[wactclc-alma] ALMA login URLs and security certificate update

Lily Kun lkun at spscc.edu
Tue Jun 6 14:01:08 PDT 2023


Thanks for that info, Abby! I'm going to ask Ex Libris, too, and get clarification on what certifications we use. :)

Laurie, here's some info that may help figure out your first question:

When Alma was first implemented, there were a few ways to set up the authentication: ADFS; LDAP; CAS; SAML; etc. I think maybe Pierce initially set up ADFS, which is why one of your URLs starts with adfs. I remember Lesley mentioning that Pierce moved over to Okta sometime back? That's probably when the URL changed to sbctc.

We use Okta and have two logins, one for internal users and one for external users. External users can log in using SPSCC's Clipper ID (same login as Canvas and library databases), giving users a single-sign-on experience; most library staff use this method. We only have a few internal users for circ stations and admin back-up.

* Internal users: https://sbctc-spsccctc.alma.exlibrisgroup.com/mng/login
* External users: https://sbctc-spsccctc.alma.exlibrisgroup.com/SAML

Hope this helps.

Be well,

Lily Kun
She/Her Pronouns
Systems and Electronic Resources Librarian
lkun at spscc.edu | 360-596-5436 | https://library.spscc.edu


From: wactclc-alma <wactclc-alma-bounces at lists.ctc.edu> On Behalf Of Abby Koehler
Sent: Tuesday, June 06, 2023 1:15 PM
To: WACTCLC Alma Discussion <wactclc-alma at lists.ctc.edu>
Subject: Re: [wactclc-alma] ALMA login URLs and security certificate update

Hi Laurie and all,
I asked Ex Libris about this today because I was spending so much time trying to figure it out on my own. Here's what they said -- hope it's helpful to you if you need to make a change!

You are right that you are using the Version 2025 self-signed, not the DigiCert, service provider certificate in both Alma SAML integration profiles (shib and AZURE). You are good as far as not needing an update there.

Your Azure IdP certificate expires on 03/02/2025, and your shib IdP certificate expires on 02/06/2034. Alma does support the IdP certificate rollover. Both the old and new signing certificates can be stored in Alma at the same time. So you can replace an IdP certificate as follows without service interruption:

1. Get the new IdP certificate from your IT (usually IT would send a notification a few weeks before an IdP certificate expires)
2. Add the new certificate to your Alma SAML profile as a secondary signing certificate (in the "IDP Certificate 2" section).
4. Inform your IT to activate the new certificate.
5. Test. If all works well, you can remove the old certificate from the Alma SAML profile.

This is the only SAML IdP related certificate change in Alma, and you can consult further with your IT as well.

abby koehler
she/her/hers
Faculty Systems Librarian
Whatcom Community College
Book a meeting with me<https://outlook.office365.com/owa/calendar/abby1@whatcomccedu.onmicrosoft.com/bookings/>
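
Added example, not part of the original thread or of Ex Libris's reply: a pre-flight check, run with the openssl CLI on PEM files, that one could use before adding the new IdP certificate as the secondary signing certificate and again before removing the old one. The file names, the 30-day default window and the throwaway self-signed certificates are assumptions constructed for the demo.

```bash
#!/bin/sh
# Added example: pre-flight check for an IdP signing-certificate rollover.
# File names and the 30-day default window are assumptions for this demo.

# Constructed sample input: a throwaway self-signed cert valid for <days>.
make_sample_cert() {  # usage: make_sample_cert <days> <out.pem>
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2.key" \
    -subj "/CN=sample-idp-signing" -days "$1" -out "$2" 2>/dev/null
}

# SHA-256 fingerprint, used to tell two certificate files apart.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Print one status word for (current cert, candidate secondary cert).
rollover_check() {  # usage: rollover_check <current.pem> <new.pem> [days]
  rc_window=$(( ${3:-30} * 86400 ))
  for rc_f in "$1" "$2"; do
    openssl x509 -in "$rc_f" -noout >/dev/null 2>&1 ||
      { echo "UNREADABLE"; return 2; }
  done
  if [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]; then
    echo "SAME_CERT"; return 1          # the "new" file is the old cert
  fi
  if ! openssl x509 -in "$2" -noout -checkend "$rc_window" >/dev/null; then
    echo "NEW_CERT_EXPIRING"; return 1  # replacement expires inside the window
  fi
  if openssl x509 -in "$1" -noout -checkend "$rc_window" >/dev/null; then
    echo "OK_NOT_URGENT"                # current cert outlives the window
  else
    echo "OK_ROLL_NOW"                  # current cert expires inside the window
  fi
}

# Demo on constructed certificates: old one has 10 days left, new one 2 years.
tmp=$(mktemp -d)
make_sample_cert 10 "$tmp/old.pem"
make_sample_cert 730 "$tmp/new.pem"
rollover_check "$tmp/old.pem" "$tmp/new.pem"
openssl x509 -in "$tmp/new.pem" -noout -enddate
```

A `SAME_CERT` or `NEW_CERT_EXPIRING` result means the file received from IT should be questioned before it is uploaded as the secondary certificate.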

From: wactclc-alma <wactclc-alma-bounces at lists.ctc.edu> On Behalf Of Abby Koehler
Sent: Tuesday, June 6, 2023 9:49 AM
To: WACTCLC Alma Discussion <wactclc-alma at lists.ctc.edu>
Subject: Re: [wactclc-alma] ALMA login URLs and security certificate update


CAUTION: This email originated from outside your organization. Exercise caution when opening attachments or clicking links, especially from unknown senders.


Hi Laurie,
I've been trying to learn what the announcement means for our own setup, and I came across this language:

Alma supports the SAML 2.0 Web Browser SSO profile. This enables Alma to exchange authentication and authorization information, allowing a user to sign in or out of an external system and be automatically signed in or out of Alma, or vice versa.

Following Alma profile activation and third-party configuration, your institution's support staff changes the Alma login shortcut to the following URL (see Your Alma Domain Names<https://knowledge.exlibrisgroup.com/Alma/Product_Documentation/010Alma_Online_Help_(English)/010Getting_Started/050Alma_User_Interface_%E2%80%93_General_Information/030Logging_Into_and_Out_of_the_User_Interface#Your_Alma_Domain_Names>): https://<Alma domain>/SAML.

For a detailed overview of SAML-based SSO, see https://developers.exlibrisgroup.com/alma/integrations/user-management/authentication/inst_idp/saml.
From SAML-Based Single Sign On<https://knowledge.exlibrisgroup.com/Alma/Product_Documentation/010Alma_Online_Help_(English)/090Integrations_with_External_Systems/060Authentication/020SAML-Based_Single_Sign-On_Sign-Off#Replacing_an_IdP_Signing_Certificate>

-----------

I am still a little fuzzy on the process. I think there's an Alma metadata file in the Integration profile that needs to be updated away from the DigiCert version if you're using it. We aren't, but I don't know if that's (going to be) a problem...?

I think I do know that if the IdP certificate at our institution changes, I have to upload it and its metadata into Alma. I think.

abby koehler
she/her/hers
Faculty Systems Librarian
Whatcom Community College
Book a meeting with me<https://outlook.office365.com/owa/calendar/abby1@whatcomccedu.onmicrosoft.com/bookings/>

From: wactclc-alma <wactclc-alma-bounces at lists.ctc.edu> On Behalf Of Laurie Shuster
Sent: Thursday, June 1, 2023 6:00 PM
To: wactclc-alma at lists.ctc.edu
Subject: [wactclc-alma] ALMA login URLs and security certificate update



Hi Group!  We have a couple of different URLs to log into Alma.  Some start with sbctc and others start with adfs and our Pierce URL.  For example:

https://sbctc-piercecollege.alma.exlibrisgroup.com/....

Vs

https://adfs.pierce.ctc.edu/adfs?...

Three questions:

1) We're trying to figure out why some route through SBCTC.  Our backup admin account goes through SBCTC - which makes total sense.  But... not sure about the others.  Does going through SBCTC have some kind of advantage? Which do you all use - SBCTC or local URL?
2) With the SAML update - We've alerted our IT to the changes.  Do we need to do anything about the SBCTC URLs? Or does the State Board take care of that?
3) Is anyone aware of other things we might need to do about the certificate update? https://knowledge.exlibrisgroup.com/Alma/Release_Notes/2023/Alma_2023_Release_Notes?mon=202304BASE

Thank you!

Laurie

Laurie Shuster
Reference & Instruction Librarian
Pierce College
253-964-6305
lshuster at pierce.ctc.edu
Pronouns: she/her
