Deciding which parts are best for you
OpenAthens contains many options for how your end-users get authenticated. This flowchart may help you decide.
There are two places where it says to see the documentation - they are:
Use an OpenAthens local authentication connector
There are connectors for the following systems:
- ADFS (Microsoft Active Directory Federation Server, also Azure)
- CAS (Client Access Server)
- LDAP (including Active Directory)
- SAML (general SAML sources such as Google, Ping)
There is also an API connector for any systems not listed above.
This is about reducing the number of places where your users need to enter their credentials. They may be the same set of credentials, but they would probably rather not have to enter them repeatedly during a session - e.g. log on to the network, then use the same credentials to access a VLE, and again when an online journal refers them to OpenAthens.
A lot depends on your setup, so your best bet is to discuss this with your account manager. However, a Windows network is a common enough scenario to use as an example:
The tale of 'May-Ditup University'
May-Ditup University have:
- A Windows domain controller that authorises access to the network
  - By extension they have Active Directory and can enable ADFS
- A Moodle VLE running several courses, connected to Active Directory to authenticate users
- A library catalogue of links to resources
- 24,000 end-users with OpenAthens accounts, 4,000 of which are distance learners
End users enter the same credentials to log onto the network and again to access the VLE. When they follow links to journals from the VLE or library catalogue they use their OpenAthens credentials (once).
Individual things that can simplify this for the users:
1. Enabling a SAML login on the VLE would allow OpenAthens to be an access method. Users would not need to enter credentials again when they linked off to a resource
   - No real change for the on-site users as it is still two sets of credentials
   - Remote users who only needed network credentials for VLE access now only need one set of credentials for the VLE or on-line resources in the library catalogue
   - (This is especially useful if you have internal resources that can use SAML, but not otherwise connect to your directory)
2. Enabling ADFS and using that as a local authentication source in OpenAthens would allow network credentials to be used when users link off to a resource
   - Network access, VLE access and resource access now use the same credentials and there is no need for separate OpenAthens credentials.
   - Users may still need to enter credentials in multiple places
3. Link the domain login to ADFS. This is usually done using a tool called Kerberos, but other options are available depending on your setup and desktop clients
   - Your on-network users will not see the ADFS login prompt if they are referred to it by anything
   - Your off-network users will see the ADFS login
Any one of those would be an improvement for many thousands of end-users, especially number 2, but combining number 2 with either or both of the others would mean that:
- 1 + 2
  - All users would only have to enter credentials once to access the VLE and on-line resources
  - On-network users would still need to log on to the network separately
- 2 + 3
  - On-network users would not have to enter their credentials again to access on-line resources
  - All users would need to sign in to the VLE and on-line resources separately
- 1 + 2 + 3
  - On-network users would not have to enter their credentials again to access the VLE or on-line resources
  - Remote users would only have to enter credentials once to access the VLE and on-line resources