Below are the Single Sign On (SSO) ecologies supported by Infiniti and LibPaths.
Please refer to Clause 3.12e of our Terms and Conditions, which can be found at the bottom of every Infiniti/LibPaths page including the login page. Your SSO is a component of your "third-party or in-house application ecology".
Infiniti and LibPaths can be integrated with several third-party Remote Authentication ecologies. Each authentication ecology (see the list below) is configured internally by your school's IT Team or school's IT Contractors (collectively your IT Team). Once independently configured, your IT Team has the option to integrate your preferred authentication ecology (your SSO) with Infiniti/LibPaths.
Infiniti/LibPaths includes all the tools and inline documentation required for your IT Team to self-integrate with your preferred SSO. Infiniti and LibPaths currently include tools to integrate with:
- Microsoft Active Directory via the LDAP standard (authentication only, no Single Sign On).
- Microsoft Azure via the LDAPS standard (authentication only, no Single Sign On).
- Federated Single Sign On via the SAML 2.0 standard (Vendor neutral, including Active Directory).
- Federated Single Sign On via the OpenID Connect standard (Vendor neutral, including Active Directory).
- Google Accounts via Google's proprietary authentication module.
Please note: Security controls in your school network and knowledge of its configuration prevent a Concord Software Engineer from accessing your network independently to investigate and/or integrate your SSO ecology. If you require Concord Technical Support, you can schedule a suitable time for a specialist Concord Software Engineer to share a Zoom webinar with your IT Team. Please advise if this is the case and we will provide a quote for remote technical services.
Below are some guidelines that may help you integrate your SSO ecology with Infiniti.
1. Interim Access - just in case no one can log in at the moment
If your library is currently integrated with one of these ecologies and users with active accounts are currently unable to access Infiniti/LibPaths through this ecology, the first thing you should do is ensure that library managers and IT Team are able to access Infiniti/LibPaths without relying on remote authentication, i.e., conventional login with ID and password. This will ensure Infiniti/LibPaths can be used by key staff while any authentication issue is examined.
To access Infiniti/LibPaths directly:
- Open in a new private browser window (to avoid possible cookie issues):
  - https://[your library tenant].concordinfiniti.com/login
  - You may have to request this page twice if you have SAML 2.0 turned on.
- Enter your username as recorded for the user profile you are authenticating with. This may differ from your username in other school systems.
  - If you do not know your username and no other librarian has access, please inform Concord Support so we can check who has a librarian administration account.
- Enter your password as recorded in Infiniti/LibPaths. This may differ from your password in other school systems.
  - If you do not know your password and your email address has been recorded in your Infiniti account, you can use the "I cannot login" > "Reset your password" action from the login page.
  - If you do not have an email address recorded to your Infiniti account, inform Concord Support so we can either assign an email address or generate a temporary password for you.
  - If you do not have an account in Infiniti and no other administrative user is able to create one for you, please inform Concord Support and we can create one for you if you are entitled to administrative access.
- Once an administrative library manager has access to Infiniti/LibPaths through this login page, the library manager can create or repair other library manager or IT Team accounts in SETTINGS > Users.
- Reviewing or (re)configuring Remote Authentication modules may also require administrative access to Infiniti/LibPaths by your IT Team with technical knowledge and experience of the relevant remote authentication protocol.
Note: If you have the Microsoft Active Directory LDAP module turned on, entering details into the Infiniti/LibPaths login page will first attempt to authenticate against the remote Active Directory and will only fall back to the internal account database if the remote Active Directory does not respond (after 30 – 60 seconds). If the remote Active Directory responds but rejects the user, fallback will not occur. In that case, you can instruct Concord Support to turn off the Microsoft Active Directory LDAP authentication while the cause is investigated by your IT Team, but at the cost of blocking access for other users if the problem proves to be a specific user's account on the school's Microsoft Active Directory server.
2. Investigation by IT Team
Most Remote Authentication problems are:
- connectivity,
- configuration of the local ecology, or
- propagation issues
that must be resolved by your IT Team.
All remote authentication options require a high level of technical expertise within the school: an IT Team capable of configuring and maintaining the authentication servers or services that Infiniti/LibPaths will communicate with. Your library should only use or keep active remote authentication modules that the IT Team at its disposal can maintain.
Each type of remote authentication ecology has different common issues that can arise. Review the advice below for the authentication ecology relevant to your library.
Microsoft Active Directory LDAP
Go to: Administrative Settings > Integrations > Active Directory LDAP
- Check if the hostname, port and directory domains are correct.
- Check that Infiniti has access through relevant firewalls.
- If encrypted LDAP is being used (Strongly Recommended), check that LDAPS is correctly configured for your Active Directory server or Azure cloud service.
- Connectivity can be tested with the "Test Connectivity" link on the Infiniti configuration screen for LDAP.
See Also: Setup SSO for Active Directory and LDAP
Azure via LDAPS
Please read this documentation: SSO for LDAPS in Azure
Google Identity Service (Proprietary)
Go to: Administrative Settings > Integrations > Google Sign-In
- Your school's IT staff or contractors must configure and maintain a Google administrator or developer account that holds the school's configuration of Infiniti, so that Google sees Infiniti as an "application" in your school ecology.
- Only users with a Google Account authorised by your school's IT configuration can use this sign-in method. Only users that have agreed (a Google dialogue prompt) to link their Google and Infiniti accounts are able to log in with this sign-in method.
- As a proprietary protocol, Google reserves the right to alter the nature of this authentication and who and how it can be accessed. Schools using this remote authentication option are recommended to have a fallback option.
OpenID Connect
Go to: Administrative Settings > Integrations > OpenID Connect
- Your IT Team must configure and maintain a service provider (vendor terminology may differ) for Infiniti/LibPaths, declared within your authentication server or service's administrative portal. The method of doing so will differ by vendor and is documented differently by each vendor. Your IT Team is expected to familiarise themselves with the relevant vendor's documentation, connectivity, and (potential) subscription requirements.
- If your library has turned on this module as the "Default Authentication Method", we strongly advise that you switch off this module as the default until you resolve any underlying connectivity or configuration problems. However, doing so will rely on users (library managers, staff, or students) being able to access Infiniti through other authentication methods, e.g., manually with user ID and Password.
- If Infiniti/LibPaths cannot re-populate authentication server (identity provider) metadata from the declared "Discovery URL", this module can fail when the authentication server's behaviour changes. The URL's suitability for Infiniti/LibPaths and its availability should be reviewed by your IT Team.
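A review of the Discovery URL can be scripted by your IT Team. The following is an added example, not Concord's code: it checks a discovery document against the fields OpenID Connect Discovery 1.0 marks as required. The host idp.example.edu, the sample documents and the function name review_discovery are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Fields OpenID Connect Discovery 1.0 marks as REQUIRED in provider metadata.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint",
             "userinfo_endpoint", "jwks_uri")
WELL_KNOWN = "/.well-known/openid-configuration"

def review_discovery(discovery_url, body):
    """Return a list of problems found in a discovery document (empty = OK)."""
    problems = []
    if urlsplit(discovery_url).scheme != "https":
        problems.append("discovery URL is not https")
    try:
        meta = json.loads(body)
    except ValueError:
        return problems + ["body is not JSON (error or login page?)"]
    if not isinstance(meta, dict):
        return problems + ["body is not a JSON object"]
    problems += [f"missing or empty required field: {f}"
                 for f in REQUIRED if not meta.get(f)]
    # The issuer must equal the discovery URL with the well-known suffix removed.
    issuer = str(meta.get("issuer") or "")
    if not discovery_url.endswith(WELL_KNOWN):
        problems.append("discovery URL does not end in " + WELL_KNOWN)
    elif issuer and issuer.rstrip("/") != discovery_url[:-len(WELL_KNOWN)].rstrip("/"):
        problems.append(f"issuer {issuer!r} does not match the discovery URL")
    for key in ENDPOINTS:
        value = meta.get(key)
        if value and urlsplit(str(value)).scheme != "https":
            problems.append(f"{key} is not https")
    return problems

# Constructed sample documents (hypothetical host idp.example.edu).
URL = "https://idp.example.edu/tenant" + WELL_KNOWN
GOOD = json.dumps({
    "issuer": "https://idp.example.edu/tenant",
    "authorization_endpoint": "https://idp.example.edu/tenant/authorize",
    "token_endpoint": "https://idp.example.edu/tenant/token",
    "jwks_uri": "https://idp.example.edu/tenant/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"]})
# Same document after a provider-side change: new issuer, keys over http, no algs.
BAD = json.dumps({**json.loads(GOOD), "issuer": "https://login.example.edu/tenant",
                  "jwks_uri": "http://idp.example.edu/tenant/keys",
                  "id_token_signing_alg_values_supported": []})
```

Pass the body fetched from your own Discovery URL as the second argument; an empty list means none of these checks failed.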
SAML 2.0
Go to: Administrative Settings > Integrations > SAML 2.0
- SAML 2.0 relies on the sharing of configuration metadata between Infiniti (as a Service Provider) and the authentication service (as an Identity Provider). Most problems with using SAML 2.0 for remote authentication are a result of incorrect configuration or an inability for either Infiniti/LibPaths or the authentication service to load or propagate their required metadata.
- Once correctly configured, your service provider (Infiniti/LibPaths) and identity provider (vendor) behaviour will take time to propagate. How long will differ by vendor, but we recommend at least one hour between each re-configuration you believe to be correct.
- If you have turned on this module as the "Default Authentication Method", we strongly advise that you switch off this module as the default until you resolve any underlying connectivity or configuration problems. However, doing so will rely on users (library managers, staff, or students) being able to access Infiniti through other authentication methods, e.g., manually with user ID and Password.
- The button at the bottom of the Infiniti/LibPaths SAML 2.0 configuration page will give more information about how Infiniti/LibPaths uses SAML 2.0, how Infiniti/LibPaths configures SAML 2.0, and common problem resolution scenarios. This includes specific information on Azure.
- SAML 2.0 is a technical protocol and documentation and advice on SAML 2.0 is targeted to the IT Team and contractors with sufficient prior familiarity with the SAML 2.0 protocol and their chosen authentication vendor's documentation and quirks.
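Before re-uploading or re-declaring Identity Provider metadata, your IT Team can inspect it offline. The following is an added example, not Concord's code: it reads an IdP metadata document and reports its entity ID, sign-on endpoints, signing certificates and whether its validUntil date has passed. The sample metadata, the host idp.example.edu and the function name review_idp_metadata are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def review_idp_metadata(xml_text, now):
    """Summarise SAML IdP metadata and list problems worth fixing first."""
    report = {"entity_id": None, "sso": [], "signing_certs": 0, "problems": []}
    try:  # Use on your own IdP's metadata; xml.etree is not hardened for hostile XML.
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        report["problems"].append("not well-formed XML (error page or truncated file?)")
        return report
    idp = root.find(MD + "IDPSSODescriptor")
    if root.tag != MD + "EntityDescriptor" or idp is None:
        report["problems"].append("no EntityDescriptor with an IDPSSODescriptor")
        return report
    report["entity_id"] = root.get("entityID")
    # validUntil can sit on either element; it is the metadata's expiry time.
    for node in (root, idp):
        until = node.get("validUntil")
        if until and datetime.fromisoformat(until.replace("Z", "+00:00")) <= now:
            report["problems"].append(f"metadata expired at {until}")
    # A KeyDescriptor with no 'use' attribute covers signing and encryption.
    for kd in idp.findall(MD + "KeyDescriptor"):
        if kd.get("use", "signing") == "signing" and kd.find(f".//{DS}X509Certificate") is not None:
            report["signing_certs"] += 1
    if not report["signing_certs"]:
        report["problems"].append("no signing certificate published")
    for sso in idp.findall(MD + "SingleSignOnService"):
        binding = sso.get("Binding", "").rsplit(":", 1)[-1]
        report["sso"].append((binding, sso.get("Location", "")))
        if not sso.get("Location", "").startswith("https://"):
            report["problems"].append(f"{binding} endpoint is not https")
    if not report["sso"]:
        report["problems"].append("no SingleSignOnService endpoint")
    return report

# Constructed sample metadata (hypothetical IdP idp.example.edu, placeholder certificate).
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idp.example.edu/saml" validUntil="2024-06-30T00:00:00Z">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>PLACEHOLDER</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.edu/saml/sso"/>
 </IDPSSODescriptor></EntityDescriptor>"""

if __name__ == "__main__":
    print(review_idp_metadata(SAMPLE, datetime.now(timezone.utc)))
```

The check reads only the validUntil attribute; the expiry date inside each signing certificate is separate and should be checked with your certificate tooling.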
Guided Technical Support From Concord
If your IT Team is unable to resolve remote authentication issues independently (allowing for connectivity and propagation), Concord may be able to advise or configure vendor-specific remote authentication services as outlined under Clause 3.2(i) in Terms and Conditions. Please submit a ticket requesting a quote.
We offer these guided technical support webinar sessions provided:
- A duly authorised IT Team member or contractor with knowledge of your network ecology is the primary participant in the meeting.
- The representative(s) have access to both their authentication service and Infiniti with administrative privileges.
- The session uses a widely supported webinar platform, e.g., Zoom or MS Teams, agreed upon prior to the meeting; with the ability to share the screen with your IT Team representative(s). We do not require remote control, but general screen visibility of vendor configuration or tools can greatly improve the diagnostic process. By default, we offer webinar/video sessions through Zoom.
- Meeting time and participants are propagated by email.
Prior to the meeting, Concord Support should be sent the following information:
- A test username and password that Concord Support can use to test/reproduce the issue.
- The precise time an error occurred with your test user.
- A full high resolution snapshot of the error that occurred.
- In the case of SAML 2.0, either the Identity Provider URL declared in Infiniti/LibPaths or the Identity Provider file uploaded; whichever is toggled.
Note: We advise schools to only use a remote authentication option if your IT Team or contractors are able and willing to maintain the connectivity, configuration, and technical familiarity the relevant remote authentication protocol requires. Some remote authentication modules can require routine re-configuration every year due to encryption and token expiration behaviour intrinsic to the respective protocols.
Conventional Login
Infiniti/LibPaths always allows standard access through conventional login using usernames and passwords recorded in your Infiniti database. If a webinar session to discuss the import and re-configuration of Infiniti/LibPaths users and passwords is required to correctly reflect the current school body without remote authentication, please inform Concord Support.