35min | CO Update on Shibboleth / Single-Sign On with Primo | David Walker | - Marcus Mizushima from the Chancellor's Office joined the meeting
- Shibboleth Overview:
- Shibboleth leverages an existing authentication mechanism (Shibboleth itself doesn't store usernames and passwords)
- Each campus decides the best source for their authentication system (e.g., Active Directory)
- When an application is configured to use Shibboleth, Shibboleth allows the user to authenticate and pass along additional information to the application
- e.g., Not only do I want the userID, but I need the user's email address to authenticate
- What if campus authentication mechanism does not provide user attributes?
- Shibboleth returns the user's UserID which then matches with existing user profile information
- Shibboleth has the ability to perform authentication against a source and retrieve attributes from a source
- e.g., authentication against AD, but then go to PeopleSoft and retrieve attributes from PeopleSoft
- Campuses may have done this differently. Marcus can send a list of things that are required (name parts, email address, telephone numbers optional, affiliation (fac/staff/student), employeeID, unique identifiers in case users are not in PeopleSoft)
- No requirement to include active / non active status for students; but employees must have element if they have separated from the institution
- There are two parts we need to figure out:
- first: Alma will need user information first from PeopleSoft / Student Information Systems (SIS) loaded in on a regular basis;
- second: Shibboleth configuration for logging into Primo
- We have an opportunity to test this out early with the Vanguard campuses (San Jose, Northridge, and Fresno)
- Question: How to get data from campuses / PeopleSoft into Alma
- Fresno: manual process - data files are retrieved from campus information systems
- Two staff members that process the files and load them into Sierra
- Beginning the semester, once mid-semester, and then it repeats itself
- Not a daily / automated process
- Believe it's a CSV file delivered via email
- LDAP authentication; also use secondary layer with patron API
- Checks patron API to see patron type and expiration date
- Talks for Identity Management Solution underway - potentially purchased Microsoft product?
- Will involve a few different staff
- Northridge: semi-manual process
- student information semi-automated as a tab-delimited file that is delivered to an FTP directory and further processed by scripts
- Authentication: Campus LDAP with Millennium patron API similar to Fresno
- Barcode not stored in PeopleSoft
- San Jose:
- Believe files are delivered monthly
- Authentication done through the Millennium patron API (ILLiad)
- First task: Set up Shibboleth authentication for at least one (if not all three) campuses in the Vanguard load
- Each vanguard campus needs to reach out to campus IT to schedule a call to discuss this
- Schedule two different meetings: one about Shibboleth with Renaldo, Micah, and Lauren and each campus' primary identity contact as well as Marcus (Suzanna and Brian will also join)
- Second Task: Try and get patron data from one or more of the campuses
- Marcus can get a list of primary identity contacts for all of the campuses
|