2024-05-13 Avalon User Roundtable Meeting
Meeting Time
Monday, May 13 at 1 PM Eastern
Zoom Link
https://iu.zoom.us/j/84620830059?pwd=bWo3R081M3BtaytFMjZnS0FzQkd2dz09
Agenda/Notes
Avalon user survey
Please fill out ASAP if you haven’t already!
https://docs.google.com/forms/d/e/1FAIpQLSdezBQ4iHsrEewHFRH7H8slaI1ThRSdbakI6zqrPTyMUwnWLg/viewform
roadmap items can be left blank or marked “not sure” as needed
Demo of temp access URL customization from UMD for outside researchers (Kee-Young Moon)
How do other institutions provide access to outside researchers?
Is there interest in bringing UMD’s customization back into the project?
Avalon Feature: File Retrieval and Request Fulfillment
Masterfile access copies are copied over to streaming
Goals:
provide better service to staff users and end users
Improve workflow of staff users and repository administrators
For Staff Users
Once binaries are uploaded to Avalon, they’re moved to another location
Media object ID retrieved from Avalon
On media object details page, users will have a /download route that they can use to download the binary
Direct URL to the media object URL
Download URL
Recalculated URL to the access copy to download the access copy
Created automatically
Avalon administrator role needed to see and access it
Doesn’t work with non-admin rights
Set can_download permission
Does not expire
Example - open to public item
Users can stream video but not download the file
“Request from Special Collections” button
Staff view will see a “Downloads” section with download link
Staff can download the file directly
Benefit 1: Protect the Access Copy
Benefit 2: Download the access copy as needed
For End Users
Slightly more than half (5,931) in repository open to public
5,392 where access is restricted to campus
Token-based Access URL
Securely randomly generated URL based on a token string to stream/download the access copy
Created only after approval by Avalon administrators
No Avalon administrator role needed to access and use it
Set allow_download permission
Set can_stream permission
Expires after 14 days via cronjob
AccessToken database columns: ID, media object ID, token string, allow_streaming?, allow_download?, revoked?, description, created_by, expired?
Token string acts as a virtual group to provide access to an item
Custom “Playback Restricted” message in video page
“Request from Special collections” button
New “+ create a new token” under access control on the item edit page
Clicking to create a new token allows admins to set something for streaming only, download only or both.
Provides a URL to be given to the patron, admins can edit and revoke
Staff users can see all Access Tokens in an Access Tokens listing page
Workflow
Administrators can create Token Embedded Access URLs
Benefit 1: Provide Access to Restricted items
End users can view items under access control
Benefit 2: Download the access copy
End users can download public or restricted items
Benefit 3:
Admins can provide the access copy instantly to end users
Preservation copies only as needed
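The token-based access URL described above, as an added Ruby example that is not Avalon’s or UMD’s code: a constructed AccessToken record with the columns listed in the notes, a CSPRNG-generated token string, the 14-day expiry and revocation check, and a constant-time token comparison. Class and method names and the field layout are assumptions.

```ruby
require 'securerandom'

# Constructed stand-in for the AccessToken record (assumed names, not Avalon code).
# Fields mirror the columns in the notes: media object ID, token string,
# allow_streaming, allow_download, revoked, description, created_by, expiry.
class AccessToken
  LIFETIME_DAYS = 14   # the notes' cronjob expires tokens after 14 days

  attr_reader :media_object_id, :token, :allow_streaming, :allow_download,
              :description, :created_by, :expires_at
  attr_accessor :revoked

  def initialize(media_object_id:, created_by:, allow_streaming: true,
                 allow_download: false, description: '', now: Time.now)
    @media_object_id = media_object_id
    # 32 bytes from the OS CSPRNG, URL-safe: the token is the only secret in the link.
    @token = SecureRandom.urlsafe_base64(32)
    @allow_streaming = allow_streaming
    @allow_download = allow_download
    @description = description
    @created_by = created_by
    @expires_at = now + LIFETIME_DAYS * 86_400
    @revoked = false
  end

  def expired?(now = Time.now)
    now >= @expires_at
  end

  # A revoked or expired token is inert even if the URL is still circulating.
  def active?(now = Time.now)
    !@revoked && !expired?(now)
  end

  # The token acts as a virtual group: "membership" is presenting a matching token
  # for this media object, and the per-token flags decide stream vs. download.
  def grants?(presented, media_object_id, action, now = Time.now)
    return false unless active?(now) && media_object_id == @media_object_id
    return false unless presented.bytesize == @token.bytesize && secure_compare(presented, @token)
    case action
    when :stream then @allow_streaming
    when :download then @allow_download
    else false
    end
  end

  private

  # Constant-time comparison: the result does not depend on how many leading bytes match.
  def secure_compare(a, b)
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```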
Custom Features Developed at UMD
Add “Request from Special Collection” link
File Retrieval and Request Fulfillment
Avalon Single-Sign-On with Grouper Integration
Filter by Access Control
IP Based Access Control Improvements
Add Matomo web tracker to Avalon
Avalon OAI-PMH Implementation
For original files, the administrator will need to go through AWS to locate the original, get the copy and hand it off to staff users
Design should allow the download of all files associated with the original item
This was implemented in 2022, took about 2 months of development work
Matomo web tracker - Kee-Young less familiar, could get someone else from UMD
How many people are creating these tokens?
10-20 people managing these requests
When requests come, they go to ticket and handle it by request
Single moderator for requests—less than 5 people who can create tokens for any requests
Authentication and account management flow
IU integration workflow (Chris Colvard)
IU’s auth: we had been using CAS, but then moved to SAML
SAML used for most users, for students, faculty and staff, guest accounts too
Guest accounts live in a separate database
Avalon uses a gem called ‘devise' for the login interface
To allow it to be flexible for different back ends, it uses a gem called omniauth
We have code in Avalon that customizes omniauth for cases we need
Lots of plugins and individual libraries implementing specific auth schemes with omniauth
At IU we use omniauth-saml
Using Okta documentation page as an example (Adding Okta Authentication )
Config initializer file needed - gets login information, looks up users, figures out what to get back from the auth system, sends that back to Avalon
Mapping of specific information the auth system sends back happens there
For SAML auth at IU, there’s the normal students faculty staff case, and then the guest user case
If it’s a guest user, we pull out a slightly different bit of information, look up the user in a different database before passing back to Avalon
It’s possible to set up multiple auth backends in Avalon
This information shows as “Provider” in Avalon’s Manage Users page
Only in certain cases can the user information be edited in Manage Users
Manage Users also allows for the ‘become’ function to view the site as a particular user account
For SSO, it will automatically create a user account within Avalon
You could delete a user in Avalon, and when they log in it would recreate their account
When IU switched from CAS to SAML, the authentication system provided by central IT, there was a lot of back and forth working with them to make sure everything was configured correctly
Certificates were important; SAML uses certificates much like SSL
Tracking requests being made in Avalon helped debug this, because there are many hops when the app needs to go out to one or more separate auth pages then back to the app
Questions? What are you using?
Jason: is this username or email based?
Yes, generally it’s username or email based
Same for the LTI case
At NEC it’s managed by the library consortium, via a proxy server that is username-based
They also do barcodes for user account identification
They have to be actively involved in making an account, with barcode, and setting item access when there’s an external request
What are the advantages of authentication by username primarily?
At IU we use ADS, which has many points of data
We do use Active Directory service for connecting through LDAP to get user groups that they belong to
Users have lots of directory groups that we keep track of for access
Social logins are possible for guest accounts, but we haven’t implemented this
Kee-Young:
At UMD they have SSO with Avalon, with SAML
“By-invitation” account creation
They don’t let anyone not associated with UMD to create an Avalon account
Users need a umd.edu email
Do other institutions allow users to create public Avalon accounts?
How do you control restricted items?
What challenges are other institutions facing?
UMD: Currently can’t delete users who have created an account via SAML. Can you delete SAML user accounts?
Accounts could be deleted from Manage Users page
UMD can delete accounts created from Grouper, but not the SAML users; they can’t be deleted by clicking the “Delete” button
This behavior could be a bug; you should be able to delete users from the Manage Users page that have been created from different back ends
[ ] Jon will create a ticket to look into this
Having an audit tool would be handy: when did the user last log in? Can we expire or remove users in bulk via some other way?
Process to upgrade from 7.3 or 7.4 to 7.7
This was a question from UMD, but may be of broad interest
UMD will be updating to 7.7.2, in the middle of the migration process from old Fedora to Fedora 4
Planning on updating in September; no specific question to ask yet
Major issue: will all of the major customizations be able to carry over?
UMD is currently at 7.4
Button on item view page will need to be implemented slightly differently
Item view page is redone in 7.7 and so some templating/display things might be different
Avalon team can help provide a pattern when doing upgrades and retaining custom features and functionality
Is it required to step through each release?
Answer is: yes and no
It would be best to go through the upgrade instructions for each version
Includes info on config changes, database migrations etc.
For the customizations, you could go through upgrade steps and when you get to Avalon 7.7, then bring in customizations after that
There’s generally not too much on the steps for upgrading
Avalon team could give advice on specific configurations
Items from other institutions
Future agenda items?
Any other questions about upgrade process (June)
Demo of LTI integration with course management system (June)
Potential conversation around upgrade process for institutions that have been using Avalon for a while (how to handle code customizations, etc.)
Bulk metadata editing discussion - what are the needs for this in Avalon? Are there tools in the community that could be re-used to help?
Summary of survey responses
Attendees
Jason Coleman
John M.
Kee-Young Moon
Chris Colvard
Jon Cameron
David P. Steelman