The Complexities of Authentication on University Library Websites

Who is allowed to access an academic library's website? This often turns out to be a complicated question. Copyrighted materials are often licensed only for use within the institution, or just to select groups. Authenticating users and determining authorization involves more than just getting a user ID and a password.

Keeping things simple by hiding the complexity

It's important to keep the appearance simple, especially for new students. A library site that's difficult or intimidating to use isn't of much use. With a huge number of new students coming in every year, the IT staff doesn't want to be buried in requests for help. There should be a single sign-on for all library services, rather than making users log in again for each of the online services the library maintains.

In many places, on-campus computers automatically have access to most library materials. For machines that belong to the university, this is just a matter of keeping a list of their IP addresses and letting them through without further checking. That's not to say it's a trivial job. A large university has lots of computers, managed by lots of departments. Keeping track of all the addresses that belong to the university is a significant task.

Wireless access points complicate matters further. If they're public and don't require authentication, treating any machines that use them as on-campus devices would be a mistake. People sitting near buildings would be able to take advantage of them and access materials that are supposed to be restricted. Aside from making the rights holders unhappy, that's likely to result in excessively heavy use of Wi-Fi.

When signing on is required

Users accessing restricted materials from public Wi-Fi access points and off-campus locations need to be authenticated. Universities set up authentication systems for access to other services, such as course registration, so the library will normally build on the university system. This may require building some complicated software bridges, but it satisfies the single sign-on requirement. Students and faculty only need to log in once, and then they can access any library services for which they're authorized.

The details vary a lot. Each institution has its own sign-on system. Some work smoothly across all services; others may rely on the service to set up the user interface, and so they'll have a less uniform appearance.

Dealing with the fine grain

Sorting out restricted and unrestricted materials can be messy. Users of Harvard's Image Delivery Service will find a mix of materials which anyone can use and ones which only authorized users can access. They see the list of restricted and unrestricted items, and they aren't required to log in till they try to access a restricted one.

Not everyone on campus necessarily has access to all restricted materials. Materials might be licensed only for use by the biology faculty or the law school. In those cases, the library system will need to check the logged-on user's affiliation. This requires access to additional information on the user's identity.

Students, faculty, and staff will use the library's website to reserve books and other physical materials. In these cases, the site needs to interface with a reservation system that stores individually identifiable requests. In general, though, it's better for the server not to keep a record of users' activity. It only has to check whether they're authorized to access the material, not to remember what they accessed.
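
The checks described so far (campus IP list, open Wi-Fi excluded, login only when a restricted item is requested, affiliation for group-licensed material, no activity record) can be combined into one access decision. This is an added example, not code from the article or from any library system; the address ranges, affiliation names and the `Resource`, `User` and `decide` names are assumptions for illustration. It also assumes that anyone the campus sign-on vouches for may use campus-wide material.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample ranges (RFC 5737 documentation space), not real campus networks.
CAMPUS_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
# Open, unauthenticated Wi-Fi carved out of campus space: never treated as on-campus.
OPEN_WIFI_NETS = [ipaddress.ip_network("198.51.100.128/25")]


@dataclass(frozen=True)
class Resource:
    restricted: bool
    licensed_to: frozenset = frozenset()  # empty: whole campus community


@dataclass(frozen=True)
class User:
    affiliations: frozenset  # asserted by the campus sign-on system (assumed)


def is_trusted_campus_ip(addr: str) -> bool:
    """True only for listed campus addresses outside the open Wi-Fi ranges.

    addr must be the peer address seen by the server or a trusted proxy,
    not a header value the client can set.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable address: fail closed
    if any(ip in net for net in OPEN_WIFI_NETS):
        return False
    return any(ip in net for net in CAMPUS_NETS)


def decide(resource: Resource, client_ip: str, user: Optional[User] = None) -> str:
    """Return 'allow', 'login' or 'deny'; keeps no record of the request."""
    if not resource.restricted:
        return "allow"  # open items never force a login
    if resource.licensed_to:
        # Group-licensed material: network location alone is not enough.
        if user is None:
            return "login"
        return "allow" if user.affiliations & resource.licensed_to else "deny"
    if user is not None or is_trusted_campus_ip(client_ip):
        return "allow"
    return "login"
```
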

Outside services

Libraries provide access to contracted outside services, such as JSTOR and Safari Books. The site has to let authenticated users get access without forcing them to go through another round of logging in. Usually it isn't necessary to identify individuals to the service, only to confirm access rights, but those rights might be restricted to a subset of the user community. This is another case where the software needs to check the user's role and affiliation.

Clearly the handling of authentication and authorization is a large part of the work in developing and maintaining a university library's website. It requires careful planning and coordination with campus-wide IT services.

Since 1999, Rick Cecil has been designing positive user experiences for universities, non-profits, Fortune 500 companies, and startups — companies like Scripps Interactive, T-Mobile, AT&T, Motricity, UCLA, Duke University, Fortunoff, La-Z-Boy, and Oxford University Press.
