Koha Question of the Week: What authentication options are available with Koha?

by Kalleen Marquise on Aug 27, 2021

Each Friday, we will bring you a new Koha Question of the Week. We will select real questions that we receive and share the answers with you!

Question: What Authentication Options are Available with Koha?

We get this question often, especially when we are speaking with libraries new to Koha! We see this request for authentication options especially with Academic and Special Libraries.

Koha offers several options for external authentication services which allow users to sign in. LDAP, CAS, Google OAUTH, SAML, and Open Athens (EBSCO) to name a few.

This information is excerpts from a blog post by Nick, one of our Developers.

CAS: When CAS is enabled a new link is added to the Koha sign in form. Users with a CAS account will click this link, be directed to your sign on solution, and then checked against existing Koha users. Local sign on is still an option, however, we can hide or customize the login form to highlight SSO or hide local links.

Google OAuth: When Google OAuth is enabled a new link is added to the Koha sign in form. Users with a Google account will click this link, be directed to your sign on solution, and then checked against existing Koha users. Local sign on is still an option, however, we can hide or customize the login form to highlight SSO or hide local links.

LDAP: LDAP allows patrons to use the built-in Koha sign in form. Users will enter their username and password - these credentials are the used to look up and match a user in the LDAP server. If an LDAP user is found we then search for a corresponding Koha user and log them in if found. If the ldap lookup fails, or the credentials don't match, the username and password are then checked against the Koha database directly and the user is signed in if the credentials are valid.

Open Athens (EBSCO): EDS/OpenAthens both have koha plugins that support connecting the catalog to these resources. OpenAthens can allow users to sign in once and access various external databases as configured in OpenAthens. It is worth noting these here as they are often a concern for SSO solutions. OpenAthens also supports the SAML protocol as an SSO itself.

SAML: When SAML is enabled a new link for 'Shibboleth sign on' is added to the Koha system. Users with a SAML account will click this link, be directed to your sign on solution, and then checked against existing Koha users. Local sign on is still an option, however, we can hide or customize the login form to highlight SSO or hide local links

Related Resources

Setting Up Single Sign-On / Authentication Options for Koha

One of our library partners, Myka Kennedy Stephens of Lancaster Theological Seminary, put together a wonderful presentation on Implementing OpenAthens Single Sign-On Authentication