NCIP access to FirstSearch: getting started

General information

NCIP authentication overview

Library patrons sometimes request access to library services from remote locations. Libraries need to be able to authenticate and authorize access to their services for these remotely located patrons. Proxy servers and similar mechanisms allow libraries to perform these functions, but not without intensive resource commitments (time spent on setup and maintenance, money invested in equipment, etc.). Circulation system patron authentication for the FirstSearch service, through the use of the NISO Circulation Interchange Protocol (NCIP), allows library patrons to gain appropriate access to the FirstSearch service from any location. NCIP is an approved NISO standard that defines messaging between circulation systems, ILL systems, or broker applications. NCIP has many applications, only one of which is authenticating patrons for access to an online service.

The FirstSearch service currently allows manual logon, IP address recognition, scripted access, IP referer, and Athens authentication, none of which provides a complete access solution for all remote users. The NCIP-based patron authentication feature does not replace these existing authentication methods; it complements and supplements them.

Local library systems store circulation and patron authentication information that FirstSearch can use for remote patron authentication. To be authenticated for FirstSearch access, a patron must enter information required by the library, which, through its authorization(s), controls who has access to FirstSearch. The end goal is to allow patrons to get into the appropriate FirstSearch account according to their library affiliation(s).

Trust relationships

OCLC and libraries use the NISO Circulation Interchange Protocol to exchange information needed to authenticate a patron for access to the FirstSearch service. Information is requested from a patron and passed securely over https to a library's local system (this means that the local system must support the https protocol). The local system then responds and, where possible, sends back more information about the patron. The information passed depends on the purpose of the transaction. Limited information is required to authenticate a patron for individual access to FirstSearch.

Libraries use the NCIP Authentication screen in their FirstSearch administrative module to control the local systems that are configured for NCIP. A library most likely sets up NCIP for its own local system, but it might also set up NCIP for local systems that are geographically close or in its own group. The library retains control of where its patrons' data is exchanged; therefore, OCLC assumes a trust relationship with any local system that is configured for NCIP.

A trust relationship between OCLC and any local system configured for NCIP means that both parties, while not necessarily agreeing on how to handle patron data, are satisfied with how the other is behaving with respect to that patron data. OCLC acts as a broker in this exchange, so the parties involved are:

  • The home library of the patron in question
  • The local system with which the patron is interacting at any given time

While OCLC cannot control what a local system does with patron data once it is received, OCLC assumes that the library that configured access to that local system is aware of the system's policies and is satisfied with how patron data is handled and safeguarded. OCLC also safeguards user data, and does not retain this data any longer than it takes to complete the requested transaction.

NCIP authentication tasks

Identify and test the local system host and port

An administrator has the ability to identify one local system per FirstSearch authorization for use in authenticating patron access to the circulation system.

Complete the following steps to perform this task.

Step 1
  Action: In the Local System Host and Port field, enter a local system host and port string that identifies the local system you want to define for authenticating patron access.
  Example: https://sp03e15.prod.oclc.org:4103
  Note: OCLC uses only https protocol to talk to your local system host, so your local system must support https.

Step 2
  Action: Click Save Changes.
  Result: The system displays "NCIP screen changes saved" under the screen title.

Step 3
  Action: Click Test.
  Result: If the test is successful, the system displays a FirstSearch login screen that shows local prompts for NCIP access. If the test is not successful, the system displays an error message similar to the following: "NCIP messaging problem. Please contact your library's system administrator for assistance."



Control requirements for authenticating access to FirstSearch

An administrator has the ability to control whether or not a patron logging in to FirstSearch must log on with both a known IP address and approved NCIP access.

Note: If IP address recognition is not already set up for your authorization, you'll receive an error message when you try to save changes.

Complete the following steps to perform this task.

Step 1
  Action: If you want to require a patron logging in to FirstSearch to have to log in from a known IP address and have approved NCIP access, check the On box. If you do not want to require a patron logging in to FirstSearch to have to log in from a known IP address and have approved NCIP access, do not check the On box.
  Note: The default state of the On box is not checked.

Step 2
  Action: If you checked the On box, click Save Changes.
  Result: The system displays "NCIP screen changes saved" under the screen title.


Add an addendum to the error message displayed for unsuccessful logins

An administrator has the ability to add a custom-text addendum to the system-generated error message reporting an unsuccessful NCIP login attempt.

Complete the following steps to perform this task.

Step 1
  Action: In the Error Message Addendum text entry box, type custom text to be appended to the system error message reporting an unsuccessful NCIP login attempt. Include specific contact information such as the name and phone number of the person to contact.
  Example: Call I. Fixitall at 555-1234.
  Note: The maximum allowable number of characters (including spaces) is 255.

Step 2
  Action: Click Save Changes.
  Result: The system displays "NCIP screen changes saved" under the screen title.


Construct URLs

IP address recognition can be used to trigger NCIP authentication. If you have existing IP address recognition URLs, you can reconfigure them with NCIP to allow access using IP address recognition and/or NCIP authentication.

NCIP authentication only

The following sample URLs allow access to the FirstSearch service using only NCIP authentication:

<http://host:port/FSNCIP?ncipautho=xxx>


<http://host:port/FSNCIP?autho=xxx>

Note: The FSNCIP parameter signifies only NCIP will be used. An authorization is required in the URL. These samples assume authorization XXX is configured with NCIP details in the administrative module.

IP and/or NCIP, same authorizations

These sample URLs allow access to the FirstSearch service using IP recognition and/or NCIP authentication:

<http://host:port/FSIP?autho=xxx>


<http://host:port/FSIP>


<http://host:port/FSIP?ncipautho=xxx>

The ncipautho parameter is used when the IP authorization and the NCIP authorization are different (this allows you to create a single URL for access to the FirstSearch service that can be used for both IP and for remote users).

The autho= parameter denotes a secondary authorization for IP purposes. If an authorization is noted, it will be used to check whether NCIP authentication should be attempted. If no authorization is noted, the primary authorization associated with the IP address will be checked to see if NCIP authentication should be attempted.

In the administrative module, for a given authorization, you can indicate whether both IP and NCIP must be successful for access to the service. In this case, the above URLs can all be used as long as the IP authorization and the NCIP authorization are the same (regardless of whether they are noted in the URL).

IP and/or NCIP, different authorizations

The following sample URLs can be used when the authorization for IP and the authorization for NCIP are different:

<http://host:port/FSIP?ipautho=xxx&ncipautho=yyy>

<http://host:port/FSIP?ncipautho=xxx>

This allows a single URL for FirstSearch access that attempts NCIP authentication only in the event that IP address recognition fails. All IP parameters, such as screen name, database, and others, will also work with NCIP.
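
Added example (not part of the original OCLC page, and not OCLC code): the Python code below applies the parameter rules described in this section to an access URL and reports which authorization the IP check and the NCIP check would each use, which is useful when reviewing links before they are published to patrons. The function names, the fs.example.org host and the authorization numbers are constructed for illustration, and the order of precedence when several parameters appear together is an assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Stand-in for "the primary authorization associated with the IP address".
PRIMARY = "<primary authorization for caller's IP>"

def describe_access_url(url):
    """Report which authorization each check uses for one access URL."""
    parts = urlsplit(url)
    # parse_qs drops blank values, so "autho=" counts as not noted.
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    autho, ipautho, ncipautho = q.get("autho"), q.get("ipautho"), q.get("ncipautho")
    service = parts.path.strip("/")
    if service == "FSNCIP":
        # Only NCIP is used, and an authorization is required in the URL.
        ncip = ncipautho or autho
        if not ncip:
            raise ValueError("FSNCIP needs ncipautho= or autho= in the URL")
        return {"mode": "NCIP only", "ip_autho": None, "ncip_autho": ncip}
    if service == "FSIP":
        # IP side: a noted authorization, else the primary one for the IP.
        ip = ipautho or autho or PRIMARY
        # NCIP side: ncipautho when given, else the authorization used for IP
        # (precedence when several parameters appear is an assumption).
        ncip = ncipautho or ip
        return {"mode": "IP and/or NCIP", "ip_autho": ip, "ncip_autho": ncip}
    raise ValueError(f"unrecognized access path: {parts.path!r}")

def usable_when_both_required(url):
    """For the 'both IP and NCIP must succeed' setting: True or False when the
    URL alone settles whether the two authorizations match, else None."""
    d = describe_access_url(url)
    if d["ip_autho"] is None:
        return None  # FSNCIP: the page does not describe this combination
    if d["ip_autho"] == d["ncip_autho"]:
        return True
    if PRIMARY in (d["ip_autho"], d["ncip_autho"]):
        return None  # depends on the primary authorization for the IP
    return False

if __name__ == "__main__":
    base = "http://fs.example.org:8080"  # constructed host and port
    for path in ("/FSNCIP?autho=100", "/FSIP", "/FSIP?autho=100",
                 "/FSIP?ncipautho=200", "/FSIP?ipautho=100&ncipautho=200"):
        print(path, describe_access_url(base + path),
              usable_when_both_required(base + path))
```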

Terms

toAgencyId

The term Agency refers to an institution, or to an agent operating on its behalf. Agencies are represented in NCIP messages by the parameters displayed in the toAgencyId and fromAgencyId fields.

The toAgencyId field is automatically assigned by OCLC to indicate the target institution (scheme) and its FirstSearch authorization (value).

Libraries should check with their local system vendor because they may need to enter the toAgencyId somewhere in their local system in order for NCIP messaging to be successful.

fromAgencyId

The term Agency refers to an institution, or to an agent operating on its behalf. Agencies are represented in NCIP messages by the parameters displayed in the toAgencyId and fromAgencyId fields.

The fromAgencyId field is automatically assigned by OCLC to indicate the specific context in which OCLC is sending the message.

Libraries should check with their local system vendor because they may need to enter the fromAgencyId somewhere in their local system in order for NCIP messaging to be successful.