Authentication with Shibboleth or using EZProxy

Recently we have a journal wanting to have Shibboleth authentication for a journal , while other existing journals use IP ranges+logins.

My understanding is that is it possible to authenticate a journal using Shibboleth or using EZproxy without installing a new OJS instance.

If using Shibboleth, I can have the OJS Shibboleth plug-in enabled for the journal.
If using EZproxy, I can connect that journal via EZproxy without passing through OJS authentication.

are my assumptions correct?

Any suggestions /comments are welcome.

Thanks much

Shibboleth authentication for OJS is actually configured in

This assumes that you have already enabled and configured mod_shib in Apache, or enabled the Shibboleth filter in IIS.

EZProxy wouldn’t really give you a good authentication model, but it could be used as an authorization model, if needed. The difference is authentication would map to an OJS user for reader/reviewer/editorial interaction, whereas authorization would map to an OJS subscription if your articles are paywalled.

Hi all,

Note that the approach might be quite different depending on what you want to accomplish. There are two problems you might want to solve:

  • Using institutional accounts e.g. for authors, editors, etc. This would require the built-in Shibboleth authentication system that @ctgraham has suggested.
  • Using an external resource for subscription checking, e.g. Shibboleth or EZProxy.

Can you clarify which you’re interested in?

Alec Smecher
Public Knowledge Project Team

Thanks much for your suggestion.

If the configuration is with, this will have a global impact to other journals as well. So using this method, I have to install a new OJS instance?

Hi, Alec,

My goal is NOT to install a new OJS instance while providing a shibboleth authentication using my institution login (we called NETID)

I believe that either (1) using institutional accounts with its built-in shibboleth authentication system or (2) using an external resource can do this. If my assumption is correct, I will choose one of the two solutions.

You should be able to do this in a single install with the built-in Implicit Auth. As of 2.4.8, there is a new configuration value for the implicit_auth setting, “Optional” which allows you to use Shibboleth authentication and traditional local authentication in tandem.

I am aiming toward implementing this locally here at Pitt. We’ve done some initial testing to confirm viability. I anticipate needing to change the usernames of our Shib users to scoped usernames, which will mean needing to relax the current username requirements which prohibit the @ sign. You may or may not want to consider that a requirement.