Group items tagged authentification


Christophe ICD

Thoughts on publishers and where the challenge comes… @ eLibrary

"It is interesting that Summon is built using an open-source product architecture - and ditching the need for a federated search back-end is quite a radical step forward into the cloud. I'm wondering if this is related to their different approach to authentication: both Summon and Metalib seem to be 'authentication agnostic' and could work with a variety of authentication systems: but ExLibris seems to prefer the 'up-front' password challenge as opposed to Serials Solutions who give you it the other way round: metadata first and only authenticate later. Is it harder to integrate authentication, as opposed to searching for content, into an institutional login this way round? I don't yet know as I think it depends what choices we make on identity management. Personally I'm drawn to the 'up-front' approach - even though the simplicity of what Serials Solutions are doing is very attractive, I prefer my password challenges at the beginning - rather than at the end of the process. What about others?"

Christophe ICD

Authentication | Summon API

"Summon Search API uses an authentication scheme based on secret key verification via an HMAC-SHA1 digest. The API performs both authentication and authorization via the same HTTP Authorization header. Creating an Authorization header for an API request requires an access ID, a paired secret key, a client key, and access to certain elements of the HTTP request being authenticated. To create the Authorization header, specific request elements must be assembled into a string that uniquely identifies the request. This ID string is then turned into a digest using the HMAC-SHA1 algorithm as defined in RFC 2104. The digest is then Base64-encoded according to RFC 2045, and assembled into a header along with the access ID. When the API server receives a request, the first thing it does is check the x-summon-date header to make sure it is within a reasonable margin of the server time. If the header time is not within one hour of the server time then authentication fails immediately. If the request timestamp is acceptable, then the server goes on to check that Summon authentication is being used in the Authorization header. If Summon authentication is being used, the server extracts the access ID, client key and encoded authentication digest from the Authorization header, and looks up the paired secret key using the access ID. Finally the server performs the same algorithm described in the previous paragraph to produce a test digest, and compares the test digest against the digest provided in the Authorization header. If the two digests are identical, the request is authenticated."
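The excerpt above describes a request-signing scheme in enough detail to model both halves of it: the client builds a canonical string from request elements, computes an HMAC-SHA1 over it with the secret key, Base64-encodes the result and ships it with the access ID and client key; the server checks the x-summon-date timestamp against a one-hour window first, then confirms the Summon scheme, looks up the secret key by access ID, recomputes the digest and compares. The following Python is an added illustration written for this page, not Summon's own code or client library. The excerpt does not say which request elements go into the string to sign or how the Authorization value is laid out, so the canonical-string layout, the `Summon <access id>;<client key>;<digest>` header shape, and all credentials and request values are constructed assumptions for the example. Compared with the plain "identical" comparison the excerpt mentions, the verifier uses a constant-time comparison, which is the defensive default for comparing MACs.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed sample credentials for this example; not real Summon credentials.
SECRET_KEYS = {"demo-access-id": b"demo-secret-key-constructed"}
CLIENT_KEY = "demo-client-key"
MAX_CLOCK_SKEW = timedelta(hours=1)  # the excerpt: header time must be within one hour of server time


def canonical_string(method, path, query, date_header, client_key):
    # Assumed layout. The excerpt only says that specific request elements are
    # assembled into a string that uniquely identifies the request; which
    # elements, and in what order, is an assumption made for this example.
    return "\n".join([method.upper(), path, query, date_header, client_key]) + "\n"


def compute_digest(secret_key, canonical):
    # HMAC-SHA1 (RFC 2104) over the canonical string, then Base64 (RFC 2045).
    mac = hmac.new(secret_key, canonical.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def build_headers(access_id, secret_key, client_key, method, path, query, sent_at):
    # Client side: x-summon-date plus an Authorization header carrying the
    # access ID, client key and digest. The 'Summon <id>;<client key>;<digest>'
    # shape is assumed for illustration, not taken from Summon documentation.
    date_header = format_datetime(sent_at, usegmt=True)
    canonical = canonical_string(method, path, query, date_header, client_key)
    digest = compute_digest(secret_key, canonical)
    return {
        "x-summon-date": date_header,
        "Authorization": f"Summon {access_id};{client_key};{digest}",
    }


def verify_request(headers, method, path, query, now, secret_keys=SECRET_KEYS):
    # Server side, in the order the excerpt describes: timestamp window first,
    # then scheme check, then key lookup, then digest comparison.
    # Returns (ok, reason).
    date_header = headers.get("x-summon-date")
    if date_header is None:
        return False, "missing x-summon-date"
    try:
        sent_at = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):
        return False, "unparseable x-summon-date"
    if sent_at.tzinfo is None:
        sent_at = sent_at.replace(tzinfo=timezone.utc)
    if abs(now - sent_at) > MAX_CLOCK_SKEW:
        return False, "timestamp outside the one-hour window"

    scheme, _, rest = headers.get("Authorization", "").partition(" ")
    if scheme != "Summon":
        return False, "not Summon authentication"
    parts = rest.split(";")
    if len(parts) != 3:
        return False, "malformed Authorization header"
    access_id, client_key, provided_digest = parts

    secret_key = secret_keys.get(access_id)
    if secret_key is None:
        return False, "unknown access ID"

    expected = compute_digest(
        secret_key, canonical_string(method, path, query, date_header, client_key)
    )
    # Constant-time comparison so the check does not leak how many leading
    # characters of the digest matched.
    if not hmac.compare_digest(expected, provided_digest):
        return False, "digest mismatch"
    return True, "authenticated"


def run_demo():
    # Constructed request and a fixed "server clock" so the results are reproducible.
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    method, path, query = "GET", "/search", "q=authentication"
    secret = SECRET_KEYS["demo-access-id"]

    good = build_headers("demo-access-id", secret, CLIENT_KEY, method, path, query, now)
    stale = build_headers("demo-access-id", secret, CLIENT_KEY, method, path, query,
                          now - timedelta(hours=2))
    unknown = build_headers("nobody", b"some-other-key", CLIENT_KEY, method, path, query, now)
    return {
        "valid": verify_request(good, method, path, query, now),
        "tampered_path": verify_request(good, method, "/other", query, now),
        "stale": verify_request(stale, method, path, query, now),
        "unknown_id": verify_request(unknown, method, path, query, now),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:14s} -> {outcome}")
```

The ordering matters for a defender: rejecting requests whose x-summon-date is outside the window before touching any key material keeps replayed or badly clock-skewed requests cheap to refuse, and binding the date header into the signed string means an attacker cannot simply refresh the timestamp on a captured request without also needing the secret key.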