Phase 1 OpenAthens questionnaire for CARLI I-Share members

Save my progress and resume later | Resume a previously saved form

Resume Later

In order to be able to resume this form later, please enter your email and choose a password.

Your Email:

A Password:

Confirm Password:

Password must contain the following:

12 Characters
1 Uppercase letter
1 Lowercase letter
1 Number
1 Special character

Page 1

OpenAthens is a single sign-on service that offers library end users a seamless SSO experience and the benefit of secure SAML access. Library administrators can use OpenAthens to manage group authorizations and access, pull granular usage data, and consolidate both SAML and proxy IP authentication into a single, fully cloud-hosted solution.

This questionnaire outlines the information needed from CARLI I-Share members to configure OpenAthens log-ins to ExLibris Alma and Primo VE.

Name of your CARLI I-Share site:

EBSCO Customer ID:

Name of person in your library who will be point of contact for the OpenAthens setup:

Contact's email address:

Contact's direct phone number:

Page 2

Information about your institution’s Identity Provider, or directory of user accounts.

Please note, your institution's IT or Identity & Access Management (IAM) team may be needed to help answer questions in this section.

The OpenAthens single sign-on service has the ability to connect to existing user accounts. This means that a user’s initial log-in to the SSO service will be with their institutional account – in most cases, the same email or username they already use to log into their school email and so on. Connecting to your institution’s Identity Provider (IdP) is a one-time process. We establish a secure connection and your IT or IdP team release any data attributes needed to OpenAthens.

To connect to your institution’s Identity Provider, we will first need to know where user accounts are stored. Types of IdPs we can connect to OpenAthens include:

Microsoft Active Directory (ADFS or LDAP)
Microsoft Azure
Other SAML-compliant IdP applications, such as Google Suite, PingFederate, Okta, etc.
CAS version 5.x or later

If the library's institution does not use an Identity Provider, OpenAthens can store accounts; select the relevant option below for more information.

What type of Identity Provider does your institution use?

Microsoft Active Directory ADFS or AzureMicrosoft Active Directory LDAPSome other SAML IdP (e.g. Google Suite, PingFederate, Okta, CAS 5.x)My institution does not have an IT-managed directory; we will need to load accounts into OpenAthens

Please provide your IdP's SAML metadata file (.xml file or URL):

If using a URL:

Once your IdP's SAML metadata is ingested into OpenAthens, EBSCO's Implementation team will return to you an OpenAthens SAML metadata file to be configured in your IdP settings as a relying party trust.

Please provide your LDAP server host:

Provide your LDAP server port:

Provide your Admin Bind DN:

Provide your Admin Bind password:

Provide your Base DN:

Please provide your LDAP server's root certificate:

The only data attribute that is required by OpenAthens is some piece of information that can be used to uniquely identify each account, such as an ID number, targetedID, or emailAddress. If privacy is a concern, it is important to know that OpenAthens does not require personally identifiable data. For additional information on these parts of an OpenAthens setup and controls over data release, please see this documentation. Please note, if you plan to use a specific attribute to personalize/identify users in Alma/Primo, OpenAthens must receive that same attribute from your IdP in order to facilitate personalized log-ins to Alma/Primo.

Account creation via Bulk Upload

If your institution does not have an IT-managed directory of user accounts, then EBSCO's team can help load your users into the OpenAthens dashboard to create accounts for them. This process is called a Bulk Upload. Information on Bulk Upload account creation can be found here and here; your EBSCO Implementation team will provide you with an Excel template to list your user accounts on.

Supporting accounts for walk-in users alongside your institutional directory

A common use-case amongst academic libraries is that there is a local directory (IdP) available where accounts for staff, faculty, and actively enrolled students are stored, but that the library requires some way to support log-ins for walk-in users who do not have an IdP account. To support walk-in users, the library has several options:

Continue using IP access for on-campus users, including walk-ins. This can be set up in the library's OpenAthens settings using an IP Bypass. When an IP bypass is in use, on-campus users will continue to use IP access even when they click on an OpenAthens link. In this scenario, OpenAthens will only be the remote access solution, and the library's OpenAthens usage reports will only reflect data for remote usage.
Create accounts on a one-off, as-needed basis within OpenAthens. OpenAthens allows the library to manually create accounts on the fly for walk-in users; the librarian can specify when the account is valid until. There are two types of accounts created in OpenAthens: personal accounts, which are assigned to a single person and can be used on-campus and off; and access accounts, which is a username/password that can only be used within the library, as it is tethered to the library's IP address. Access accounts can be shared within the library because they cannot be used off-campus.

Page 3

Test account from your institutional directory.

If your IT can issue a temporary account from your institutional directory to EBSCO's Implementation team, it can be used for testing during configuration. This is known to make the overall setup process more efficient.

Please provide a temporary username/password for EBSCO use:

Please note, if your library doesn't have an institutional directory you can respond to this question with "N/A."

Page 4

Information to set up OpenAthens log-ins to ExLibris Alma and Primo VE.

Please note, this component may require some assistance from your ExLibris support team. To complete this component, a SAML integration profile will need to be set up in the Alma/Primo VE settings. The following steps outline that process:

In your library's ExLibris Alma and Primo VE administrative settings, create a SAML integration profile and generate SAML metadata. ExLibris' Support team will create this profile using information provided by your EBSCO Implementation team.

For your reference, documentation for how settings are configured for Alma and Primo VE can be found here.
Integration for Alma and Primo VE configured in OpenAthens. Your EBSCO Implementation team will take care of this using information received from ExLibris.

What unique ID attribute should be released to Alma and Primo VE during log-ins?

Your ExLibris support team may be able to assist in identifying the correct attribute. Your EBSCO team will then release it to Alma/Primo VE to support personalized log-ins.

Page 5

Upon submission of this form, your EBSCO Implementation team will work with your library and IT team to complete the aforementioned configuration.

Once completed, your end users will be able to log into Alma and Primo VE using OpenAthens. When someone clicks on “Sign in” in the Alma/Primo VE interface to attempts to access any feature that requires a user to be logged in, they will be prompted to log in through OpenAthens using their institutional account. A single log-in through OpenAthens will represent the beginning of their single sign-on session, so additional clicks to full text options within Alma or Primo VE will not require an additional log-in.

All additional subscribed library content will be set up to use OpenAthens log-ins during Phase 2 of CARLI I-Share libraries' implementations; see below.

Please list email addresses for any additional contacts who should receive a copy of this questionnaire submission:

One email per field.

The aforementioned steps constitute Phase 1 of CARLI I-Share members' OpenAthens implementations. Following the completion of Phase 1, I-Share members will work with EBSCO's Implementation team to complete the remainder of a full OpenAthens setup, including configuring OpenAthens access to the remainder of library subscriptions, tools, and applications. The questionnaire for Phase 2 can be found here.

For additional information and documentation on the OpenAthens service during this time, please reference the following:

OpenAthens documentation
OpenAthens Onboarding Guide, a reference manual for libraries approaching an OpenAthens implementation
Virtual Learning Environment, self-led training courses for new OpenAthens administrators. Please note, an OpenAthens Administrator username is required to log into the VLE; this will be provided to your library by your EBSCO Implementation team once your dashboard is available.
EBSCO-led OpenAthens training sessions, held weekly, open to any participants and covering topics from administration basics to usage reporting

Thank you for your submission! Your EBSCO Implementation team will be in touch soon.

Save my progress and resume later | Resume a previously saved form

Contact Information