Case Study: Devolved authentication at the University of Sussex

The following text is taken from the article in the May 2004 issue of the CILIP Journal Update.

By weaving two access control systems together, the University of Sussex achieved a single log-in to all networked resources for the user. Ben Wynne and Carol Shergold explain.

University libraries in the UK have long sought to provide their users with straightforward but secure access to their networked electronic information resources from anywhere. Achieving this has often appeared, however, as fruitless and frustrating as searching for the Holy Grail.

This article describes a project at the University of Sussex to give its staff and students such access using a single log-in. All that is needed now to access the Electronic Library is a university network username and password and these have to be entered once only during a web browser session (so-called 'single sign-on').

When accessing an electronic publication or database, each user must be identified (authentication) and then the resources that the user is entitled to access must be established ('authorisation'). The authentication and authorisation processes must comply with the licences for each electronic information resource. These licences define, among other things, who is an 'authorised user'.

Local context

In common with most university libraries, the University of Sussex Library offers its users access to a wide range of electronic publications and databases hosted by a multitude of different publishers' servers. Access to these resources is paid for, only available to members of the university and, therefore, must be controlled. Controlling access from machines on a university network is usually straightforward, but off-campus access to those same resources often requires a plethora of different usernames and passwords or, at worst, is not available at all. Complex (or non-existent) arrangements for off-campus access greatly limit the use and value for money of expensive electronic information resources.

Until September 2003 the university used one, or both, of two authentication methods for each of its networked electronic information resources: authentication on the basis of the Internet Protocol (IP) address of the machine being used; or authentication using a personal Athens username and password.

Resources that used IP-address authentication alone could be used only from machines on the campus network. Athens resources could, however, be used off campus. This provoked heavy demand for Athens usernames and passwords. Creating Athens accounts was very time-consuming as they were entirely separate from university network accounts. Although many staff and students had heard of the Athens authentication system through library publicity, they found it very confusing (what, after all, does the Greek capital have to do with accessing an electronic journal off campus?) and were constantly forgetting their usernames and passwords.

[Diagram: Sussex case study]

National context

The challenges posed by user authentication and authorisation have been the subject of much research and technical development in recent years. The Joint Information Systems Committee (Jisc) of the UK further and higher education funding councils has funded, and continues to fund, a number of projects in this area. One such project, Angel, included a study of currently available authentication and authorisation services.

Achieving 'single sign-on' in the UK has been further complicated, in some respects, by the extensive use of the Athens access management system. While Athens has been very successful it has also, until very recently, been impossible to integrate within institutional access management systems.

The University of Sussex's Electronic Library authentication project had a number of objectives:

The technical solution used a proxy and a relatively new Athens service called Athens Devolved Authentication (Athens DA).

The core of the project lay in weaving these two access control systems together to achieve a single log-in to all networked resources from the user's point of view.

Many libraries use a so-called 'proxy' to enable secure off-campus access to IP-address authenticated resources. Access is routed via a machine on the home institution's network (the proxy). Such access appears to the publisher or data provider's server to originate from a machine with an authorised IP-address and access is, therefore, provided.

However, most proxy software requires various settings to be altered in the user's web browser. We were very keen to avoid using software of this kind as it results in many queries and access problems.

EZ Proxy provided a solution. This software is cheap, robust, used by many libraries (particularly in the US and increasingly in the UK) and, very importantly, does not require the user to adjust any settings in the web browser.

Athens DA was made generally available by EduServ, providers of the Athens access management system, in the summer of 2003.[6] Athens DA enables Athens access requests to be authenticated and authorised against the subscribing institution's own user records. Effectively, this means that users can use a local network username and password to access the Athens authenticated resources to which their institution subscribes.

To use Athens DA, the user must first log in to a web-based institutional service. We wanted to use the university portal (University of Sussex Direct) and also allow users to log in from the library's homepage.[7]

Weaving it all together

EZ Proxy and Athens DA were both tried and tested solutions but we needed to get them to work together.

The issues the project team needed to address included:

The following steps take place when a user logs into the Electronic Library from the library homepage (illustrated in the diagram, below, left).

1 User clicks on link to Electronic Library on the library homepage.

2 Script checks for presence of local cookie.

3 (If local cookie not present) redirects to local secure page and requests username and password from user. Authenticates user via University LDAP server.

4 If user is authenticated, checks user is authorised to access Electronic Library resources via call to university administration database.

5 Script writes local cookie based on user's eligibility. If user is eligible then script also invokes the Athens DA script.

6 Athens DA script handles the Athens authentication.

7 Athens cookies are written to the browser.

8 The browser is redirected back to the Electronic Library homepage.

9(a) User clicks on link for an IP-authenticated resource. EZ Proxy checks local cookie.

9(b) User clicks on link for an Athens-authenticated resource. Athens cookies checked.
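The log-in sequence above, as a minimal runnable model. This is an added illustration, not the University of Sussex's own scripts: the university LDAP server, the administration database and the Athens DA script are replaced by in-memory stand-ins with constructed sample accounts, and the local cookie format (HMAC-signed and time-limited, so that EZ Proxy can accept it without calling back to the log-in script) is an assumption, since the article does not say how that cookie is built. The point the model makes is that the cookie EZ Proxy trusts in step 9(a) has to be unforgeable and has to expire; a plain "eligible=1" cookie could be set by anyone with a browser.

```python
import hashlib
import hmac
import time

# Constructed stand-in for the university LDAP directory (step 3):
# username -> salted PBKDF2 verifier. A real deployment binds to LDAP instead.
_SALT = b"constructed-salt"


def _verifier(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


LDAP_DIRECTORY = {
    "alice": _verifier("correct horse battery"),  # entitled member of the university
    "bob": _verifier("hunter2"),                  # network account, no Electronic Library entitlement
}

# Constructed stand-in for the university administration database (step 4).
ELECTRONIC_LIBRARY_ENTITLED = {"alice"}

# Assumption: the local cookie is HMAC-signed with a secret shared with EZ Proxy
# and carries an expiry, so the proxy can verify it offline and it cannot be forged.
COOKIE_SECRET = b"constructed-secret-shared-with-ezproxy"
COOKIE_LIFETIME = 8 * 3600  # seconds; one working day


def ldap_authenticate(username: str, password: str) -> bool:
    """Step 3: check the username/password (stand-in for an LDAP bind)."""
    stored = LDAP_DIRECTORY.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _verifier(password))


def is_entitled(username: str) -> bool:
    """Step 4: authorisation check against the administration database."""
    return username in ELECTRONIC_LIBRARY_ENTITLED


def _sign(payload: str) -> str:
    return hmac.new(COOKIE_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def write_local_cookie(username: str, eligible: bool, now: float) -> str:
    """Step 5: local cookie recording the user's eligibility (usernames contain no '|')."""
    payload = f"{username}|{int(eligible)}|{int(now) + COOKIE_LIFETIME}"
    return f"{payload}|{_sign(payload)}"


def read_local_cookie(cookie, now: float):
    """Parse and verify the local cookie; None if absent, tampered with or expired."""
    if not cookie:
        return None
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    username, eligible, expiry, mac = parts
    payload = f"{username}|{eligible}|{expiry}"
    if not hmac.compare_digest(mac, _sign(payload)):
        return None  # signature mismatch: forged or altered cookie
    if int(expiry) <= now:
        return None  # expired: user must log in again
    return {"username": username, "eligible": eligible == "1"}


def athens_da_login(username: str) -> dict:
    """Steps 6-7: stand-in for the Athens DA script; returns the Athens cookies
    that an Athens-authenticated resource checks in step 9(b)."""
    return {"ATHENS_SESSION": _sign(f"athens|{username}")}


def electronic_library_login(cookies: dict, username=None, password=None, now=None):
    """Steps 2-8: returns (updated browser cookies, outcome)."""
    now = time.time() if now is None else now
    if read_local_cookie(cookies.get("EL_LOCAL"), now):           # step 2
        return cookies, "already-logged-in"
    if not ldap_authenticate(username or "", password or ""):     # step 3
        return cookies, "bad-credentials"
    eligible = is_entitled(username)                              # step 4
    updated = dict(cookies)
    updated["EL_LOCAL"] = write_local_cookie(username, eligible, now)  # step 5
    if eligible:
        updated.update(athens_da_login(username))                 # steps 6-7
        return updated, "logged-in"                               # step 8: redirect
    return updated, "not-entitled"


def ezproxy_allows(cookies: dict, now=None) -> bool:
    """Step 9(a): EZ Proxy forwards the request only on a valid, eligible local cookie."""
    now = time.time() if now is None else now
    info = read_local_cookie(cookies.get("EL_LOCAL"), now)
    return bool(info and info["eligible"])


if __name__ == "__main__":
    browser, outcome = electronic_library_login({}, "alice", "correct horse battery")
    print(outcome, ezproxy_allows(browser), "ATHENS_SESSION" in browser)
```

The outcome strings map onto the support queries the article mentions: "bad-credentials" is the faulty-university-account case, and "not-entitled" is the user with a network account but no Electronic Library entitlement. Because the entitlement is baked into the signed cookie at log-in time, a change in the administration database takes effect only when the cookie expires, which is why the lifetime is kept short.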

When the user accesses the Electronic Library via University of Sussex Direct, the sequence is slightly different.

Implementation

The new Electronic Library access arrangements were introduced in September 2003 and have proved technically robust.

Initial queries related largely to users with faulty university accounts. Inevitably, some queries also arose from users with network accounts but without Electronic Library access entitlements.

Queries about Athens accounts and off-campus access are now largely a thing of the past. The simplicity of the new arrangements is largely taken for granted and that, at least in part, is a measure of their success.

One Athens-authenticated resource to which we subscribe remains outside the new access arrangements as it does not support use of Athens DA. We continue to provide our users with Athens accounts to use this resource. Users create their own personal Athens account by using an Athens self-registration account which is only available to university members and can only be used from machines on campus.

A few important issues remain unresolved. We need to review those with Electronic Library access rights and those without. This is not a technical issue but relates to licences for electronic resources and their different treatment of honorary and visiting academic and research staff, for example.

More work is required to obtain comprehensive usage statistics for each of our electronic information resources in the format we need for budgetary and management information purposes.

At the moment, all university employees and students are entitled to access all electronic information resources under the terms of our licences. However, if in the future we need to control access to particular resources on a faculty or departmental basis, for example, the access management controls would need to be adapted, as access is not currently authorised on a per-resource basis.

The new access management arrangements have undoubtedly simplified Electronic Library access for our users. We cannot claim to have found the elusive Holy Grail of electronic library authentication and authorisation. However, we hope to obtain a few years' use from these arrangements before the continuing research and development efforts of Jisc and others lead to more sophisticated authentication and authorisation mechanisms for the UK academic community.

References

1 Each machine on the internet has an Internet Protocol (IP) address. When an institution subscribes to an electronic information resource which uses IP-address authentication, it is necessary to inform the information provider of all the institutional IP addresses used. Access from machines with those IP addresses is then permitted. Institutional IP addresses are allocated within a particular range or ranges of number sequences.

2 Athens caters for user authentication and authorisation (i.e. different users can be given different access entitlements). For information about Athens, visit www.athensams.net

3 For further information about Jisc's Authentication, Authorisation and Accounting (AAA) Programme, visit http://www.jisc.ac.uk/index.cfm?name=programme_aaa

4 Nicole Harris. MLEs for Lifelong Learning Programme: Authentication Study. Angel Project (London School of Economics and Political Science), 2003. Available from: http://www.angel.ac.uk/accessmanagement/jisc_as/index.htm

5 Full information about EZ Proxy is available from http://www.usefulutilities.com

6 Full technical information about Athens DA for the university's administration is available from the AthensDA section on the Eduserv Athens website.

Athens DA was developed in collaboration with the University of Ulster. Information about the University of Ulster's use of Athens DA is available from http://www.ulster.ac.uk/library/4i/index.html

7 An adaptation of Athens DA which enables the user to log into an Athens-authenticated resource directly using a local network username and password is currently being developed.

Ben Wynne (b.b.l.wynne@sussex.ac.uk) is Library e-Strategy Leader and Carol Shergold, Senior Database Developer, at the University of Sussex.

Updated: 16 November 2004