EZproxy will be in the form: http://proxy.library.lincoln.ac.uk:2048/login?url=XXXXXX, where XXXXXX is the URL of the target resource (this will allow us to create a simple, generic ‘proxy mask’ for the e-journals A-to-Z/Find it @ Lincoln).

It’s not a live service yet, and not accessible from outside the University network, but here are some examples of our e-resources accessible via EZproxy in a test (Windows 7) environment. Login is via normal University of Lincoln accountID and password.

The test box is allowing us to try out various EZproxy ‘stanzas’ (a.k.a. ‘database definitions‘ – bits of text used to configure EZproxy to work with a given service). Here’s an example of an EZproxy stanza.

Some useful EZproxy links:

We’ve also had a few meetings now about the authentication review process, and a plan of sorts is emerging. Our needs ought to tie in with (and help to inform) some work going on between ICT and CERD on the use of OAuth 2.0 and the Microsoft Forefront Unified Access Gateway (UAG). We’ll also be looking again at the way we use OpenAthens as a gateway to resources via the UK Access Management Federation.

E-journal authentication behind the mask

Posted on November 16th, 2011 by Paul Stainthorp

This blog post is an attempt to elaborate on a problem with managing on/off campus access to electronic journals at the University of Lincoln. It’s a problem which confuses a lot of our users. I hinted at the issue in an earlier blog post.

Underlying the problem is a lack of consistency in the way e-journal platform providers/publishers implement Athens/”Shibboleth” access to their content.

I think the answer to this problem is “…use EZProxy as well or instead“. (We plan to do so.) However if anyone from a ‘strong’ federated-access position can suggest a way around the problem based purely on honest, SAML-based principles, then I’m all ears!

~~~wavy lines~~~

The system we use to manage access to e-journals at the University of Lincoln is EBSCO’s electronic journals A-to-Z. Within its underlying journals knowledgebase, the A-to-Z stores a URL for each journal – here I’ll refer to that URL as A.

The A-to-Z also provides the facility—a very nice facility, as it happens—to rewrite that URL according to a set of predictable rules, generating a new URL which is a function of the original URL: in my pseudomathematical shorthand I’ll call this f(A).

EBSCO call this facility of theirs a “Proxy Server”. Now – I could be being thick, but I don’t think this is a proxy server: it’s a URL rewriting application which merely happens to be used by some libraries to redirect traffic via a URL-rewriting proxy (such as the aforementioned EZProxy); in fact it can be used to ‘mask’ any URL.

We use the so-called “Proxy Server” facility to mask the default URL, A, and instead direct the browser back to the OpenAthens authentication point for the journal provider/publisher (allowing authentication both via the UK Federation and trad. Athens), with a redirect back to the post-authentication page for the journal. We’ll call that page A′ (i.e. “A prime”). A′ permits access to the full text of the journal.

Flowchart of URL masking and authentication workflow

N.B. it’s only possible to do this at all if the Athens/UKAMF authentication point for the journal has a predictable structure. If A′ includes any randomly-generated or unknown elements that aren’t in A and which vary from journal to journal, then A′ can’t be generated by f(A) – so some providers rule themselves out at the first hurdle. Bonjour, most legal databases! Yeah, you know who you are…

If it isn’t possible to create an A-to-Z “Proxy Server” URL mask, then our usual fallback position is to rely on IP authentication for on-campus traffic, but to instruct the user to manually select an Athens/’my institution’-type login for off campus access. This is not ideal: it confuses off-campus users who are used to seamless on-campus access, and it requires that we create help guides—I name and shame thee, Elsevier ScienceDirect—to lead people through often terribly confusing login procedures.

Flowchart of authentication workflow with on- and off-campus differences

There’s another complication: some journal providers, upon Athens-esque authentication from A, don’t send the user to A′. Instead, they redirect to a generic post-authentication page, D.

This = Bad. If you do this, I… just… can’t speak to you right now.

If we don’t (or can’t) apply a URL-rewriting mask in the A-to-Z for a journal package which exhibits this awful behaviour, then we’re relegating off-campus users to a third-class service; further widening the gap between on- and off-campus behaviour. If we do apply a mask, we relegate all users to the same lack of functionality. Which compromise do we choose? We’re damaging the user experience in both cases. [Click the diagram below to embiggen.]

Flowchart of complex authentication workflow for masked and non-masked journals

Finally, and for the sake of completeness, I think that this [below] would be the equivalent flowchart for EZProxy. (You can see why some libraries—and apparently their users—find it attractively simple. It also has the advantage that the ’masking’ is consistent across all or most journals, the configuration for each e-journal provider being done within EZProxy itself.)

Flowchart of the authentication workflow using EZProxy

Last word – here’s a useful page from Eduserv of Athens-authentication deep links for various e-resource providers. It may be helpful in creating masked URLs for Athens-authenticated journals.