Unlocking Library Subscriptions

Libraries devote a major portion of their budgets to license access to a wide variety of electronic content. In a few short years, this content has evolved from indexes to full-text journals to full-content reference works to audio content and full-motion video. Getting users to this content has become a high priority.

I have worked for the Maricopa Community Colleges in Arizona for the past 25 years: the first 20 in IT and the last five as a librarian. Nine years ago, I met with a group of librarians to discuss ways to provide remote access to a small assortment of licensed databases. In preparation, I researched available solutions but could not find anything I could recommend. Since this problem seemed like it must be shared by other community colleges, I decided to do something about it. Creating such a solution was outside my job description, so I decided to tackle the problem apart from my duties at Maricopa.

In 1999, I introduced EZproxy 1.0 to address the problem of authenticating remote users and authorizing their access to licensed content. In its first month, ten brave libraries gave it a chance. As of August 2007, 2,250 libraries in 61 countries were using EZproxy as a primary mechanism for authentication.

From the start, the main motivation behind EZproxy was to make web links to library resources work like any other web links: the user would click on the link and gain access. A related goal was to ensure that users would not have to make any changes in their web browser before selecting these links. Owing to authentication and authorization issues, users would have to prove their affiliation at some point. With EZproxy, the user would be required to authenticate only once, gaining single sign-on access across all resources.

In the beginning, EZproxy was only a URL-rewriting proxy server designed to simplify access to IP-authenticated databases. Its role was to keep itself between the remote user and the remote database, retrieving content on behalf of the remote user and rearranging all of the links to point them back to EZproxy instead of toward the database. Through these URL manipulations, the remote user was only required to click on a link, log in, and then gain access to resources.

The first EZproxy prototype operated by changing a URL like http://www.somedb.com/search.hml into a URL like http://ezproxy.yourlib.org/www.somedb.com/search.html. Initial testing proved, however, that rearranging URLs like this posed quite a few problems in handling certain URL forms, cookies, and JavaScript. The answer: ensure that the only section of the URL that was changed is the “authority” section, which is the host and optional port that appear after http:// (or https://) and before the next slash.

At first, EZproxy would change the authority information by assigning a unique port number for each host:port combination and rewriting the URL based on this port, such as changing http://www.somedb.com/ to http://ezproxy.yourlib.org:2050/. Through this remapping, each remote web server was represented by a different port.

Although the method of assigning ports worked well, libraries requested changes to avoid the use of nonstandard ports. This became increasingly important as firewalls proliferated, both to respond to configuration issues at the institution running EZproxy and so that remote users (like students accessing library resources from work) could access web sites on nonstandard ports. Issues with changing information outside the authority section of the URL remained. Then a minor detail in Domain Name System (DNS) came to light.

DNS servers are responsible for changing the (typically) readable names we use for computer systems into the IP addresses needed by browsers to reach those systems. The original DNS specification facilitated the use of wildcard entries, allowing any name that ended in a certain pattern to be mapped to a common server. This paved the way for an alternative to using ports.

The last thing people need is another username, password, or PIN to remember. Regardless of how strong and relevant content licensed by the library may be, the average user is unlikely to access it daily or even weekly. For many, database use is a just-in-time activity; often that time is the night before a paper is due. In recognition of this, EZproxy has been designed to integrate with a wide range of existing systems for authenticating users.

The best method for user authentication varies from institution to institution. Ideally, the method used should mirror or directly involve an existing system. For integrated library systems, EZproxy supports SIP and NCIP along with a series of product-specific methods for authentication. EZproxy also focuses on linking to nonlibrary systems, including LDAP servers such as Windows Active Directory, Central Authentication Service (CAS), learning management systems such as Blackboard, and even newer remote access solutions such as Eduserv’s Athens (see “The Holy Grail of One User ID,” p. 10) and Shibboleth.

Originally, institution–to–database vendor authentication occurred at a relatively coarse level of granularity (e.g., “this is one of our users, please provide access”). Providing more specific information on users enables enhanced user services and also allows vendors to monitor for abuse and lock out individuals instead of locking out an entire institution.

To support customization while protecting user privacy, EZproxy supports the creation of persistent identifiers (strings of letters and digits) to represent users. Each user is assigned a different identifier for each database vendor to minimize the chance of user information being correlated by third parties in ways that the user or institution may not intend.

With persistent identifiers, vendors can provide an enhanced experience such as transparent access to bookshelves and stored searches without requiring the user to track an additional account. Concurrently, a vendor can monitor for an individual abusing access without actually knowing specific information about the individual. If needed, the vendor can provide this information back to the institution so it can address the matter.

EZproxy owes its success to a strong user community. When the State University of New York (SUNY) system adopted EZproxy in 1999, it created an EZproxy email list to facilitate discussion among its members. Although originally designed as an internal list, SUNY kindly extended access to the world, and since then membership has grown to 1000 users.

SUNY–Potsdam hosts the Unofficial EZproxy Self-Support Wiki. In this space, users can share database configurations, interesting or unusual authentication strategies, helpful tips, documentation, and more.

EZproxy has been enhanced to implement alternate methods of authentication beyond Internet Protocol (IP) authentication, many of which are based on encryption technology. The database vendor provides a secret key, and EZproxy uses the key to create cryptographically signed, short-duration URLs that can be verified by the institution to grant access. Persistent identifiers are often incorporated into the URLs, which are used by vendors such as Book24x7, EBL, ebrary, Films Media Group, NetLibrary, and OverDrive.

A tool like EZproxy often acts as a central point for routing users to library resources. As institutions and database vendors make changes, URLs may need to be altered to support these changes. EZproxy now supports applying changes to URLs through regular expressions. This enables changes as simple as transforming a hostname from an old to a new form or as complex as rearranging the URL to reroute users to different URLs based on the location (e.g., local users to one direct URL, remote users to an alternate entry point with direct support for an authentication method such as Shibboleth).

To paraphrase two of S.R. Ranganathan’s laws, “Databases are for use” and “Save the time of the database user.” No matter how much we spend or how wonderful the content, if users cannot access the content when they want it and where they want it, the content is wasted.

User success starts with outreach and information literacy instruction and incorporates myriad pieces to ensure that users are able to get to the most appropriate source to meet their specific needs. Tools like EZproxy guarantee that database users can reach the databases that will meet their needs whenever and wherever they are.