Ameritech Library Services

Remote Patron Authentication

Joint Application Development (JAD)

Call for Participation

Remote Patron Authentication (RPA)

Product Overview	Patron Authentication and Resource Sharing System (RSS)
Database Providers	Criteria for JAD participation
Statistics	Application form
	Screen Shots

At the Summer ALA conference in New Orleans, Ameritech Library Services showed a prototype of Remote Patron Authentication (RPA) ....described in the 1999 Dynix Product Plan and the 1999 Horizon Product Plan. After gathering some feedback from ALS customers and testing with database providers, we are now ready to create a JAD team to review product specifications and prototypes.

Product Overview

This new product is intended to mediate connections to Web-based content providers and will detect whether the user is initiating a search from within the library or outside the library. If the request is initiated from outside the library via a web browser, RPA performs two important functions:

authenticating patrons dynamically for remote access to library-licensed databases; and
passing certified requests to the Web-based database provider.

Note: If the search is initiated from a workstation within the library, RPA detects it and will allow the user to immediately access the Web-based database, knowing that the database providers do IP filtering for in-library patrons.

1. Authenticating the patron

When attempting to access restricted web resources from outside the library’s domain, the user would be prompted to enter his/her library barcode, pin, id#, or other identifier. RPA then uses this information to authenticate the user with the system’s patron database, and can restrict users based on patron group, registration location, expired library card, fine/fee limit, exceeding a lost book or overdue number limit or other factors specific to the patron database. After the patron is validated, the browser will display all the licensed databases that the patron is qualified to access. If the patron is not validated, the browser will display a library-specific message about why access has been denied. NOTIS supports more types of patron qualifiers than listed. We will be using all of them in our iteration of RPA.

2. Certifying the request to database providers

As the patron selects one of these licensed databases, he or she is allowed access to the database. RPA passes a certified request through to the database provider in the HTTP message. This certification would happen using one of the following methods:

RPA passes a "Referring URL" to the database provider. Remember, patrons can only access this "Referring URL" page if they have been authenticated as valid library patrons.
RPA passes an imbedded username and password in the URL to the database provider. Again, patrons can only click this resource if they have been authenticated as valid patrons in the system.

We are also investigating the implementation of digital certificates and are interested in pursuing this option as it becomes an industry-wide standard. One source for more information on authentication methods and digital certificates is the Coalition for Networked Information at www.cni.org

Database Providers

Ameritech Library Services provides a test plan for database providers to certify for access through the ALS Remote Patron Authentication. The test plan insures that the database provider supports one of the two conventions mentioned above for receiving certified requests from RPA. ALS invites database providers to obtain RPA certification, but has no business relationship with the database providers to license, resell, or otherwise distribute their databases. Remote patron access to these databases is controlled exclusively by a license granted to the library by the respective database provider, not by Ameritech Library Services.

If your library licenses databases other than with the providers listed here, contact those providers to ask about their intent to obtain RPA certification. Database providers may request an RPA test plan from Ameritech Library Services.

Database Providers RPA Certification Status Ameritech Library Services Updated July 1, 1999
Database Provider	Status of RPA Certification
ABI Inform (see Reference USA)
Bell & Howell Information & Learning (see UMI ProQuest Direct)
College Onesource
EBSCO Host	Certified for RPA
Electric Library
Enc. Brittanica	Test in process
Gale Group	Test in process
Grolier Online (includes Enyclopedia Americana, Grolier Multimedia Encylcopedia and New Book of Knowledge)	Test in process
IAC (same as Gale Group)
JSTOR	Provider has test plan
Lexis/Nexis	Provider has test plan
NoveList	Certified for RPA
OCLC FirstSearch	Test in process
Ovid	Certified for RPA
Reference USA	Will certify in Fall, 1999
RR Bowker (Reed Elsevier)	Provider has test plan
SIRS Discoverer and Knowledge Source	Certified for RPA
Silver Platter WebSPIRS	Provider has test plan
Stat USA	Provider has test plan
UMI Proquest Direct	Certified for RPA
UnCoverWeb	Certified for RPA

Statistics

Based on customer feedback to date, the following statistics are being planned for the first release of RPA.

What patron groups accessed which databases at which times;
How many patrons were refused access and for what reasons.

ALS participated in discussions at ALA New Orleans about other access statistics and will be discussing those with the JAD team. Note: Statistics on usage and searching patterns once the patron accesses a licensed database should be obtained from the database provider.

RPA will also update the "Last Used" field in the Dynix, Horizon, or NOTIS patron record to insure that patrons who may use resources remotely (and may never actually circulate library materials) are identified as current, active patrons. In this way, remote patrons are prevented from being purged by "Last Used" criteria.

Patron Authentication and Resource Sharing System (RSS)

Remote Patron Authentication (RPA) for remote access to licensed databases should not be confused with the process to authenticate patrons for ILL purposes. The Resource Sharing System (RSS) from Ameritech Library Services provides for patron-placed ILL requests through various PAC products. In order to authenticate patrons for ILL requests and loans, the Resource Sharing System uses one of two methods.

The Resource Sharing patron authentication for Dynix, Horizon, and NOTIS systems communicates patron information with a methd proprietary to each of those systems.

The Resource Sharing patron authentication for patron files residing on non-Ameritech systems is most likely to communicate with the SIP 2.0 protocol (created by 3M), the current de facto industry standard in the U.S.

ALS is also an active participant in the NISO Circulation Working Group developing a standard protocol that encompasses patron authentication.

Criteria for JAD Participation

Participants in this JAD project will be reviewing functional specifications and prototypes. Some JAD participants will continue their involvement through beta testing. All JAD participants need to meet the following criteria:

Expertise and experience in access to Web-based resources;
Access to e-mail and the Web;
Ability to respond quickly (within 48 hours) to questions;
Willingness to share ideas and reach compromises;
Ability to review specifications and prototypes to provide written feedback, primarily by e-mail;
To participate in beta testing, your site must be able to load RPA software on an NT or SUN Solaris Web or WebPAC server.
To participate in beta testing, a Dynix site must be using at least UniVerse 8.3.3.1G, a Horizon site must be using at least Sybase 11.0.3.3, and a NOTIS site must be on release 6.5.

Timetable

This project is following an aggressive timeline calling for general release of the product by September 1999.

Return to Remote Patron Authentication

Updated August 27, 1999