Page Comparison

...

Avalon user survey
- Please fill out ASAP if you haven’t already!
- https://docs.google.com/forms/d/e/1FAIpQLSdezBQ4iHsrEewHFRH7H8slaI1ThRSdbakI6zqrPTyMUwnWLg/viewform
- roadmap items can be left blank or marked “not sure” as needed
Demo of temp access URL customization from UMD for outside researchers (Kee-Young Moon)
- How do other institutions provide access to outside researchers?
- Is there interest in bringing UMD’s customization back into the project?
- Avalon Feature: File Retrieval and Request Fulfillment
  - Masterfile access copies are copied over to streaming
  - Goals:
    - provide better service to staff users and end users
    - Improve workflow of staff users and repository administrators
    - For Staff Users
    - Once binaries uploaded to Avalon, they’re moved to another location
    - Media object ID retrieved from Avalon
    - On media object details page, users will have a /download route that they can use to download the binary
    - Direct URL to the media object URL
    - Download URL
      - Recalculated URL to the access copy to download the access copy
      - Created automatically
      - Avalon administrator role needed to see and access it
        Doesn’t work with non-admin rights
        Set can_download permission
        Does not expire
    - Example - open to public item
      - Users can stream video but not download the file
      - “Request from Special Collections” button
      - Staff view will see a “Downloads” section with download link
      - Staff can download the file diretly
    - Benefit 1: Protect the Access Copy
    - Benefit 2: Download the access copy as needed
    - For End Users
    - Slightly more than half (5,931) in repository open to public
    - 5,392 where access is restricted to campus
    - Token base Access URL
    - Securely randomly generated URL based on token string to stream/download teh access copy
    - Create only after approved by Avalon administrators
    - No Avalon administrator role needed to access and use it
      - Set allow_download permission
      - Set can_stream permission
    - Expires after 14 days via cronjob
    - AccessToken Database Column with ID, media object ID, Token string, allow_streaming? and allow_download?, Revoked?, Description, Created_by, Expired?
      - Token string acts as a virtual group to provide access t an item
    - Custom “Playback Restricted” message in video page
    - “Request from Special collections” button
    - New “+ create a new token” under access control on the item edit page
    - Clicking to create a new token allows admins to set something for streaming only, download only or both.
    - Provides a URL to be given to the patron, admins can edit and revoke
    - Staff users can see all Access Tokens in an Access Tokens listing page
    - Workflow
      - Administrators can create Token Embedded Access URLs
    - Benefit 1: Provide Access to Restricted items
      - End users can view items under access control
    - Benefit 2: Download the access copy
      - End users can download public or restricted items
    - Benefit 3:
      - Admins can provide acces copy instantly to end useres
      - Preservation copies only as needed
    - Custom Features Developed at UMD
      - Add “Request from Special Collection” link
      - File Retrieval and Request Fulfillment
      - Avalon Single-Sign-On with Grouper Integration
      - Filter by Access Control
      - IP Based Access Control Improvements
      - Add Matomo web tracker to Avalon
      - Avalon OAI-PMH Implementation
- For original files, administrator will need to go through AWS to locate the original and get the coy and hand off to staff users
- Design should allow the download of all files associated with the original item
- This was implemented in 2022, took about 2 months of development work
- Matomo web tracker - Kee-Young less familiar, could get someone else from UMD
- How many people are creating these tokens?
  - 10-20 people managing these requests
  - When requests come, they go to ticket and handle it by request
  - Single moderator for requests—less than 5 people who can create tokens for any requests
Authentication and account management flow
- IU integration workflow (Chris Colvard)
  - IU’s auth: we had been using CAS, but then moved to SAML
  - SAML used for most users, for students, faculty and staff, guest accounts too
  - Guest accounts live in a separate database
  - Avalon uses a gem called ‘devise' for the login interface
  - To allow it to be flexible for different back ends, it uses a gem called omniauth
  - We have code in Avalon that customizes omniauth for cases we need
  - Lots of plugins and individual libraries implementing specific auth schemes with omniauth
  - At IU we use omniauth-saml
  - Using Okta documentation page as an example (Adding Okta Authentication )
