III Advanced Authentication

Conditions and Actions

III authentication is controlled by a series of conditions and actions. Conditions are tests that must be true if the current line is to be considered further. The III specific conditions are IfExpired, IfRefused, IfTest, and IfType. Actions are things that EZproxy should do. The III specific actions are Date, Host, Ignore, and Password.

In addition to the III specific conditions and actions, there are a large number of common conditions and actions available, including Deny, Group, and Stop. See Common Conditions and Actions for more information.

III specific conditions

These are the III specific conditions available and what they test:

True if the user's account expiration date has passed.
True if the III server refused patron API connection, typically due to the system being down.
IfTest var value[,value...]
Tests an arbitrary patron variable to see if it is among the values specified. var is the short name of the variable such as p53 for the home library; the values may contain the * wildcard to match 0 or more characters.
IfType value[,value...]
Tests the patron type [p47] field against the specified values and returns true if the patron type matches one of these values.

III specific actions

These are the III specific actions available:

Indicates the format of the date when evaluating expiration date. Parameters are MDY (default), DMY and YMD to indicate the sequence in which the Month, Day and Year will appear.
When used as an action with the Expired condition, indicates that expired cards should be considered valid; when used as an action with the Refused predicate, indicates that the system should treat the remote user as though their information was valid.
Indicates the name of the system where the III Patron API is running. If followed by a simple hostname, EZproxy connects to the specified hostname using the http protocol to port 4500. The hostname may be prefixed with https:// to indicate that an https connection should be used from EZproxy to the III Patron API when making the request. The hostname may be followed by a colon and a port number to indicate that a port other than 4500 should be used when making the request.
If used, this action must appear before the Host action. This action may appear as "password last" to tell EZproxy to check the login form field "pass" against the last name, "password pin" to check the login form field pass against the user's pin number, "password both" to tell EZproxy to check the login form field "pass" against the last name and to check the login form field "pin" against the user's pin (you must add the field "pin" to login.htm and loginbu.htm if using this option).
Allows matching based on any part of the III patron name field matching any part of the EZproxy password field. For example, if pn is
Smith-Jones Jr, Patricia "Pat" Robin Q, then any of the following would match:

Pat Smith
Smith Patricia
Robin Jones
Pattie Smith

Note that Pattie Smith matches, even though Pattie is not present, since Smith is present and does match.

When performing this test, Jr and Sr are ignored. Unless pn is made up of only single characters, single characters are also ignored. As a result, these by themselves would not match:


To use this form of name match, add the directive PartialNameMatch before your Host line, such as:

Host iii.yourlib.org

Vary EZproxy groups based on III types

This configuration demonstrates how a single condition can accept multiple actions such as the Group and Stop directives, both of which only occur if the condition is true.

Not IfUser -RE [0-9]+; Stop
Host iii.mylib.org
IfRefused; Deny irefused.htm
IfExpired; Deny iexpired.htm
IfUnauthenticated; Stop
IfType 1,2; Group Restricted; Stop
IfType 3,4,5; Group Default+Restricted; Stop
Deny itype.htm

See Groups for more information on EZproxy groups.