SAML-Based Authentication for Staff

Sierra supports SAML-based authentication to allow users to sign in to staff applications using an external SAML identity provider (IdP). You can use the same IdP used for SAML-based authentication for patrons or configure a different IdP for staff users. If your IdP supports it, you can also implement Multi-Factor Authentication (MFA) as part of the SAML authentication workflow.

SAML-based authentication for staff is available in the following applications:

Sierra 6.0 and later

• Sierra Web
• Administration Application

Sierra 6.1 and later

• Sierra Desktop Application (SDA)
• Web Management Reports

For more information on SAML-based authentication for staff, see the following:

• How SAML-Based Authentication for Staff Works
• Configuring SAML Authentication

How SAML-Based Authentication for Staff Works

Sierra acts as a standard SAML Service Provider (SP) like other services found in organizations (for example, a campus' email system). As an SP, Sierra redirects staff to the external IdP run by your organization to enter their credentials and accepts those users on their return as authenticated if the external IdP recognizes their credentials. Sierra uses the SSO ID element of the user's login as a match point. During the authentication process, Sierra compares the attribute returned by the IdP against this element to allow access.

When SAML-based authentication for staff is enabled, staff applications offer a login page with links to authenticate using an external IdP service or Sierra's native authentication. For example:

When a staff user selects the external IdP link ("Login with SAML" in the screenshot above), Sierra redirects them to the external IdP's login page. When a staff user selects the native authentication link ("Staff Library Login" in the screenshot above), Sierra expands the display to show the login prompts to authenticate against the user account. For example: