Devolved Authentication

This article outlines the methods that we will use to authenticate your users for access to Talis Products.

Introduction

Talis supports devolved authentication for all our products. This is where we ask one of your university authentication systems whether the person attempting to log into our software should be allowed to continue. We are deferring the decision to your university’s identity management systems.

This has the benefit that:

  • We never see or store usernames or passwords for users.
  • Your identity management system can choose what information is released to us about your users.
  • Users who need additional permissions in Talis software can be granted these by your identity management system. This is through a mechanism that we call Devolved Constraints (read the article)

Requirements

To log in to any Talis software, you will need an identity management system that supports SAML 2.0. We typically use the SAML 2.0 Single Sign On (SSO) service, with the HTTP-Redirect binding, provided by your Identity Provider (IdP).

For example:

  • Shibboleth
  • Open Athens LA
  • Open Athens MD
  • Ping Federate
  • ADFS (Active Directory Federation Services)

If you have another system which you would like to use then do let us know.

We do support Open Athens DA, but there are limitations inherent in the Open Athens DA service which mean that you will not be able to take advantage of Devolved Constraints.

You will also be required to release a specific attribute to us. This has the friendly name eduPersonTargetedID, but the actual name we expect to see is urn:oid:1.3.6.1.4.1.5923.1.1.1.10 (the friendly name is informational only; we match on the OID name). The following XML can be seen in our Service Provider metadata. You can read more about the official description of eduPersonTargetedID.

<RequestedAttribute
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
    isRequired="true"
    FriendlyName="eduPersonTargetedID" />

The value in this attribute is typically a salted hash derived by your IdP from the following pieces of information (the exact recipe depends on your IdP software):

  • The entity id of your Identity Provider
  • The entity id of our Service Provider
  • The username of the user logging in.
  • A random salt known only to the institution.

The hash is then combined with the 'target' or scope of your institution, for example @university.ac.uk.

A full example might be: the-hashed-string-goes-here@university.ac.uk

This value is used to uniquely identify the user to our systems, and it must not change. If it does change, we will treat the user as a new user. If you are carrying out any work that might cause this value to change (for example changing the salt, the IdP entity ID, or the source attribute the hash is computed from), raise this with the support team as soon as possible. There may be work that you will need to schedule to ensure that users do not lose access to their profiles, bookmarks, lists etc.
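The derivation and handling described above, as an added example that is not Talis code or the output of any particular IdP product. The hash recipe is an illustration in the spirit of the description (a keyed hash over the IdP entity ID, SP entity ID and username, followed by the scope); real IdP software has its own exact recipe, so the bytes here should not be expected to match anything a real IdP emits. The entity IDs, the username and the salt are made-up placeholders, and the assertion fragment is constructed inline so the example runs offline. The extraction side shows the two points a Service Provider has to get right: match the attribute on its OID name, not its friendly name, and accept the value whether it arrives as plain text or wrapped in a persistent saml:NameID.

```python
"""Added example (not Talis code): deriving and consuming a pairwise,
persistent identifier in the style of eduPersonTargetedID."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

# Placeholder values assumed for this example only.
IDP_ENTITY_ID = "https://idp.university.ac.uk/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SCOPE = "university.ac.uk"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # name quoted in the article
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def targeted_id(idp_entity_id: str, sp_entity_id: str, username: str,
                salt: bytes, scope: str) -> str:
    """Derive a scoped, pairwise-pseudonymous identifier (IdP side).

    The salt is an institutional secret, so a keyed hash (HMAC) is used:
    the SP, or anyone holding the assertion, cannot recover or confirm the
    username by recomputing the value.  A different SP entity ID yields an
    unrelated value for the same user, which is what "targeted" means.
    """
    msg = "!".join((idp_entity_id, sp_entity_id, username)).encode()
    digest = hmac.new(salt, msg, hashlib.sha256).hexdigest()
    return f"{digest}@{scope}"


def attribute_statement(name: str, value: str, as_nameid: bool = False) -> str:
    """Build a minimal SAML 2.0 AttributeStatement carrying one attribute.

    Constructed for the example: a real assertion also carries Subject,
    Conditions and an XML signature, all omitted here.  Some IdPs send
    eduPersonTargetedID as plain text, others as a persistent NameID.
    """
    if as_nameid:
        inner = (f'<saml:NameID Format="{PERSISTENT}" '
                 f'NameQualifier="{IDP_ENTITY_ID}" '
                 f'SPNameQualifier="{SP_ENTITY_ID}">{value}</saml:NameID>')
    else:
        inner = value
    return (
        f'<saml:AttributeStatement xmlns:saml="{SAML_NS}">'
        f'<saml:Attribute Name="{name}" '
        f'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" '
        f'FriendlyName="eduPersonTargetedID">'
        f'<saml:AttributeValue>{inner}</saml:AttributeValue>'
        f'</saml:Attribute></saml:AttributeStatement>'
    )


def extract_attribute(statement_xml: str, name: str) -> Optional[str]:
    """Return the first value of the attribute whose Name equals `name` (SP side).

    Matching is on the OID-style Name, never on FriendlyName: the friendly
    name is optional and IdPs do not spell it consistently.  A value wrapped
    in a saml:NameID is unwrapped so both encodings compare equal.
    """
    root = ET.fromstring(statement_xml)
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != name:
            continue
        val = attr.find(f"{{{SAML_NS}}}AttributeValue")
        if val is None:
            return None
        nameid = val.find(f"{{{SAML_NS}}}NameID")
        text = nameid.text if nameid is not None else val.text
        return text.strip() if text else None
    return None


def same_user(stored_id: str, presented_id: str) -> bool:
    """The SP treats the identifier as an opaque string: equality is identity."""
    return hmac.compare_digest(stored_id, presented_id)


if __name__ == "__main__":
    salt = b"institutional-secret-salt"          # placeholder, never reused
    first = targeted_id(IDP_ENTITY_ID, SP_ENTITY_ID, "jsmith", salt, SCOPE)
    print("identifier:", first)
    rotated = targeted_id(IDP_ENTITY_ID, SP_ENTITY_ID, "jsmith", b"new", SCOPE)
    # Rotating the salt silently turns an existing user into a new one.
    print("same user after salt rotation?", same_user(first, rotated))
```

The SP never tries to interpret the string before the @: it stores it, compares it, and nothing else. The tail of the block makes the operational caveat concrete: the same person with a rotated salt is, as far as the SP can tell, a different account, which is why salt, entity ID or source-attribute changes need to be planned with the support team.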

Metadata Exchange

In most cases, if your institution’s Identity Provider (IDP) is registered in a federation, then we can use that as a mechanism to exchange metadata.

We do not use federations to actually provide the login path for users, instead choosing to communicate directly with your IDP after looking up its details in the federation.

If you do need to see our metadata, you can view/download this from here: https://login.talisaspire.com/entity

User login expectations for Talis Products

Talis Aspire Reading Lists

For Talis Aspire Reading Lists, login is only required to persist user-specific changes in the system. For example, a student may choose to capture reading intentions or an academic may choose to edit a list.

Students do not need to login to Talis Aspire Reading Lists to view their reading lists (unless the academic has chosen to make the list ‘private’).

Talis Aspire Digitised Content

Students will need to login to be able to view, print or download digitisations. This is to satisfy the terms of the appropriate copyright licences in effect at your institution.

Back office staff will need to be logged in and verified as users who should have access to the workflow management tools in Talis Aspire Digitised Content.

Troubleshooting

If you need to know what attributes have been sent to Talis Aspire Reading Lists for debugging purposes, you can do the following:

  • log in to Talis as the user whose attributes you want to check.
  • go to the following location: http://<your-tenancy-base-url>/saml/attributes
  • you will see a 'dump' of the attribute values that we are receiving from your IdP for that session.