Ex Libris Identity Service

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

The Ex Libris Identity Service is based on a dedicated identity management solution. This service replaces the internal authentication method previously used Alma customers. All passwords for internal Alma users are stored in the Ex Libris Identity Service, which is hosted by Ex Libris in its data centers. For more information on this service, see https://developers.exlibrisgroup.com/alma/integrations/user-management/authentication/exl_identity_service.

The following password considerations are applicable with the Ex Libris Identity Service:

The password strength cannot be configured.
The password does not have an expiry date.
The password locks for 30 minutes after 15 unsuccessful login attempts.
When a staff user enters a wrong user and password combination on the Alma login page, the error message includes a Forgot password? link, which links to the reset password page. In order to display a Forgot Password option in Primo/PrimoVE, a configuration update is required. For more information, see the knowledge article, How to add a 'Forgot My Password' link to the login page in the new UI when using Alma for authentication.

Identity service labels can be configured in the Internal Login Messages code table. See Configuring Identity Service Labels.

For Alma users, a Reset Password Letter is sent to an individual user by selecting the Reset your password for the identity service option in the Send message drop-down list on the User Details page. The letter is sent to a group of users by running the Update/Notify Users job and selecting the Identity Service mail option in the Send notification to user drop-down list on the job parameters page.

The new password must be at least eight characters long and cannot include the user name or any commonly used password.
When the Reset Password letter is sent by the Update/Notify Users job or from the Send Message drop-down list, the link is active for twenty-four hours. When the letter is sent from the Forgot Password? link, it is active for one hour.
In the Reset Password screen, users are asked to enter their user names or email addresses. If users enter their user names, emails are sent to the users' preferred addresses. If users type in email addresses, the system searches for the specified email addresses and if they are located, uses these email addresses even if they aren't the preferred addresses. If an email address is not located or belongs to more than one user, no email is sent.

For more information on logging into Alma, see Logging Into and Out of the User Interface.

Multi Factor Authentication (MFA)

This feature requires the mfa_for_alma_hep parameter to be enabled (see User Settings).

It is possible to configure Alma to recommend (or enforce) the use of multi-factor authentication (MFA).

Recommending MFA

This requires the mfa_for_alma_hep parameter to be set to "suggest" (see User Settings).

To Recommend MFA:

When logging in for the first time after setting the mfa_for_alma_hep parameter to "suggest", the user is prompted with the regular username and password.
After logging in, a message appears recommending that the user enable multi-factor authentication.
The user can ignore the message or cancel it using the X button, or they can select Enable.
If the user selects Enable, a message prompts the user to Ignore or Confirm. This message includes the user email address/es to which the login link will be sent.
If the user selects Confirm, the next time they login, a login link is sent to their email/s and a message appears letting them know that the link was sent.

If the user selects Ignore, the MFA recommendation message will be displayed each time the user logs in.
The message will appear each time the user logs in (after validating their username and password).
(New for May) The link is active for 10 minutes. Activating the link directs the user to the product home page. (New for May) Note that the link is usable only in the same browser from which the login flow started.
Users can also enable/disable MFA from the User Management Information page at Admin > Manage Users > Staff > User Management Information.

The Enable Multi-factor authentication checkbox.

Forcing MFA

This requires the mfa_for_alma_hep parameter to be set to "force" (see User Settings).

To Force MFA:

After setting the mfa_for_alma_hep parameter to "force", all users will be required to authenticate with MFA.
When logging in, users will be prompted with the regular username and password authentication.
A link will be sent to the user's email before entering the product (from the login page), and a message will appear.
(New for May) The link is active for 10 minutes. Activating the link directs the users to their product home page. (New for May) Note that the link is usable only in the same browser from which the login flow started.

With the mfa_for_alma_hep parameter set to "force", there is no way to turn off the MFA flow for a specific user.