Slide 1: Advanced PDS Topics
Andrew Walsh
Team Lead, NA Primo Support Teams
andrew.walsh@exlibrisgroup.com
Slide 2: Copyright Statement
All of the information and material inclusive of text, images, logos, product names is either the property of, or used with permission by Ex Libris Ltd. The information may not be distributed, modified, displayed, reproduced in whole or in part without the prior written permission of Ex Libris Ltd.

TRADEMARKS
Ex Libris, the Ex Libris logo, Aleph, Alma, SFX, SFXIT, MetaLib, DigiTool, Verde, Primo, Voyager, MetaSearch, MetaIndex and other Ex Libris products and services referenced herein are trademarks of Ex Libris, and may be registered in certain jurisdictions. All other product names, company names, marks and logos referenced may be trademarks of their respective owners.

DISCLAIMER
The information contained in this document is compiled from various sources and provided on an "AS IS" basis for general information purposes only without any representations, conditions or warranties whether express or implied, including any implied warranties of satisfactory quality, completeness, accuracy or fitness for a particular purpose. Ex Libris, its subsidiaries and related corporations ("Ex Libris Group") disclaim any and all liability for all use of this information, including losses, damages, claims or expenses any person may incur as a result of the use of this information, even if advised of the possibility of such loss or damage.

Ex Libris Ltd., 2014
Slide 3: Agenda

Slide 4: Introduction
Who am I?

Slide 5: A Quote
Slide 7: General Notes
It's Just Perl
  If you can do it in Perl
All responses are in XML
PDS does not decide
  It only provides information
  Applications use the information to decide
Sessions
  Application Sessions
  PDS Sessions
  Any connection is made by the Application
R.T.F.M.
  Constant improvements to the documentation
  For example, the diagram on page 15 (January 2015)
Slide 8: PDS Versioning

Application   PDS 1.3   PDS 2.0   PDS 2.1
Primo         All       3.0.2+    3.1.1+
Aleph         18.01+    20.2.2+   21.1+
Voyager       *         8.0+      8.1+
MetaLib       3+        4.4+      4.4.3+
Rosetta       All       2.1.1+    2.2+
DigiTool      -         3.3+      3.3+*
Slide 10: General Notes on CAS
Remote Login Only
  PDS redirects the user to an external system
  The external system is a CAS-protected version of PDS
  Only uses [LOAD_LOGIN] (i.e. the send-away service)
  Patron Information must come from another source
CAS handled by Apache
  Ex Libris provides an Apache Perl module
  The Apache Perl module restricts access unless CAS tickets are provided
Sessions
  Application Sessions
  PDS Sessions
  CAS Sessions
  CAS sessions are kept in an Oracle table
Logout
  CAS sessions can only be removed by Apache
  After logout from CAS you must return to PDS
Slide 11: PDS Flow, CAS, High Level
  1. New Application Session
  2. Application sends user to PDS for SSO check (<<SSO>>)
  3. User returns from SSO check
  4. User clicks Login; user sent to PDS for Login (<<LOAD_LOGIN>>)
  5. User returns from PDS with a PDS Session
  6. Application requests Patron Information from PDS (<<BOR_INFO>>)
  7. Application gets Patron Information
  8. Authenticated Application Session with Patron Information
Slide 12: PDS Flow, CAS, Login (flowchart as text)
PDS:
  CAS data from Apache?
    NO:  Create PDS Session -> Redirect to CAS-protected PDS (Apache lane)
    YES: Save ID from Apache -> Return PDS_HANDLE
Apache (CAS-protected PDS):
  Apache CAS session in Oracle?
    YES: Add ID to Apache data -> Pass request to PDS
    NO:  Direct user to CAS -> on return, Save CAS session in Oracle -> Add ID to Apache data -> Pass request to PDS
Slide 13: PDS Flow, CAS, SSO (flowchart as text)
PDS:
  CAS data from Apache?
    NO (first request):  Create PDS Session -> Redirect to CAS-protected PDS (Apache lane)
    NO (request passed back without an ID): Return as Guest
    YES: Save ID from Apache -> Return PDS_HANDLE
Apache (CAS-protected PDS):
  Apache CAS session in Oracle?
    YES: Add ID to Apache data -> Pass request to PDS
    NO:  Direct user to CAS for SSO -> Signed in to CAS?
      YES: Save CAS session in Oracle -> Add ID to Apache data -> Pass request to PDS
      NO:  Pass request to PDS (without CAS data)
Slide 14: PDS Flow, CAS, Logout
  1. Logout Request
  2. Redirect to [REMOTE_LOGOUT]
  3. Destroy CAS cookie
  4. CAS completes logout
  5. CAS redirects back to CAS-protected PDS
  6. Apache removes the CAS session from Oracle
  7. Apache passes the logout request to PDS
  8. PDS destroys the PDS session
  9. User redirected back to calling application / [REDIRECT_LOGOUT]
Slide 16: General Notes on Shibboleth
Remote Login AND Patron Information
  PDS redirects the user to an external system
  The external system is a Shibboleth-protected version of PDS
  Only uses [LOAD_LOGIN] (i.e. the send-away service)
Handled by Apache & Shibboleth
  Shibboleth software must be installed on the server
  The Shibboleth software restricts access unless authenticated
Sessions
  Application Sessions
  PDS Sessions
  Shibboleth Sessions
Logout
  Shibboleth sessions can only be removed by Apache
  After logout from Shibboleth you must return to PDS
Slide 17: PDS Flow, Shibboleth, High Level
  1. New Application Session
  2. Application sends user to PDS for SSO check (<<SSO>>)
  3. User returns from SSO check
  4. User clicks Login; user sent to PDS for Login (<<LOAD_LOGIN>>)
  5. User returns from PDS with a PDS Session
  6. Application requests Patron Information from PDS (<<BOR_INFO>>)
  7. Application gets Patron Information
  8. Authenticated Application Session with Patron Information
Slide 18: PDS Flow, Shibboleth, Login (flowchart as text)
PDS:
  Shibboleth data from Apache?
    NO:  Create PDS Session -> Redirect to Shibboleth-protected PDS (Apache lane)
    YES: Save Patron Data from Apache -> Return PDS_HANDLE
Apache (Shibboleth-protected PDS):
  Apache Shibboleth session?
    YES: Add Patron Data to Apache data -> Pass request to PDS
    NO:  Direct user to Shibboleth -> on return, Save Shibboleth session -> Add Patron Data to Apache data -> Pass request to PDS
Slide 19: PDS Flow, Shibboleth, SSO (flowchart as text)
PDS:
  Shibboleth data from Apache?
    NO (first request):  Create PDS Session -> Redirect to Shibboleth-protected PDS (Apache lane)
    NO (request passed back without Patron Data): Return as Guest
    YES: Save Patron Data from Apache -> Return PDS_HANDLE
Apache (Shibboleth-protected PDS):
  Apache Shibboleth session?
    YES: Add Patron Data to Apache data -> Pass request to PDS
    NO:  Direct user to Shibboleth for SSO -> Signed in to Shibboleth?
      YES: Save Shibboleth session -> Add Patron Data to Apache data -> Pass request to PDS
      NO:  Pass request to PDS (without Shibboleth data)
Slide 20: PDS Flow, Shibboleth, Logout
  1. Logout Request
  2. Redirect to [REMOTE_LOGOUT]
  3. Destroy Shibboleth cookie
  4. Shibboleth completes logout
  5. Shibboleth redirects back to the protected PDS
  6. Shibboleth session removed
  7. Apache passes the logout request to PDS
  8. PDS destroys the PDS session
  9. User redirected back to calling application / [REDIRECT_LOGOUT]
Slide 22: PDS on Port 80 & Port 443
Not recommended
  Apache must be reconfigured to run as root
  Start/stop requires root-level access
Solution
  Use ports 8991 and 1443
  Map 80 and 443 to these high ports
    IP Tables
    Network firewall or load balancer
  Double-check how PDS and your Application call PDS

Slide 23: Port Collision
One process = one port
  Port 80 cannot be shared
  Ports are specific to an IP address
Solutions
  SSL
  Second IP address (with DNS name)
  Layer-7 aware device

Slide 24: Port Collision Solutions
SSL
  Application uses port 80 (mapped to its port)
  PDS uses port 443 (mapped to port 1443)
Second IP address (with DNS name)
  Application uses 1.1.1.1:80
  PDS uses 2.2.2.2:80
  Update PDS & Application with the new DNS name
Layer-7 aware device
  Examines HTTP request
  Routes request based on incoming URL
  Approved but not supported
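The port mapping from slides 22 and 24 (Apache stays on the unprivileged ports 8991/1443 so it never runs as root, and the host maps 80/443 onto them) as an added example; this is not the deck's or Ex Libris' own script. It generates the iptables NAT rules for the "SSL" collision solution, in which the application owns port 80 and PDS owns port 443. The application's own high port (1701 in the usage line) is a placeholder, and the script only prints the rules unless APPLY=1 is set. The OUTPUT rule is included because a PDS or application process on the same host that calls PDS via loopback never passes through PREROUTING, which is the case the deck's "double-check how PDS and your Application call PDS" warns about.

```shell
#!/bin/sh
# Added example, not part of the Ex Libris deck: emit iptables NAT rules that
# map the privileged ports 80/443 onto the unprivileged ports Apache listens on
# (8991 / 1443 in the deck). Port numbers other than 80, 443 and 1443 are
# placeholders chosen for this example.

# Accept only a numeric, unprivileged (>1024), valid TCP port.
check_high_port() {
  case "$1" in
    ''|*[!0-9]*) echo "invalid port: $1" >&2; return 1 ;;
  esac
  [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# Print (do not apply) the two NAT rules for one public->high mapping.
# PREROUTING handles traffic arriving from the network; OUTPUT on the loopback
# interface handles a process on this host calling PDS through the public
# port, which PREROUTING never sees.
pds_redirect_rules() {
  public="$1"; high="$2"
  check_high_port "$high" || return 1
  printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$public" "$high"
  printf 'iptables -t nat -A OUTPUT -o lo -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$public" "$high"
}

# The deck's "SSL" collision solution on a single address: the application
# owns 80 (mapped to its own high port, assumed) and PDS owns 443 -> 1443.
ssl_split_plan() {
  app_port="$1"            # placeholder application port, e.g. 1701
  pds_port="${2:-1443}"    # PDS SSL port from the deck
  pds_redirect_rules 80 "$app_port" || return 1
  pds_redirect_rules 443 "$pds_port" || return 1
}

# Dry run by default; apply each rule only when APPLY=1 is exported.
apply_rules() {
  if [ "${APPLY:-0}" = 1 ]; then
    ssl_split_plan "$@" | while IFS= read -r rule; do
      eval "$rule" || exit 1
    done
  else
    ssl_split_plan "$@"
  fi
}

# Usage (dry run): sh pds_ports.sh 1701
if [ $# -gt 0 ]; then
  apply_rules "$@"
fi
```

Rules are printed rather than applied so they can be reviewed and turned into the equivalent firewall or load-balancer mapping where iptables is not the chosen tool; when run with APPLY=1 the script needs root, which is the privilege the Apache process itself no longer requires.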
Slide 25: A word on mod-jk, Primo, & PDS
History
  Originally set up & recommended mod-jk
  Ran Apache on port 80
  Redirected requests to Primo or PDS based on URL
Problems
  Poor performance
  Unusual errors
  Down systems

Slide 26: mod-jk is NOT approved & NOT supported
Slide 28: Traditional Setup (PDS 1.3)
Overview
  PDS runs on a single machine
  All Applications point to that machine
Benefits
  Supported for all versions of PDS
  Centralized customization
  Can be configured manually (i.e. no PDS Wizard)
  No Multiple Domain problem
Disadvantages
  Single point of failure
  Must move PDS to use a new version with an application
  No High Availability
  Patrons must re-authenticate following failure

Slide 29: PDS 1.3 Topology
Rosetta: PDS Software, PDS Configuration
Primo:   PDS Software, PDS Configuration
Aleph:   PDS Software, PDS Configuration
Slide 30: High Availability Setup (PDS 2.0)
Overview
  PDS runs on each Application machine
  All PDS configuration is in Oracle
  All PDS sessions are in Oracle
Benefits
  High Availability
  Applications use their own version of PDS
  Simpler networking
  Single point of failure moved to Oracle
  Easier integration of new Applications
Disadvantages
  Single point of failure moved to Oracle
  Must use PDS Configuration Wizard
  Customizations must be repeated on each server
  Multiple Domains issue
  Collating logs across several servers

Slide 31: PDS 2.0 Topology
Rosetta: PDS Software, PDS Configuration
Primo:   PDS Software, PDS Configuration
Aleph:   PDS Software, PDS Configuration
Oracle Database: PDS Configuration, PDS Sessions
Slide 33: Levels of HTML Customization

Slide 34: Customization Tricks
Use multiple Institutes for multiple login methods
All HTML pages can be customized
  This includes those used for redirects
  Add or remove a cookie
  Add links to other login methods (i.e. another Institute)
All Service Programs can be customized
  Change how requests are made
  Alter data received before mapping
  This is the only way to delete unwanted data
Use Mapping to customize the data
  Mapping never deletes any data
  New elements can be created conditionally or unconditionally
Slide 36: Additional Notes
Upgrades
  CAS & Shibboleth configurations may not be preserved
  Redo the CAS or Shibboleth setup following major upgrades
Multiple Domains (2.0 Topology)
  PDS Sessions are tied to the PDS server
  Therefore they are tied to a domain name
  SSO across domains requires PDS to have a single domain
Multiple PDS Institute Codes
  Define a default institution
  Ensure a PDS Institute Code exists only once
  Use Mapping instead of multiple PDS Institute Codes
Slide 38: Resources
  Patron Directory Services Guide
  Patron Directory Services Upgrade Guide
  Application-specific documentation

Slide 39: Thank You!
andrew.walsh@exlibrisgroup.com