About the managed proxy service

Not all online subscription content has a compatible login yet, so as a stopgap whilst the publishers update their technology we provide a managed proxy service. Your account manager will be happy to discuss this with you.

FAQ

How do I tell you about a resource that doesn't have a proper login?

If you have done everything on the How to set up access to your subscribed content page, then your account manager is the person to speak to. You cannot create proxy resources yourself.

Why does resource X or Y no longer have a proxy option?

Sometimes it could be for security or compatibility reasons, but usually it is because the resource has implemented a superior SAML option. This is good news for both you and your users and means there is no longer any need for it to be proxied.

How does a proxy work... and why doesn't my IT team want to run one?

OK, here's the thing about proxy servers. There are two types - forward and reverse. A forward proxy sits between your network and the outside world and makes sure the web pages you're looking at (i.e. connections you initiate) come back to your computer and not to Janice in Accounts. If that sounds like what a firewall does, you're right because firewalls include a forward proxy. A reverse proxy is the reverse of that and is used when the outside world is initiating the connection to something inside your network (e.g. servers). Both are relatively simple.

When you are providing remote access to websites though, you have to use both types at the same time... and also have something sitting between them to rewrite all the traffic. It's this middle bit that your IT team would prefer not to have to handle.

Animation showing the proxy flow. At the authentication stage, a researcher's details are passed by reverse proxy and rewritten. At the authorization stage, a forward proxy then passes the data to the content provider.

What we do is take authenticated users to the proxied content, handling all the various rewrites that are necessary to get the content to the user and let them navigate the proxied site. The site authorises the user because they are coming from an IP address that the site associates with you.

How do I set up links?

The redirector is the easiest method as it uses WAYFless links and automatically picks up any changes to the linking syntax. You can also use the syntax https://proxy.openathens.net/login?qurl={target} where {target} is the desired page in the resource.
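The `qurl` syntax above as an added example, not OpenAthens code: the function names and sample target are hypothetical, and it assumes the proxy decodes `qurl` as an ordinary query-string value. It percent-encodes the target so the target's own `?` and `&` are not read as parameters of the login URL, and rejects targets that are not plain absolute http(s) URLs.

```python
from urllib.parse import urlsplit, quote, parse_qs

PROXY_LOGIN = "https://proxy.openathens.net/login"  # syntax given on this page


def proxied_link(target: str) -> str:
    """Return a managed-proxy link for an absolute http(s) target URL."""
    target = target.strip()
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"target must be an absolute http(s) URL: {target!r}")
    if parts.username or parts.password:
        raise ValueError("target must not carry embedded credentials")
    # safe="" encodes ':', '/', '?', '=' and '&' as well, so the whole target
    # travels as one opaque value of the qurl parameter.
    return f"{PROXY_LOGIN}?qurl={quote(target, safe='')}"


def target_of(link: str) -> str:
    """Recover the target from a proxied link, e.g. when auditing a link list."""
    parts = urlsplit(link)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != PROXY_LOGIN:
        raise ValueError("not a managed-proxy login link")
    values = parse_qs(parts.query).get("qurl", [])
    if len(values) != 1:
        raise ValueError("expected exactly one qurl parameter")
    return values[0]


if __name__ == "__main__":
    # Constructed sample target with its own query string.
    sample = "https://journal.example.org/search?q=saml&page=2"
    good = proxied_link(sample)
    naive = f"{PROXY_LOGIN}?qurl={sample}"  # unencoded: '&page=2' is split off
    print(good)
    print(target_of(good) == sample, target_of(naive))
```

Running `target_of` over an existing list of links is a quick way to find hand-built ones whose target was truncated at the first `&`.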

Why can’t you proxy the resource I want?

Most websites aren't designed with proxying in mind. Due to the vast number of web technologies and the complexities of some implementations, it's not always possible for us to proxy a resource. For the same reason, there are also occasions when we can't make every part of a website work with our proxy. In that case we may be able to help a content publisher implement a more modern authentication and authorisation flow using SAML or OIDC.

Why does my proxied resource keep breaking?

Websites grow organically, with new functionality being added more or less regularly depending on the publisher. As we don't have a relationship with the publisher in the proxy model, we don't know when changes will happen that might break our proxy configuration. However, once we are aware of an issue, we try to get the resource working again as soon as possible.

Are there other limits to the proxy functionality?

We can’t:

  • Perform any kind of authentication other than IP authentication, for which the proxy service is designed

  • Pass user-level attributes. The proxy works only with organisation-level authentication via IP

  • Proxy other authentication or authorisation methods. This is due to the difficulties and overheads of supporting them

  • Prevent a proxied resource from breaking. A resource can break if its website changes, at which point we will try to fix it as soon as possible. We can also help a content publisher implement SAML or OIDC to mitigate this and other issues

  • Support persistent connections such as WebSockets or Server-Sent Events (SSE). These connections are often used by chatbots

I'm a publisher and...

If one of our mutual customers needs to proxy your content to enable off-site access for their end users, they will include an IP address in their ranges that is used by our managed proxy service. If you've found your way here, it is probably because you checked who owned that IP.

You can be assured that the IP address they supplied will be unique to them within our managed proxy service so long as they are our customer.
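A publisher-side sketch of the IP authorisation this model relies on, as an added example rather than OpenAthens or publisher code: the organisation names, ranges (documentation address space) and function names are constructed. It maps a connection's source address to the organisation that registered it and refuses to load a table in which two organisations claim overlapping addresses, which is the property the uniqueness guarantee above protects.

```python
import ipaddress

# Constructed sample data: organisation -> registered ranges. The /32 entries
# stand in for each customer's unique managed-proxy address.
REGISTERED = {
    "org-a": ["192.0.2.0/24", "203.0.113.10/32"],
    "org-b": ["198.51.100.0/25", "203.0.113.11/32"],
}


def build_table(registered):
    """Parse the ranges and reject any that overlap between organisations."""
    table = []
    for org, cidrs in registered.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=True)
            for other_net, other_org in table:
                same_family = net.version == other_net.version
                if other_org != org and same_family and net.overlaps(other_net):
                    raise ValueError(
                        f"{cidr} ({org}) overlaps {other_net} ({other_org})"
                    )
            table.append((net, org))
    return table


def organisation_for(table, peer_ip):
    """Return the organisation licensed for this source address, or None.

    The result is organisation-level only: nothing in the lookup identifies
    the individual user behind the proxy.
    """
    addr = ipaddress.ip_address(peer_ip)
    for net, org in table:
        if addr.version == net.version and addr in net:
            return org
    return None


if __name__ == "__main__":
    table = build_table(REGISTERED)
    for ip in ("203.0.113.10", "192.0.2.55", "198.51.100.200"):
        print(ip, "->", organisation_for(table, ip))
```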

That said, your best route forward is to implement a login that is compatible with the many SAML federations around the world. This is the preferred solution of most medium and large organisations that purchase institutional licences. For a sample of these organisations, see: https://login.openathens.net/org-list.

Publishers do not have to use OpenAthens software to join our (or any) federation, but we do have some rather good options - see: OpenAthens for Providers. Many publishers who have implemented this kind of login have been able to disallow proxy access.

If your service uses Cloudflare

The Cloudflare service has been observed to sometimes mis-identify the OpenAthens Proxy as a robot or malicious agent and block access.

To avoid this, the Service Provider will need to update their Cloudflare configuration by adding the OpenAthens proxy domains to their Cloudflare allowed list:

  • proxy.openathens.net

  • eu1.proxy.openathens.net

  • us1.proxy.openathens.net

  • ap1.proxy.openathens.net

  • ap2.proxy.openathens.net

If this does not solve the issue, they may also need to add the customer’s unique OpenAthens Proxy IP address to the allowed list.
