Success Story: Single Sign-on Enters Realms of
Reality at NYU
During 2004, ScienceDirect staff worked with the libraries of Dartmouth
College, New York University, the University of California, San Diego, and the
Dahlgren Memorial Library at Georgetown University Medical Center, Georgetown
University Information Services, to pilot Shibboleth technology on the
ScienceDirect platform. Pilots were a resounding success and since the end of
last year Shibboleth authentication has been available for ScienceDirect
customers in the US. Library Connect caught up with Jerome McDonough, Digital
Library Development Team Leader at the Elmer Bobst Library, New York
University, to find out about his experiences in implementing Shibboleth at
NYU.
LC: What made you decide to look into Shibboleth
authentication?
Jerome McDonough: Our first push towards Shibboleth was a project with
New World Records to provide access to their complete catalogue of music as an
online subscription service. New World Records wanted to provide users with
varying levels of service (e.g., a faculty member may be able to download
music whereas an undergraduate might not). They wanted to be able to remember
users between different uses of the database, so when someone is using the
database they can set up a series of play lists that can be accessed at a
later date. And they wanted to be able to do this for a number of different
users, accessing the system from a variety of institutions. The need to
identify different classes of users, from different institutions, and to offer
differential service, while leaving in place the sort of privacy controls that
libraries would expect for their user base, meant Shibboleth was the way to go.
We knew about other potential benefits of Shibboleth in terms of addressing
issues of single user sign-on to a variety of systems and that also gave us a
push to get Shibboleth up and running.
LC: Is Shibboleth something that interested NYU as a
whole, beyond the library?
McDonough: Yes, definitely. That’s one of the areas where we’ve seen
more payback than we thought. Now we have the framework in place, we’re
starting to look at it for use with a variety of homegrown systems.
“Can’t you make it so I just log in once and then I get access to all of these
resources?” is a familiar complaint to library and central campus IT. Using
Shibboleth we can make this happen. A user can log into the Database of
Recorded American Music, a local system, and move to ScienceDirect without
needing to log in again. Already authenticated as NYU users against our own
system, that authentication carries over to Elsevier. It’s a huge win: We can
offer our users the ability to sign in once. They don’t have to remember
multiple passwords, IP spaces or proxy servers. And we don’t have to provide
IT support for that.
LC: You’ve obviously implemented Shibboleth for systems
beyond ScienceDirect. Have you been working with other publishers?
McDonough: Elsevier is the only publisher so far. Our efforts have focused
on implementing Shibboleth for local systems and setting up other universities
as Shibboleth users for resources like our Database of Recorded American
Music. We’ve become a publisher in that regard — providing access to
universities using Shibboleth and allowing their users to log in to our system.
LC: When you first started implementing Shibboleth what
were the practical things you considered from the library’s perspective?
McDonough: It’s not really something we thought hard about at the time
but as we move toward a system in which we’re providing authentication
services for faculty, students and staff we find we’re interacting with
central campus IT services in a way we never have before — asking for access
to, and changes to, their entire campus directory system to support new
attributes we want to put in place. Implementing
Shibboleth has forced the library to take an enterprise view of the systems it
puts in place, and we now interact more strongly and more regularly with
campus IT.
LC: That must offer benefits?
McDonough: Overall, it’s been a definite plus. We have closer
relationships in place and day-to-day business goes a lot more smoothly.
There’s always a learning period though, while you get used to each other’s
styles and figure out what each group can and can’t do.
We have a great campus IT organization — interested in learning the library’s
needs and quick at figuring out what we want to deliver to our users. They’ve
been just as enthused about Shibboleth as us.
LC: Now that Shibboleth is available, how are you
promoting it to your users?
McDonough: We’re trying to make this process as seamless and invisible
to users as we can, operating on the assumption that ultimately they don’t
care much about how they are authenticating. They do care that it’s easy and
they care about control of their personal information and how it’s released.
We haven’t yet done much work in terms of opening up users’ information or
giving them the tools to control its release.
As we move forward, we’ll start advertising these aspects to faculty and
students but until we have the tools in place to allow users to successfully
manage their own information, we’re not going to release much attribute data.
So far, we haven’t done any aggressive campaigning and we’re going to wait
until we have these tools before any major push to deliver Shibboleth services
outside of NYU.
LC: Have you had any feedback so far?
McDonough: A few comments. The one negative we’ve heard relates to the
fact that the Shibboleth authentication process involves a variety of HTTP
redirects between various servers; this can be confusing to the user when
trying to get in for the first time. Other than that we haven’t heard many
complaints and we’ve modified content on the authentication Web pages to make
it clearer where the user is in the process, and why they are moving around.
LC: It sounds as though your experience of Shibboleth
has been really positive. Would you recommend it to other libraries?
McDonough: Definitely. The more people adopt Shibboleth, the greater
the benefits for all of us. One key thing people need to pay attention to:
Shibboleth really is an enterprise level authentication mechanism. It’s
difficult to implement on a minor test basis. Libraries have to view this as
collaboration with the entire university. To have the directory information
available for the Shibboleth authentication systems, you must have access to
the central campus directory. If you want to incorporate new attributes into
the central campus directory, all of a sudden it’s no longer just a question
for the library. Can the IT people support it? How will the information be
collected? How will it get into the directory system? Shibboleth affects the
entire campus.
Issues around policies on release of attributes must involve inclusive
discussions about what information might be available through a directory
service. Is there information that can’t be made available? In the NYU context
it’s not just the Bobst Library that might use the technology, there’s also
the medical library operating under HIPAA legal constraints. What’s applicable
to us may be problematic for them.
ScienceDirect can currently support one federation at
a time, but as the international interest for Shibboleth increases —
federations already exist in Switzerland, Finland and The Netherlands — the
need for ScienceDirect to support multiple federations will become essential.
Over the past year, we've worked with various communities to determine how we
can best help users navigate in a world of multiple federations. As a result,
we will implement support for multiple federations on ScienceDirect in July
2005, and we're looking forward to working with many more of our customers to
make Shibboleth a reality for users of our content across the globe. — Niels
Weertman, Product Manager, ScienceDirect, Elsevier, Amsterdam, The Netherlands
LC: Any advice for libraries thinking about Shibboleth?
McDonough: We found it useful starting with a pilot project with a
relatively small user base. It allowed us to work on getting bugs out of the
system before we had a huge number of users signed on. Launching with a local
information service and providing information within your local community
allows you to put mechanisms in place, play around with them, and get control
of the different parts of the system. Then you can move on to a project
supporting a larger user base.
LC: Anything else to highlight?
McDonough: One area which was a little more time-consuming than we
anticipated was preparing to join the InCommon Federation. Ensuring
compliance with the federation's requirements meant working with our legal and
IT departments to make sure we had appropriate policies and procedures in
place for managing and protecting user information.
LC: Have you carried out usability testing for
Shibboleth?
McDonough: We’re in the middle of that now actually. The Mellon
Foundation funded our work on the Database of Recorded American Music and they
require usability testing of the whole system. Shibboleth authentication is
part of that. We’re hoping to finish the usability report this summer.
LC: Finally, how was your experience working with
ScienceDirect?
McDonough: It’s been successful both in terms of our interactions with
Elsevier and the implementation itself. Our contacts at ScienceDirect have
been great at providing us with information and keeping us apprised of new
developments.