Shibboleth

OCLC plans to add Shibboleth to the suite of authentication mechanisms on the OCLC FirstSearch service that now includes manual login via authorization/password, IP address recognition, Web script, IP Referrer, Athens and NCIP. This enhancement is planned for June 29. There will be no additional cost to OCLC libraries for using Shibboleth. (Federation memberships are available for a fee.)

Shibboleth utilizes the existing campus identity and access management infrastructures to authenticate individuals for access to restricted digital content and secure online services. The user may be on campus or on a Blackberry at the mall. The resource may be held locally or halfway around the world. In any case, users' personal data stays within the domain of their home institution.

Shibboleth is built on a fabric of trust relationships codified in federations made of institutions and resource holders with parallel needs and interests. InQueue is the test federation for current Shibboleth implementations. InCommon is the information industry's federation for live production use.

OCLC has been part of a large Shibboleth project, working with libraries and other service providers for the last few years in pilots and beta testing. The Shibboleth project was supported with funding from several large libraries, Internet2 and the NSF Middleware Initiative.

OCLC's library partners in the testing of Shibboleth have been:

  • Brown University
  • Carnegie Mellon University
  • Columbia University
  • Georgetown University
  • Georgia State University
  • Penn State University
  • University of California at San Diego
  • University of Washington
  • University of Texas at Arlington

Successful workflow:

  1. A user attempts to access FirstSearch and is prompted to select his or her home library via the Where Are You From (WAYF) server.
  2. FirstSearch contacts the user's home institution. (The home institution and FirstSearch are both part of the InCommon federation.)
  3. The home institution contacts the user and prompts for personal data.
  4. The user provides personal data to the home institution and the home institution determines user privileges. (The home institution could be running LDAP or any other authentication mechanism. Personal data is defined by the home institution. The user retains complete control over personal data and could elect to share some/all of it externally if they want.)
  5. The home institution contacts FirstSearch with user privileges.
  6. FirstSearch serves up the proper set of databases to the user.
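
The six steps above, modeled as an added Python example (not OCLC or Shibboleth code) to show which data crosses the boundary between the home institution and the service. All names, keys, accounts and database titles are constructed, and an HMAC over a per-member key stands in for the signed assertions and federation metadata that real deployments use.

```python
import hashlib
import hmac
import json

# Constructed sample data; every name, key and value here is hypothetical.
FEDERATION = {"idp.example.edu": b"demo-key-example-edu"}  # members and their keys
RELEASE_POLICY = {"firstsearch": ["entitlement"]}  # what the IdP may release per service
DIRECTORY = {"jdoe": {"password": "correct horse", "name": "J. Doe",
                      "email": "jdoe@example.edu", "entitlement": "library-patron"}}
DATABASES = {"library-patron": ["Database A", "Database B"]}


def _sign(key, attributes):
    body = json.dumps(attributes, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def idp_login(idp, sp, username, password):
    """Steps 3-5: the home institution authenticates the user locally and
    returns only the attributes its release policy allows for this service."""
    user = DIRECTORY.get(username)
    # Plaintext password only to keep the demo short.
    if user is None or not hmac.compare_digest(user["password"].encode(),
                                               password.encode()):
        return None
    released = {k: user[k] for k in RELEASE_POLICY.get(sp, [])}
    return {"issuer": idp, "attributes": released,
            "sig": _sign(FEDERATION[idp], released)}


def sp_authorize(assertion):
    """Step 6: the service accepts assertions only from federation members,
    checks integrity, then maps the privilege to a database list."""
    if assertion is None:
        return []
    key = FEDERATION.get(assertion["issuer"])
    if key is None:
        return []  # issuer is not in the federation
    expected = _sign(key, assertion["attributes"])
    if not hmac.compare_digest(expected, assertion["sig"]):
        return []  # attributes were altered after signing
    return DATABASES.get(assertion["attributes"].get("entitlement"), [])


def access(idp, username, password):
    """Steps 1-2: the user picks a home institution at the WAYF and the
    service hands the login off to it."""
    if idp not in FEDERATION:
        return []
    return sp_authorize(idp_login(idp, "firstsearch", username, password))
```

The service side never sees the password, name or e-mail address; it receives only the released entitlement, and it rejects assertions from issuers outside the federation or with altered attributes.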

Please direct questions about OCLC's implementation of Shibboleth to shibboleth@oclc.org.

For information on Shibboleth, please go to http://shibboleth.internet2.edu/.