
What is LibAuth?


LibAuth allows you to securely integrate your institution's authentication system with LibApps. LibAuth is a standard part of Springshare's tools i.e. it's not a separate product you need to purchase - if you license LibCal, LibAnswers, LibGuides etc. - you have LibAuth, too! This not only provides library staff with an additional option for logging into LibApps, but it also allows you to require patron authentication in your Springy tools.

To use LibAuth, you can create one or more configurations that connect to your institution's authentication platform(s) using one of the following protocols:

  • SAML (including Shibboleth, ADFS, Okta, and OpenAthens), with quick-setup options for InCommon and UK Federation members
  • CAS
  • LDAP
  • OAuth 2
  • SIP2
  • SirsiDynix Symphony
  • Innovative Polaris
  • Your own self-hosted configuration (as long as it can return a text or JSON response)

Several Springy apps support using LibAuth for patron or staff authentication, including:

  • LibAnswers: require patrons to authenticate before submitting questions to a queue's question form, before starting a chat, and/or to restrict access to your site's public pages (for the entire site or a specific FAQ group).
  • LibCal: require patrons to authenticate before registering for calendar events, scheduling appointments, and/or booking your spaces & equipment.
  • LibGuides CMS: restrict access to a guide, group, or your entire site to authenticated users only.
  • LibGuides E-Reserves: require patrons to authenticate before viewing content for a specific course, restrict access to your entire e-reserves system to authenticated users only.
  • LibApps: allow users to log into LibApps using your institution's authentication system. This will give users a choice to use your SSO or their existing LibApps username and password.
  • LibWizard Full: restrict access to a form, survey, quiz, or tutorial to authenticated users only. You can also choose to automatically populate Name and Email fields with a user's First Name, Last Name, and Email attributes, saving the user time when requesting their contact information.

When you want to use LibAuth with one of the above apps, you'll select the configuration that you want to use. Users will then be prompted to authenticate using that configuration's protocol: if they authenticate successfully, they'll be able to proceed; otherwise, their access will be denied.

Certain configuration types, including SAML, CAS, and OAuth 2, support the use of group permissions. These are optional rules that certain Springy apps can use to restrict access to specific users or groups of users.

Your mileage may vary: we understand that everyone's authentication system may be set up differently than what's considered standard. Because we can't anticipate all of the possible setup variations, your mileage may vary from what's covered in these guides. Please work closely with your IT staff and don't hesitate to contact Springy Support if you need any help!

Getting started

This springboard is intended for LibApps Admin users who are interested in setting up LibAuth for the first time or managing their existing LibAuth configurations. You'll learn more about adding and configuring each supported authentication system, as well as how to use your LibAuth configurations throughout LibApps.

What is LibApps?

LibApps is the Springshare platform - the central hub that connects you to all other applications: LibGuides, LibAnswers, LibCal, LibInsight, LibStaffer, LibWizard, and LibCRM. You do not buy or license LibApps - you get it as a container when you license any individual Springshare tool(s) - LibGuides, LibCal, LibAnswers, etc.

Where is the LibApps dashboard?

The LibApps dashboard is the hub of all of your Springy apps. From there, you can:

  1. Access quick links to each of your apps: the My LibApps box lets you see which apps your account has access to, with links to both the admin and public interfaces for each.
  2. See a list of your LibApps admins: these are the people who can manage things like accounts, LibAuth, domain names & certificates, and the LTI Tool.
  3. Update your LibApps user account info: this includes things like your name, email address, and password.
  4. Update your profile information: this includes things like your profile photo, public contact info, widgets, and other info contained in your LibGuides profile box and page.
  5. Manage your Image Manager libraries: you can add, manage, and remove images from your personal and (if you're an admin) Shared Image manager libraries.
  6. LibApps Admin settings: if you are a LibApps Admin, you will see the Admin dropdown where you can manage things like accounts, LibAuth, domain names & certificates, and the LTI Tool.

When you're signed into the admin interface of any Springy app (such as LibCal or LibGuides), the blue Spring To button in the orange navigation bar will let you know which app you're currently using. For example, if you're signed into LibGuides, the button will read LibGuides. When you click this button, you can quickly switch between any app you have access to. You can also use it to access your LibApps dashboard -- here's how:

  1. Click on the blue Spring To button.
  2. Select LibApps from the dropdown menu.


What is a LibApps admin?

If you're a LibApps admin for your institution, you can access the following options from the Admin menu:

  • Manage your LibApps customer record: this includes info such as your institution name and time zone. It's also where you can find your Customer ID number if you ever need it.
  • Manage your domain names and certificates: this includes creating and editing custom domain names, as well as enabling HTTPS support for your Springy apps.
  • Manage all LibApps user accounts: when you add a new account to another app, such as LibGuides, a LibApps user account will be created for that user. All users who can access one or more of your Springy apps will be listed here. As an admin, you have the ability to modify any user's name, email address, and password. You can also elevate other users to be LibApps admins (permissions for each app, such as LibGuides, are managed within that app's settings).
  • Manage your LibApps patron accounts: you can import and manage all patron user accounts (which allow patrons to do things like comment on blog and discussion board posts in LibGuides). This is also where you can allow patrons to self-register for accounts.
  • Manage LibAuth authentication: you can connect your institution's authentication system to LibAuth, allowing you to require authentication for things like accessing E-Reserves or submitting LibCal Space bookings.
  • Manage LibApps search sources: you can add, edit, or remove search sources available on your LibGuides and LibAnswers search results pages. You can also adjust the relevancy weighting for your search results, as well.
  • Manage social channels integration: you can connect your Facebook, Twitter, or Pinterest accounts to LibApps and use them to share new content (such as guides or blog posts) on social media, or receive and reply to messages and tweets within LibAnswers.
  • Manage the LibApps LTI Tool: if you have LibGuides CMS, you can use the LibApps LTI Tool to integrate your LibGuides content in your LMS (such as Canvas, Blackboard, and Moodle).

Am I a LibApps admin?

If you are an Admin-level user in LibCal, LibGuides, or another Springy app, you may not necessarily be an Admin for your LibApps settings. That's because permissions are managed independently in each. To check if you are a LibApps admin:

  1. When viewing the LibApps dashboard, your name will be listed in the My LibApps box.
  2. You will also see the Admin menu in the command bar on the LibApps dashboard, as well.


What if nobody is listed as an admin, or our admin left?

  • If your system currently lacks an admin: please contact Springy Support and we can assign new admins to your system.
  • If your system currently has an admin, but you just want to add additional admins: please contact your current admin and they can assign admin permissions to more users via Admin > Manage Accounts.

Accessing your LibAuth settings

LibApps Admin users can add and manage new configurations by going to LibApps > Admin > LibAuth Authentication.


SAML, Shibboleth, & ADFS configurations

Security Assertion Markup Language (SAML), Shibboleth, & Active Directory Federation Service (ADFS) are by far the easiest configurations to set up and maintain, especially if you belong to a federation such as InCommon or the UK Federation (of which Springshare is a member). These systems also support the use of group permissions for fine-tuning your authentication (i.e. restricting access to specific types of users, such as students or faculty).

  • Do you belong to InCommon or UK Federation? If so, you can take advantage of our express setup -- when prompted, all you need to do is select your institution from the member list.
  • If your site does not automatically add InCommon service providers, your IT staff must add Springshare as an authorized service provider using the appropriate Entity ID for your region. (You will find a link to the Entity ID at the top of the Configuration tab in your SAML configuration's settings.)
  • If you are using SAML via Okta to log into LibApps, please note that LibApps cannot read cookies written by Okta. As a result, LibApps would not know whether or not a user was already logged in (i.e. users will still need to click the link to your LibAuth configuration on your LibApps login page).
  • If you are using OpenAthens, it is possible to set it up manually using SAML. However, please note that Springshare is unable to provide support for OpenAthens configurations.

CAS configurations

Similar to SAML, Central Authentication Service (CAS) is a cinch to set up and also supports the use of groups. LibAuth currently supports the CAS 2.0 and 3.0 protocols. When setting up your configuration, LibAuth will give you the appropriate provider URL for your region. Before you can begin using your CAS configuration, your IT staff must add Springshare as an authorized service provider using this URL.


LDAP configurations

Although Lightweight Directory Access Protocol (LDAP) is supported, it's far more complicated to set up compared to SAML, Shibboleth, ADFS, or CAS. If your institution has those services available, we recommend using them instead. Please note that, unlike SAML and CAS, group permissions are not supported with this method.

Before you can begin using LDAP, your IT staff must make sure that your LDAP server port (typically 389, 636, or 3269) is open to our server's IP address for your region (which you can find under the Configuration tab of your LDAP configuration settings).

When configured, users will be taken to a LibAuth login form to authenticate via your LDAP system. You will be able to customize parts of this page in your configuration's settings.


SIP2 configurations

If your ILS supports Standard Interchange Protocol v2 (SIP2), you can use this to allow patrons to sign in using their library cards and PINs. Group permissions are also supported with this method.

Before you can begin using SIP2, your IT staff must make sure that your SIP2 port (usually 6000, 6001, or 6002 depending upon your ILS) is open to our server's IP address for your region (which you can find under the Configuration tab of your SIP2 configuration settings).

When configured, users will be taken to a LibAuth login form to authenticate via your SIP2 system. You will be able to customize parts of this page in your configuration's settings.


Self-hosted configurations

Have you created your own custom authentication system? We can support that, too! Because these self-hosted systems are inherently customized, though, it may be more complicated to add these to LibAuth than CAS, SAML, or SIP2. Please note that, unlike SAML and CAS, group permissions are not supported with this method.

Before you can begin using your self-hosted configuration, check with your IT staff to ensure that your firewall allows access to the LibAuth server's IP address for your region (which you can find under the Configuration tab of your self-hosted configuration settings). In addition, your system will need to return a response in either JSON (recommended) or Text format.

When configured, users will be taken to a LibAuth login form to authenticate via your self-hosted system. You will be able to customize parts of this page in your configuration's settings.


SirsiDynix Symphony configurations

If the Symphony Web Services API is enabled for your SirsiDynix Symphony system, you can use it to authenticate via LibAuth (please consult Symphony documentation or support to enable the Web Services API in your instance of Symphony). Please note that, unlike SAML and CAS, group permissions are not supported with this method.

Before you begin using your Symphony configuration, you will need to obtain the URL for your Symphony API and your Symphony Client Identifier.

When configured, users will be taken to a LibAuth login form to authenticate via your Symphony system. You will be able to customize parts of this page in your configuration's settings.


Innovative Polaris configurations

If the Polaris Web Services API is enabled for your Innovative Polaris system, you can use it to authenticate via LibAuth (please consult Innovative Interfaces documentation or support to enable the Web Services API in your instance of Polaris). Please note that, unlike SAML and CAS, group permissions are not supported with this method.

Before you begin using your Polaris configuration, you will need to obtain the domain name, access ID, and access key for your Polaris system. If you want to limit the patron lookup to a specific branch or library, you will also need its organizational ID.

When configured, users will be taken to a LibAuth login form to authenticate via your Polaris system. You will be able to customize parts of this page in your configuration's settings.


OAuth 2 configurations

LibAuth supports authentication via an OAuth 2 application. Similar to SAML and CAS configurations, OAuth 2 configurations also support the use of group permission rules.

Before you begin using your OAuth 2 configuration, please note that LibAuth supports the Access Code grant type for user logins. In addition, you will need to use the provided redirect URL for your region when setting up your OAuth 2 application. You can find the redirect URL under the Configuration tab of your OAuth 2 configuration settings.


Restricting access to a group or subset of users

With group permissions, you can further restrict access to only certain groups of users. This works by defining an attribute for LibAuth to check and providing a list of allowed values. Here are some examples:

  • Restrict to a specific type of user: for example, if you have an attribute called "type", you could tell LibAuth to only allow users with a type of "faculty"
  • Restrict users in a specific department (such as the library): similar to the above, perhaps you have an attribute called "department". You could tell LibAuth to only allow users with a department of "library".
  • Restrict to specific users by ID or email: if you want to allow access to a specific set of users, but they don't belong to a subgroup in your SSO, you can tell LibAuth to only allow users with a specific ID, email address, or similar identifier. This can be done by:
    • Uploading a CSV file of allowed values
    • Providing a URL to a hosted CSV file (recommended if you update this regularly)

You can currently create group permissions for the following authentication types:

Each group you create can check one or more attributes from your authentication system. If a user meets one of the allowed values, then authentication will be successful.

With the above configuration types, you can also use group permissions with the LibApps Login feature. This would allow only certain groups to use LibAuth to log into their LibApps accounts.
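
The group check described above, as an added example (a model written for this page, not Springshare's code): a group checks one or more attributes, and a user is allowed when any checked attribute holds one of its allowed values. The attribute names, sample users, CSV contents, and the case-insensitive, whitespace-trimmed comparison are assumptions; use it to see which released attributes would admit a user before asking IT to release them.

```python
import csv
import io


def load_allowed_values(csv_text):
    """Read allowed values from CSV text: first column of each row, blanks skipped."""
    values = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if row and row[0].strip():
            # Assumption: values are compared trimmed and case-insensitively.
            values.add(row[0].strip().casefold())
    return values


def _as_values(raw):
    """An identity provider may release an attribute as one string or as a list."""
    if raw is None:
        return []
    if isinstance(raw, str):
        return [raw]
    return list(raw)


def group_allows(rules, attributes):
    """rules maps attribute name -> set of allowed values.

    Returns True as soon as any checked attribute carries an allowed value.
    A missing attribute never matches, so an unreleased attribute denies access.
    """
    for name, allowed in rules.items():
        for value in _as_values(attributes.get(name)):
            if value.strip().casefold() in allowed:
                return True
    return False


# Constructed sample data (not from a real system).
ALLOWED_EMAILS_CSV = "alice@example.edu\n bob@example.edu \n\n"

RULES = {
    "type": {"faculty"},
    "department": {"library"},
    "email": load_allowed_values(ALLOWED_EMAILS_CSV),
}

USERS = {
    "faculty_history": {"type": "Faculty", "department": "history"},
    "student_library": {"type": "student", "department": "Library"},
    "student_on_list": {"type": "student", "email": "Bob@Example.edu"},
    "student_other": {"type": ["student", "employee"], "department": "history",
                      "email": "carol@example.edu"},
    "nothing_released": {},
}


def evaluate_samples():
    """Evaluate every sample user against RULES and return name -> allowed."""
    return {name: group_allows(RULES, attrs) for name, attrs in USERS.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Because any one match is enough, adding an attribute to a group widens access rather than narrowing it: the student in the library department is admitted even though the "type" check fails.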


Using LibAuth in your Springy tools

Once you've created and tested your LibAuth configuration, you can begin using it throughout your Springy tools. Below you'll find more info about where LibAuth integrations are available and how to use them.

LibApps

For most configuration types, you have the option of using LibAuth to log into your LibApps system. This option can be enabled directly in your LibAuth configuration's settings. For the login functionality to work:

  • You must release the correct email attribute to LibAuth from your authentication system.
  • Users must have a LibApps account in the system using the same email address that is being returned by the email attribute.

If a person's email addresses do not match, they can always update their LibApps account's email address on the My Account page. LibApps admins also have the ability to update email addresses from Admin > Manage Accounts (this has to be done via the LibApps dashboard -- not from each individual app).

When enabled for a configuration, you can then choose whether to require users to log into LibApps via your LibAuth configuration, or simply provide it as an alternative option on the LibApps login page (which is the default behavior).

LibAnswers

If you have LibAnswers, you can add a LibAuth configuration to your site. This can be used to limit submissions to the question forms for your queues, require a user to authenticate before initiating a new chat with a LibChat widget, or restrict access to the public pages of your FAQ groups. If you are using a SAML/Shibboleth/ADFS or CAS configuration, you can also apply any of your LibAuth group permissions to a configuration in LibAnswers to further restrict access (i.e. a staff-only FAQ group or a chat widget intended only for graduate-level students).

  • Question forms: you can require authentication for all submissions made to a queue's question form. When enabled in the general settings for a queue's question form, all users will be required to authenticate with LibAuth before they're able to submit a question.
  • Chat widgets: for any chat widgets added to your site, LibAuth can be enabled to require a user to authenticate before initiating the chat session. Authentication is controlled at the individual chat widget level (via the widget builder), allowing you to have widgets that require authentication and widgets open to anyone.
  • FAQ groups: for each FAQ group, including your default group (aka your LibAnswers home page), a LibAuth authentication rule can be put in place to require users to login before accessing your FAQ Group's public pages.

LibCal

You can require patron authentication in various parts of LibCal, giving you the peace of mind that only valid patrons are able to use your services. It also helps ensure that you are recording accurate patron information, as well. If you use SAML, Shibboleth, ADFS, or CAS, you can also use groups to further restrict access to certain spaces, equipment, etc.

LibGuides

If you have LibGuides CMS, you can add LibAuth access rules to your system. These can be used to restrict access to individual guides, groups, or your entire site. This will require users to authenticate before accessing the restricted content. If you are using a SAML/Shibboleth/ADFS or CAS configuration, you can also apply any of your LibAuth group permissions to an access rule to further restrict access (i.e. a staff-only guide or group).

If you subscribe to the E-Reserves module, you can also require patron user authentication for viewing E-Reserves course content. You can apply this as a system-wide default, or simply enable LibAuth for individual courses. If supported by your type of LibAuth configuration, you can even use group permissions to restrict access to certain courses to only certain groups of users.

LibWizard

If your library subscribes to the Full version of LibWizard (Forms & Surveys + Quizzes & Tutorials), your Admin can enable LibAuth authentication for your LibWizard system. This gives you the option of requiring users to authenticate via your institution's authentication system (which is connected to LibAuth) before they can view and submit your public forms, surveys, quizzes, and tutorials. If a user is unable to authenticate, then they will be denied access. If your LibAuth configuration supports it, you can also further restrict access by applying a group permission rule.

You can also use the LibAuth integration to automatically fill out a Name field and Email field in your form, survey, quiz, or tutorial. When a user authenticates, their email address and (optionally) first & last names will be passed to LibAuth from your institution's authentication system. If you choose to enable this option, LibAuth will insert those values in a designated Name and Email field. This can both save the user time when filling out a form that requests contact information, while also helping you ensure that the info you're receiving is accurate.

If your library doesn't subscribe to the Full version of LibWizard, contact our Springy Sales Team to learn how you can upgrade.