Integrating EZproxy with Campus Authentication
Part of the discussion around RA21 involves the movement away from IP-based authentication and towards SAML-based methods of authentication for access to electronic resources. In a nutshell, SAML (Security Assertion Markup Language) is a secure protocol for exchanging user information between trusted systems. SAML is the underpinning to a number of technologies with strong branding and name recognition in the library world, like Shibboleth and OpenAthens. With the introduction of RA21, an opportunity has emerged for libraries to transition the authentication mechanism used by EZproxy, a commonly deployed application used to provide IP-based access to subscription content from outside of the campus network.
If there’s a movement away from IP-based authentication, you might be wondering why you’d be motivated to switch to using a SAML-based authentication method for an IP-based application. Or perhaps, why you’d need an application like EZproxy at all. It’s useful to keep in mind that not all publisher platforms will be SAML-compliant in the near term. While large publishers are capable of shifting technologies quickly, smaller publishers will continue to provide IP authentication or credentialed access to their content for the foreseeable future.
When compared to the III patron API, using a SAML-based service is more secure, provides synchronized password reset when needed, and more fully integrates the library's electronic resources into the campus environment by standardizing access credentials across multiple campus platforms (email and learning management systems, for instance). Improvements to user experience, such as reducing the hurdles to resource access for online-only students who may never come to campus or providing an intuitive and familiar login prompt, are just a few of the benefits. By switching the authentication method used by EZproxy, you'll gain the efficiencies and security provided by a SAML-based authentication method while maintaining the IP authentication used by EZproxy and the layer of anonymity that it affords to the library user with respect to the subscription vendor.
What if you could gain these efficiencies by integrating EZproxy with an existing campus-based solution?
When I talk with our members about moving towards a SAML-based authentication solution to access the library's electronic resources, they are often surprised that the necessary technology may already be available from, and preferred by, the campus IT department. For example, Google's G Suite has the ability to function as a SAML-based identity provider for single sign-on. Configuring EZproxy to authenticate using your G Suite directory is one step towards establishing a single sign-on environment that is inclusive of the library’s electronic resources.
Microsoft subscribers also have a few options available for integrating EZproxy with a SAML-based authentication solution. Azure Active Directory can be used as a SAML-based identity provider. Keep in mind that a premium subscription to Azure Active Directory is required to integrate a “non-gallery application” like EZproxy. Or, if you're running an on-premises instance of Active Directory, ADFS (Active Directory Federation Services) can be used to establish a SAML-based single sign-on environment with EZproxy.
If you’re interested, but aren’t sure how to get started, we’d be happy to give you guidance through the process.
Configure single sign-on to applications that are not in the Azure Active Directory application gallery