  - Config initializer file needed - gets login information, looks up users, figures out what to get back from the auth system, sends that back to Avalon
  - Mapping of specific information the auth system sends back happens there
  - For SAML auth at IU, there’s the normal students faculty staff case, and then the guest user case
  - If it’s a guest user, we pull out a slightly different bit of information, look up the user in a different database before passing back to Avalon
  - It’s possible to set up multiple auth backends in Avalon
    - This information shows as “Provider” in Avalon’s Manager Users page
  - Only in certain cases can the user information be editing in Manager Users
  - Manage Users also allows for the ‘become’ function to view the site as a particular user account
  - For SSO, it will automatically create a user account within Avalon
    - You could delete a user in Avalon, and when they log in it would recreate their account
  - When IU switched from CAS to SAML, the authentication system provided by central IT, there was a lot of back and forth working with them to make sure everything was configured correctly
    - Certificates were important; SAML uses certificates much like SSL
    - Tracking requests being made in Avalon helped debug this, because there are many hops when the app needs to go out to one or more separate auth pagees then back to the app
  - Questions? What are you using?
    - Jason: is this username or email based?
      - Yes, generally it’s username or email based
      - Same for the LTI case
      - At NEC it’s managed by the library consortium, managed by proxy server that is username-based
      - They also do barcodes for user account identification
      - They have to be actively involved in making an account, with barcode, and setting item access when there’s an external request
      - What are the advantages of authentication by username primarily?
        At IU we use ADS, which has many points of data
        We do use Active Directory service for connecting through LDAP to get user groups that they belong to
        Users have lots of directory groups that we keep track of for access
        Social logins are possible for guest accounts, but we haven’t implemented this
    - Kee-Young:
      - At UMD they have SSO with Avalon, with SAML
      - “By-invitation” account creation
      - They don’t let anyone not associated with UMD to create an Avalon account
      - Users need a umd.edu email
      - Do other institutions allow users to create public Avalon accounts?
      - How do you control restricted items?
- What challenges are other institutions facing?
- UMD: Currently can’t delete users who have created an account via SAML. Can you delete SAML user accounts?
  - Accounts could be deleted from Manage Users page
  - UMD can delete accounts created from Grouper, but not the SAML users; they can’t be deleted by clicking the “Delete” button
    - This behavior could be a bug; you should be able to delete users from the Manage Users page that have been created from different back ends
    - [ ] Jon will create a ticket to look into this
    - Having an audit tool would be handy: when did the user last log in? Can we expire or remove users in bulk via some other way?
Process to upgrade from 7.3 or 7.4 to 7.7
- This was a question from UMD, but may be of broad interest
- UMD will be updating to 7.7.2, in the middle of the migration process from old Fedora to Fedora 4
- Planning on updating in September; no specific question to ask yet
- Major issue: will all of the major customizations be able to carry over?
  - UMD is currently at 7.4
  - Button on item view page will need to be implemented slightly differently
  - Item view page is redone in 7.7 and so some templating/display things might be different
  - Avalon team can help provide a pattern when doing upgrades and retaining custom features and functionality
- Is it required to step through each release?
  - Answer is: yes and no
  - It would be best to go through the upgrade instructions for each version
    - Includes info on config changes, database migrations etc.
    - For the customizations, you could go through upgrade steps and when you get to Avalon 7.7, then bring in customizations after that
    - There’s generally not too much on the steps for upgrading
    - Avalon team could give advice on specific configurations
Items from other institutions
Future agenda items?
- Demo of LTI integration with course management system - consider this topic for June?
- Potential conversation around upgrade process for institutions that have been using Avalon for awhile (how to handle code customizations, etc.)
- Bulk metadata editing discussion - what are the needs for this in Avalon? Are there tools in the community that could be re-used to help?
- Summary of survey responses

...

Jason Coleman
John M.
Kee-Young Moon
Chris Colvard
Jon Cameron
David P. Steelman

Versions Compared

Old Version 2

New Version 3

Key