Page 213 - Building Digital Libraries
CHAPTER 8
for a small number of regular users because of the administrative overhead
it entails for repository managers and users who have to keep track of yet
another account. In addition to administrative concerns, best security
practice is to avoid storing any information about staff and users that isn’t
absolutely essential.
Even if your organization supports SSO or another convenient form of
authentication, you may need to create internal accounts that are associated
with user names from those other systems. For example, if the group
attributes in your organization’s Shibboleth or LDAP services don’t
correspond with your access control needs, the group attributes need to be
defined in the local system and associated with local user names, which in
turn are authenticated by Shibboleth, LDAP, or some other service.
IP-Based Authentication
Many systems support IP authentication, and even those that don’t can often
be made to do so via web server configuration. IP authentication is easy to
implement, but it presents the following challenges:
• IP addresses are associated with computers (or whole networks)
rather than with individuals.
• The IP address assigned to a computer is subject to change, for
example when a DHCP lease expires or a laptop moves to another
network.
• IP authentication fails when users or staff connect from an
unexpected address, such as from home or a mobile network. This
can be mitigated with a proxy server that users log into, but then
every request arriving through the proxy carries the proxy’s
address, so the repository can no longer tell those users apart.
• On a related note, firewalls and Network Address Translation
(NAT) present many computers to the outside world as a single
address, so any permission granted to that address is granted to
everyone behind it, whether or not they should all have the same
permissions.
• When the check runs behind a reverse proxy or load balancer, the
server sees the proxy’s address rather than the client’s. Only
consult a forwarded-address header such as X-Forwarded-For when it
was written by your own proxy; a client can set that header to any
value it likes.
• IP authentication is a rough tool that is normally used to control
access to entire areas of a system rather than provide more
fine-grained permissions.
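The following is an added illustration of the proxy and NAT problems above; it is example code written for this discussion, not code from the book or from any particular repository product. It assumes a constructed configuration (an allowlisted campus network and one trusted reverse proxy, all drawn from the RFC 5737 documentation ranges) and shows why a forwarded-address header must be ignored unless your own proxy wrote it.

```python
import ipaddress

# Constructed sample configuration (not from the book): the campus network
# permitted to use the repository, and the reverse proxy whose
# X-Forwarded-For header we are willing to trust. Documentation ranges only.
ALLOWED_NETWORKS = ["192.0.2.0/24"]
TRUSTED_PROXIES = ["198.51.100.10"]


def _networks(cidrs):
    """Parse CIDR strings; a bare address becomes a /32 (or /128) network."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def effective_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Return the address that IP-based authentication should check.

    The TCP peer address is the only value the server can rely on. The
    X-Forwarded-For header is honoured only when that peer is one of our own
    proxies; the chain is then walked right to left, skipping trusted proxies,
    and the first address that is not a trusted proxy is taken as the client.
    Anything a client typed into the header itself is therefore never used.
    """
    peer = ipaddress.ip_address(remote_addr)
    trusted = _networks(trusted_proxies)
    if not _in_any(peer, trusted) or not x_forwarded_for:
        return peer
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed hop: fall back to the peer rather than guess
        if not _in_any(addr, trusted):
            return addr
    return peer  # every hop was one of our proxies; treat it as the proxy itself


def ip_authenticated(remote_addr, x_forwarded_for=None,
                     allowed_networks=ALLOWED_NETWORKS,
                     trusted_proxies=TRUSTED_PROXIES):
    """True if the effective client address lies inside an allowed network."""
    client = effective_client_ip(remote_addr, x_forwarded_for, trusted_proxies)
    return _in_any(client, _networks(allowed_networks))


def demo():
    """Constructed requests illustrating the challenges listed above."""
    return {
        # A campus workstation connecting directly: allowed.
        "campus direct": ip_authenticated("192.0.2.15"),
        # An off-campus client forging X-Forwarded-For on a direct connection:
        # the peer is not a trusted proxy, so the header is ignored and the
        # request is denied.
        "spoofed header, direct": ip_authenticated("203.0.113.7", "192.0.2.15"),
        # A campus client arriving through our proxy, which appended the real
        # address: allowed.
        "campus via proxy": ip_authenticated("198.51.100.10", "192.0.2.15"),
        # An off-campus client forging the header and then passing through our
        # proxy: the proxy appends the real peer (203.0.113.7) as the rightmost
        # hop, so the forged entry is never reached and the request is denied.
        "spoofed header via proxy": ip_authenticated(
            "198.51.100.10", "192.0.2.15, 203.0.113.7"),
        # NAT: everyone behind 203.0.113.7 receives the same decision, because
        # the server only ever sees the one shared address.
        "shared NAT address": ip_authenticated("203.0.113.7"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:26s} -> {'allow' if allowed else 'deny'}")
```

In a real deployment the same logic is usually provided by the web server (for example a trusted-proxy or "real IP" directive) rather than written by hand; the point is that the header is only meaningful once the immediately connecting address has been verified as your own proxy.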
Vended Authentication
A variety of vended authentication options are available that support
individual or multiple methods outlined above, as well as others. Commercial
services can allow libraries to support multiple authentication methods with
much lower overhead and expertise. Some libraries may be able to
authenticate repository use by leveraging products they’ve already purchased
for other purposes, such as proxying. Before assuming that this is a viable
option, make sure your organization’s policies and security practices permit
connecting local and vended services and exposing user data to the vendor.
198