Security Audit Inspires Iowa State University Library to Discontinue Proxy Service and implement OpenAthens for single sign on authentication
Iowa State University, classified as a Carnegie Foundation Doctoral and Research University, enrolls approximately 32,000 students in a variety of academic programs including agriculture and life sciences, veterinary medicine, engineering, business, liberal arts, and design.
To support the research needs of Iowa State University students and faculty, the University Library maintains approximately 2.5 million physical volumes and 770 electronic resource collections. Recently, a security audit by the University’s IT department prompted the library to move from a proxy-based authentication method to OpenAthens, a SAML-based single sign on authentication and identity management system that offers seamless access, a personalized research experience, and greater security.
The challenges
Assessment and Planning Assistant Director Greg Davis and his team collaborated with the University’s IT department to conduct a security audit of all library applications. At the same time, the IT department had begun the process of phasing out local servers and applications and migrating to cloud-based services.
When IT learned that the library had experienced security issues that resulted in a temporary loss of guest users’ access to some publisher resources, both teams began looking for a more secure, single sign on authentication solution.
“OpenAthens appeared on our radar as a solution that would provide access in a more secure fashion"
Although the library’s proxy-based solution offered a cloud-based option, Davis said, it would not provide the level of security that OpenAthens delivers.
The solutions
In March 2020, the Iowa State campus shut down due to the COVID-19 coronavirus pandemic. In May, at the height of the quarantine period, 12,000 accounts were automatically set up when users logged in to the University’s Okta system.
Davis said the implementation took a while, but it went smoothly.
“We had a really good support experience with the OpenAthens project team at EBSCO. They were always responsive to our requests.”
By switching to OpenAthens, the library has reduced the risk of security breaches and satisfied the IT department’s request that all library users be required to log in, even when they are on campus. The library now utilizes OpenAthens managed proxy service for publishers who do not offer federated access and avoid the need for the locally hosted proxy server.
The library is now able to utilize OpenAthens as an IdP for guest authentication. ISU’s prior system required the participation of multiple departments to update a local directory (LDAP) server in order to create guest accounts. Now the library can create accounts directly in OpenAthens, allowing guests to log in and access e-resources in minutes. Besides saving time for the patron, library, and IT, this workflow allows to conform to data protection and policy requirements.
Benefits and results
Using OpenAthens’ managed proxy and IdP functionality has enabled Iowa State to reduce efforts and costs associated with managing local servers.
In addition, OpenAthens is providing library leaders with easier access to usage data. The library still relies on COUNTER data as the gold standard for measuring e-resource use, but Davis believes the OpenAthens data will help to fill in the gaps.
The library ran reports comparing May 2020 e-resource usage to May 2019, and the numbers were consistent.
“The switch to OpenAthens for e-resource access, even though it occurred during the COVID-19 shutdown, didn’t cause an increase or decrease in people using our library system. Users didn’t recognize that they were logging in through a different system.”
Watch their case study
Watch Dr. Greg Davis discuss Iowa State’s experience with legacy IP authentication and moving to OpenAthens
A Spotlight on Remote Authentication
Watch the webinarWant to talk to another user? We can help with that.
Get in touch, we will use your contact details to respond to your request.
All required fields are marked with '*'