
    The Primo Authentication Manager

    If you are working with Primo VE and not Primo, see Configuring User Authentication for Primo VE.

    The Primo Authentication Manager supports the authentication of users using SAML, LDAP, and Alma. Login profiles allow you to configure the authentication stages separately so that you can specify different systems for each. The following features are available with the Primo Authentication Manager:
    • Login Profile – Each login profile includes the definitions for both user authentication and user information so that you can define user authentication with one system and fetch user information from another system. For example, you can configure the profile to authenticate users with SAML (such as Shibboleth) and fetch user information from Alma.
    • Parallel Login – Defines two login profiles for different groups within an institution. For example, if students and staff authenticate using Shibboleth (SAML) and temporary library users that are registered in Alma authenticate using Alma, you can define two profiles: one for SAML and another for Alma. The Primo sign-in page will display both sign-in options.
    • Cascading Login – You can configure multiple login profiles that are assigned an order of precedence. This allows you to attempt authentication with the profile with the highest precedence and then attempt authentication with the login profile with the next highest precedence if authentication was unsuccessful. Cascading logins are possible only when Primo interfaces directly with the authentication system and the login page is a Primo page, which is provided with LDAP and Alma authentication only.

    Defining Login Profiles (User Authentication and User Information)

    Login profiles include the definition of user authentication and user information using the supported authentication systems: SAML, LDAP, or Alma.
    The User Authentication Wizard Page includes the following elements:
    • Owner drop-down list – For on-premises Primo installations, you can create login profiles at the installation level as well as the institution level. Login profiles are generally defined at the institution level. If an institution does not have its own profile, it will inherit the profile that is defined at the installation level.
    • Active Login Profiles – You can activate up to five parallel logins: a main profile and up to four additional parallel profiles.
    • Profiles List – The list of login profiles that you have created. For each profile, the list displays the profile name, the authentication method, and the user information method. You cannot delete profiles that have been activated in the Active Login Profiles section.
    • Create a New Login Profile – This option allows you to create a new login profile.
    To define a login profile:
    1. Open the Login Profiles page (Primo Home > Ongoing Configuration Wizards > User Authentication Wizard).
      Login Profiles Page
    2. For on-premises installations only, if you have installation-level permissions, select Installation or a specific institution from the Owner drop-down list.
      For institution-level staff users, your institution is selected automatically.
    3. In the Create a New Login Profile section, specify a profile name and then click the Create button.
      The Login Profiles configuration page opens.
      Login Profiles - Select Authentication Method
    4. From the Select the Authentication Method drop-down list, select the authentication method (SAML, LDAP, or Alma).
      The method-specific fields appear on the page. For example, the following fields appear for LDAP profiles.
      Login Profiles - LDAP User Authentication
    5. Fill in the method-specific fields for the user authentication stage. For more information, see the following sections:
    6. From the Select User Information Method drop-down list, select the user information method (SAML, LDAP, or Alma).
    7. Click Save and then re-edit the login profile to configure attribute mapping.
      The Attribute Mapping button appears on the Login Profiles configuration page.
      Attribute Mapping Button Added
    8. Click the Attribute Mapping button to configure how the user attributes are mapped from the user information system to Primo. For more information, see Attribute Mapping.
    9. Click Save to return to the Login Profiles page.
    10. If you want to activate the profile, define it as one of the Active Profiles under the Active Login Profiles section.
    11. Deploy the User Authentication Configuration option on the Deploy all page.

    Defining Parallel Login Profiles

    If you have user groups that require different authentication methods (or if you want to provide users with alternative methods of user authentication), you can select one authentication method from the Main Profile drop-down list and up to four additional authentication methods from the remaining drop-down lists in the Active Login Profiles section. If more than one profile is activated, Primo will display a Parallel Links page in the Front End UI, which allows end users to select an authentication method.
    Parallel Login Profiles

    Defining Cascading Profiles

    Cascading profiles allow you to authenticate users with a series of authentication methods (LDAP and Alma only) if an authentication attempt is rejected by a system. Subsequent authentication attempts are performed automatically using the next login profile defined in the cascading profile.
    To create a cascading profile:
    1. Add a profile for each type of authentication method that you want to cascade. The following authentication methods are supported: Alma and LDAP.
      After you have defined at least two login profiles of the supported authentication methods, the Create a New Cascading Profile drop-down list will appear.
      Login Profiles - Creating a New Cascading Profile
    2. Enter a name for the cascading profile in the Create a New Cascading Profile field and click Create.
      The Create Cascading Profile page opens.
      Create Cascading Profile - Select First Profile
    3. Select the first login profile to use for authentication from the Profile #1 drop-down list.
      The system displays the next Profile drop-down list.
      Create Cascading Profile - Select Next Profile
    4. Select the next login profile to use for authentication from the Profile #2 drop-down list.
      The system displays the Profile #3 drop-down list.
    5. If necessary, select the next login profile to use for authentication from the next Profile drop-down list.
    6. Click Save to save your cascading profile.
      The new cascading profile appears in the list of login profiles.
      New Cascading Profile Added
    7. In the Active Login Profiles section, select the new cascading profile from the relevant Profile drop-down list.
    8. Click Save.
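
The cascade behavior described in this section, modeled as an added Python example (not Ex Libris code and not a Primo API): it rejects a cascade that contains a SAML profile and tries the remaining profiles in order of precedence, recording each attempt. The profile names, accounts, and the `backend` stand-in are constructed for illustration, and returning the accepting profile so the caller knows which user information method applies is an assumption.

```python
from dataclasses import dataclass
from typing import Callable

# Cascading needs a Primo-hosted login page, which exists for LDAP and Alma only.
CASCADE_METHODS = {"LDAP", "Alma"}

@dataclass(frozen=True)
class LoginProfile:
    name: str                           # hypothetical profile name
    auth_method: str                    # "SAML", "LDAP" or "Alma"
    user_info_method: str               # may differ from auth_method
    check: Callable[[str, str], bool]   # stand-in for the real authentication call

def backend(table):
    """Constructed credential store standing in for an LDAP or Alma server."""
    return lambda user, password: table.get(user) == password

def reject(user, password):
    """SAML sign-in happens on the identity provider's page, outside this model."""
    return False

# Constructed sample profiles and accounts.
LDAP_PROFILE = LoginProfile("ldap-staff", "LDAP", "Alma", backend({"staff1": "pw-ldap"}))
ALMA_PROFILE = LoginProfile("alma-guests", "Alma", "Alma", backend({"guest7": "pw-alma"}))
SAML_PROFILE = LoginProfile("campus-sso", "SAML", "Alma", reject)

def validate_cascade(profiles):
    """Return configuration errors for a cascading profile (empty list if valid)."""
    errors = []
    if len(profiles) < 2:
        errors.append("a cascading profile needs at least two login profiles")
    errors += [f"{p.name}: {p.auth_method} cannot be cascaded"
               for p in profiles if p.auth_method not in CASCADE_METHODS]
    return errors

def cascade_login(profiles, user, password):
    """Try profiles in order of precedence; stop at the first one that accepts."""
    errors = validate_cascade(profiles)
    if errors:
        raise ValueError("; ".join(errors))
    attempts = []                        # (profile name, accepted) pairs for the audit log
    for profile in profiles:
        accepted = profile.check(user, password)
        attempts.append((profile.name, accepted))
        if accepted:
            return profile, attempts
    return None, attempts                # every profile rejected the credentials

if __name__ == "__main__":
    print(cascade_login([LDAP_PROFILE, ALMA_PROFILE], "guest7", "pw-alma")[1])
```

In this model a single sign-in by an Alma-only user produces one rejected attempt against LDAP before Alma accepts, which is worth remembering when reading failed-login counts on the first system in a cascade.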

    Clearing Active Login Profiles

    The Active Login Profiles section on the Login Profiles page (Primo Home > Ongoing Configuration Wizards > User Authentication Wizard) allows you to specify the active login profiles and the order in which they appear on the User Login page. To clear all active profiles, click the Clear button.
    This action does not delete the login profiles listed in the Profiles section.
    Clearing All Active Login Profiles