Skip to main content
ExLibris
  • Subscribe by RSS
    • Back
    Alma
    Ex Libris Knowledge Center

    Ex Libris Identity Service

    1. Last updated
    2. Save as PDF
    Translatable
    The Ex Libris Identity Service is based on a dedicated identity management solution. This service replaces the internal authentication method previously used Alma customers. All passwords for internal Alma users are stored in the Ex Libris Identity Service, which is hosted by Ex Libris in its data centers. For more information on this service, see https://developers.exlibrisgroup.com/alma/integrations/user-management/authentication/exl_identity_service.

    The following password considerations are applicable with the Ex Libris Identity Service:

    • The password strength cannot be configured.
    • The password does not have an expiry date.
    • The password locks for 30 minutes after 15 unsuccessful login attempts.
    • When a staff user enters a wrong user and password combination on the Alma login page, the error message includes a Forgot password? link, which links to the reset password page. In order to display a Forgot Password option in Primo/PrimoVE, a configuration update is required. For more information, see the knowledge article, How to add a 'Forgot My Password' link to the login page in the new UI when using Alma for authentication

    Identity service labels can be configured in the Internal Login Messages code table. See Configuring Identity Service Labels.

    For Alma users, a Reset Password Letter is sent to an individual user by selecting the Reset your password for the identity service option in the Send message drop-down list on the User Details page. The letter is sent to a group of users by running the Update/Notify Users job and selecting the Identity Service mail option in the Send notification to user drop-down list on the job parameters page.

    • The new password must be at least eight characters long and cannot include the user name or any commonly used password.
    • When the Reset Password letter is sent by the Update/Notify Users job or from the Send Message drop-down list, the link is active for twenty-four hours. When the letter is sent from the Forgot Password? link, it is active for one hour. 
    • In the Reset Password screen, users are asked to enter their user names or email addresses. If users enter their user names, emails are sent to the users' preferred addresses. If users type in email addresses, the system searches for the specified email addresses and if they are located, uses these email addresses even if they aren't the preferred addresses. If an email address is not located or belongs to more than one user, no email is sent.

    For more information on logging into Alma, see Logging Into and Out of the User Interface

    Multi Factor Authentication (MFA) (New for August)

    This feature requires the mfa_for_alma_hep parameter to be enabled (see User Settings).

    It is possible to configure Alma to recommend (or enforce) the use of multi-factor authentication (MFA).

    Recommending MFA

    This requires the mfa_for_alma_hep parameter to be set to "suggest" (see User Settings).

    To Recommend MFA:
    1. When logging in for the first time after setting the mfa_for_alma_hep parameter to "suggest", the user is prompted with the regular username and password. 
    2. After logging in, a message appears recommending that the user enables multi factor authentication. 

      The Highly Recommend MFA message.
    3. The user can ignore the message or cancel it using the X button, or they can select Enable.
    4. If the user selects Enable, a message appears prompting the user to Ignore or Confirm. This message includes the user email address/es to which the login link will be sent.

      The Ignore or Confirm message for MFA.
       
    5. If the user selects Confirm, the next time they login, a login link is sent to their email/s and a message appears letting them know that the link was sent. 

      The Link sent to email message.

      If the user selects Ignore, the MFA recommendation message will keep displaying each time the user logs in.
       
    6. The message will appear from now on, each time the user logs in (after validating their user name and password).
      The link is active for one hour. Activating the link directs the user to the product home page.
    7. The user can also enable/disable MFA from the User Management Information page at Admin > Manage Users > Staff > User Management Information.

    The Enable Multi-factor authentication checkbox.

    Forcing MFA

    This requires the mfa_for_alma_hep parameter to be set to "force" (see User Settings).

    To Force MFA:
    1. After setting the mfa_for_alma_hep parameter to "force", all users will be required to authenticate with MFA.
    2. When logging in, the users will be prompted with the regular username and password authentication.
    3. Before entering the product (from the login page), a link will be sent to the user's email and a message appears.

      The Link sent to email message.
    4. The link is active for one hour. Activating the link directs the users to their product home page.

    With the mfa_for_alma_hep parameter set to "force", there is no way to turn-off the MFA flow for all a specific user.

     

    1. Back to top
    • Was this article helpful?

    Recommended articles

    1. Article type
      Topic
      Content Type
      Documentation
      Language
      English
      Product
      Alma
    2. Tags
      This page has no tags.