[wactclc-alma] ALMA login URLs and security certificate update

Thomas, Kirsti Kirsti.Thomas at seattlecolleges.edu
Thu Jun 8 11:32:14 PDT 2023


Thanks for this Lily!

I had some vague memory that ADFS has something to do with local network accounts or something Microsoft related. I looked it up and Wikipedia says Active Directory Federation Services is "a software component developed by Microsoft, [that] can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries."

So I'm with Lily that any of your URLs with "adfs" in them are probably left over from the way you were authenticating when you first migrated to Alma.

We had to make an emergency switch to SAML authentication for Alma & Primo 2 weeks ago when our LDAP server failed.

Luckily, I'd already been working with my IT person on the Okta configuration & we'd had a call with Ex Libris Support a few days before.

One of the things I remember from the call is that my IT person had to do some kind of Okta configuration behind the scenes to make sure the "employeeID" field was being passed between Okta and Alma. I don't know the exact details.

During the support call, the Ex Libris staff person noticed we were using an Alma URL from migration:
na02.alma.exlibrisgroup.com/mng/login?institute=01STATEWA_SEATTLE&auth=local

The Ex Libris support person told us to use this instead:

Internal user accounts: sbctc-seattlecolleges.alma.exlibrisgroup.com
External user accounts: sbctc-seattlecolleges.alma.exlibrisgroup.com/SAML

To the best of my knowledge, all Alma-Primo domain names are managed/registered by Ex Libris, not us.

We all have sbctc in the domain names because we're all under the same SBCTC contract. The Orbis-Cascade Alliance libraries all have "alliance" in their domain names because they're all under the same contract.

That said...

Okta authentication for Alma requires:
* A SAML Integration profile in Alma
* appending /SAML at the end of the normal Alma URL

Okta authentication for Primo requires:
* A SAML Integration profile in Alma (that's different from the SAML integration profile for Alma)
* activating an Authentication Profile that has the same code as the Integration profile (There's no change to the Primo URL)

Details from my notes below:

Settings are in 2 places:

1) Alma config > General > External Systems > Integration profiles
This page has all the behind-the scenes configuration for authentication

Profile 1: SAML Authentication for Alma only
this has Okta configuration settings & security certificate info
Had to fill this out together with IT staff
Important settings:
User ID location = User ID is an Attribute element
User ID attribute name = employeeID

Profile 2: SAML Primo
this has Okta configuration settings & security certificate info
Had to fill this out together with IT staff
Important settings:
User ID location = User ID is an Attribute element
User ID attribute name = employeeID



2) Alma config > Discovery > Authentication > User authentication
This page controls what options appear when someone clicks the Sign In button in Primo
This page has nothing to do with Alma authentication

Alma Primo will look for an Integration profile in Alma config > General > External Systems > Integration profiles that has the same *code* as the Authentication Profile to determine which profile(s) to use when someone clicks Sign In in Primo.


One last note-- Library staff on shared circulation desk work stations have reported that when they try to log out of Alma, Okta logs them right back in. We're having to completely close browser windows whenever there's a shift change. I've also recommended that staff only use Private/Incognito browser windows when logging into Alma for now.

The IT person who manages Okta says he should be able to configure something that will allow us to log out of Alma and not get logged back in automatically. Something to mention to your IT folks whenever you implement Okta authentication for Alma-Primo.


It will be ok!

Kirsti S. Thomas (Hear my first name<http://namedrop.io/kirstithomas>)
Library Technical Services Manager & Systems Librarian
Seattle Colleges
kirsti.thomas at seattlecolleges.edu




From: wactclc-alma <wactclc-alma-bounces at lists.ctc.edu> On Behalf Of Lily Kun
Sent: Tuesday, June 6, 2023 14:01
To: WACTCLC Alma Discussion <wactclc-alma at lists.ctc.edu>
Subject: Re: [wactclc-alma] ALMA login URLs and security certificate update

Thanks for that info, Abby! I'm going to ask Ex Libris, too, and get clarification on what certifications we use. :)

Laurie, here's some info that may help figure out your first question:

When Alma was first implemented, there were a few ways to set up the authentication: ADFS; LDAP; CAS; SAML; etc. I think maybe Pierce initially set up ADFS, which is why one of your URLs starts with adfs. I remember Lesley mentioning that Pierce moved over to Okta sometime back? That's probably when the URL changed to sbctc.

We use Okta and have two logins, one for internal users and one for external users. External users can login using SPSCC's Clipper ID (same login as Canvas and library databases), giving users a single-sign-on experience; most library staff use this method. We only have a few internal users for circ stations and admin back-up.

* Internal users: https://sbctc-spsccctc.alma.exlibrisgroup.com/mng/login
* External users: https://sbctc-spsccctc.alma.exlibrisgroup.com/SAML

Hope this helps.

Be well,

Lily Kun
She/Her Pronouns
Systems and Electronic Resources Librarian
lkun at spscc.edu | 360-596-5436 | https://library.spscc.edu


From: wactclc-alma <wactclc-alma-bounces at lists.ctc.edu> On Behalf Of Abby Koehler
Sent: Tuesday, June 06, 2023 1:15 PM
To: WACTCLC Alma Discussion <wactclc-alma at lists.ctc.edu>
Subject: Re: [wactclc-alma] ALMA login URLs and security certificate update

Hi Laurie and all,
I asked Ex Libris about this today because I was spending so much time trying to figure it out on my own. Here's what they said -- hope it's helpful to you if you need to make a change!

You are right that you are using the Version 2025 self-signed, not the DigiCert, service provider certificate in both Alma SAML integration profiles (shib and AZURE). You are good as far as not needing an update there.

Your Azure IdP certificate expires on 03/02/2025, and your shib IdP certificate expires on 02/06/2034. Alma does support the IdP certificate rollover. Both the old and new signing certificates can be stored in Alma at the same time. So you can replace an IdP certificate as follows without service interruption:

1. Get the new IdP certificate from your IT (usually IT would send a notification a few weeks before an IdP certificate expires)
2. Add the new certificate to your Alma SAML profile as a secondary signing certificate (in the "IDP Certificate 2" section).
4. Inform your IT to activate the new certificate.
5. Test. If all works well, you can remove the old certificate from the Alma SAML profile.

This is the only SAML IdP related certificate change in Alma, and you can consult further with your IT as well.

abby koehler
she/her/hers
Faculty Systems Librarian
Whatcom Community College
Book a meeting with me<https://outlook.office365.com/owa/calendar/abby1@whatcomccedu.onmicrosoft.com/bookings/>
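Two things in this thread are worth seeing as code: the "User ID location / User ID attribute name = employeeID" settings in Kirsti's profile notes, and the Ex Libris rollover advice above that both the old and new IdP signing certificates can sit in the profile at once. The block below is an added illustration written for this thread, not Alma's or Ex Libris's code; it models how a SAML service provider resolves the user ID from an assertion under those settings (including the failure when the IdP does not release employeeID) and how it picks which of two configured IdP certificates an assertion matches. The certificate values and the sample assertion are constructed placeholders, and cryptographic signature verification is assumed to happen in the SAML library.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# The two profile settings from the notes: "User ID location" and the attribute name.
PROFILE = {"user_id_location": "attribute", "user_id_attribute": "employeeID"}

# IdP Certificate 1 (old) and IdP Certificate 2 (new) kept side by side during rollover.
# Constructed placeholder values, not real certificates.
IDP_CERTS = {"IDP Certificate 1": "OLDCERTBASE64", "IDP Certificate 2": "NEWCERTBASE64"}

def resolve_user_id(assertion_xml, profile=PROFILE):
    """Return the user identifier the SP would match against its user records,
    or None when the assertion does not carry it (the login then fails)."""
    root = ET.fromstring(assertion_xml)
    if profile["user_id_location"] == "nameid":
        el = root.find("saml:Subject/saml:NameID", NS)
        return el.text.strip() if el is not None and el.text else None
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == profile["user_id_attribute"]:
            val = attr.find("saml:AttributeValue", NS)
            return val.text.strip() if val is not None and val.text else None
    return None  # IdP did not release the configured attribute

def matching_idp_cert(assertion_xml, certs=IDP_CERTS):
    """Return the label of the configured IdP certificate whose value matches the
    certificate the IdP embedded in the assertion's KeyInfo, or None if neither does.
    Cryptographic signature verification is assumed to be done by the SAML library."""
    root = ET.fromstring(assertion_xml)
    el = root.find(".//ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if el is None or not el.text:
        return None
    presented = "".join(el.text.split())  # drop PEM line breaks before comparing
    for label, cert in certs.items():
        if "".join(cert.split()) == presented:
            return label
    return None

# Constructed sample assertion carrying the new certificate in its KeyInfo.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>NEWCERT
BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>jdoe@example.edu</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="employeeID"><saml:AttributeValue>E12345</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

With the attribute setting, `resolve_user_id(SAMPLE)` returns the employeeID value; if the IdP stops sending that attribute the function returns None, which is the situation Kirsti's IT person had to fix on the Okta side.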

From: wactclc-alma <wactclc-alma-bounces at lists.ctc.edu> On Behalf Of Abby Koehler
Sent: Tuesday, June 6, 2023 9:49 AM
To: WACTCLC Alma Discussion <wactclc-alma at lists.ctc.edu>
Subject: Re: [wactclc-alma] ALMA login URLs and security certificate update


Hi Laurie,
I've been trying to learn what the announcement means for our own setup, and I came across this language:

Alma supports the SAML 2.0 Web Browser SSO profile. This enables Alma to exchange authentication and authorization information, allowing a user to sign in or out of an external system and be automatically signed in or out of Alma, or vice versa.

Following Alma profile activation and third-party configuration, your institution's support staff changes the Alma login shortcut to the following URL (see Your Alma Domain Names<https://knowledge.exlibrisgroup.com/Alma/Product_Documentation/010Alma_Online_Help_(English)/010Getting_Started/050Alma_User_Interface_%E2%80%93_General_Information/030Logging_Into_and_Out_of_the_User_Interface#Your_Alma_Domain_Names>): https://<Alma domain>/SAML.

For a detailed overview of SAML-based SSO, see https://developers.exlibrisgroup.com/alma/integrations/user-management/authentication/inst_idp/saml.
From SAML-Based Single Sign On<https://knowledge.exlibrisgroup.com/Alma/Product_Documentation/010Alma_Online_Help_(English)/090Integrations_with_External_Systems/060Authentication/020SAML-Based_Single_Sign-On_Sign-Off#Replacing_an_IdP_Signing_Certificate>

-----------

I am still a little fuzzy on the process. I think there's an Alma metadata file in the Integration profile that needs to be updated away from the DigiCert version if you're using it. We aren't, but I don't know if that's (going to be) a problem...?

I think I do know that if the IdP certificate at our institution changes, I have to upload it and its metadata into Alma. I think.

abby koehler
she/her/hers
Faculty Systems Librarian
Whatcom Community College
Book a meeting with me<https://outlook.office365.com/owa/calendar/abby1@whatcomccedu.onmicrosoft.com/bookings/>

From: wactclc-alma <wactclc-alma-bounces at lists.ctc.edu> On Behalf Of Laurie Shuster
Sent: Thursday, June 1, 2023 6:00 PM
To: wactclc-alma at lists.ctc.edu
Subject: [wactclc-alma] ALMA login URLs and security certificate update

Hi Group!  We have a couple of different URLs to log into Alma.  Some start with sbctc and others start with adfs and our Pierce URL.  For example:

https://sbctc-piercecollege.alma.exlibrisgroup.com/....

Vs

https://adfs.pierce.ctc.edu/adfs?...

Three questions:

1. We're trying to figure out why some route through SBCTC. Our backup admin account goes through SBCTC - which makes total sense. But... not sure about the others. Does going through SBCTC have some kind of advantage? Which do you all use - SBCTC or local URL?
2. With the SAML update - We've alerted our IT to the changes. Do we need to do anything about the SBCTC urls? Or does the State Board take care of that?
3. Is anyone aware of other things we might need to do about the certificate update? https://knowledge.exlibrisgroup.com/Alma/Release_Notes/2023/Alma_2023_Release_Notes?mon=202304BASE

Thank you!

Laurie

Laurie Shuster
Reference & Instruction Librarian
Pierce College
253-964-6305
lshuster at pierce.ctc.edu
Pronouns: she/her
