SAML-Based Authentication for Staff
Sierra supports SAML-based authentication to allow users to sign in to staff applications using an external SAML identity provider (IdP). You can use the same IdP used for SAML-based authentication for patrons or configure a different IdP for staff users. If your IdP supports it, you can also implement Multi-Factor Authentication (MFA) as part of the SAML authentication workflow.
SAML-based authentication for staff is available in the following applications:
Sierra 6.0 and later
- Sierra Web
- Administration Application
Sierra 6.1 and later
- Sierra Desktop Application (SDA)
- Web Management Reports
When you enable SAML-based authentication for staff, it appears in all staff applications available for that release. For example, if you enable it in Sierra 6.1, it works in all four staff applications listed above. You cannot enable it for just one staff application.
For more information on SAML-based authentication for staff, see the following:
How SAML-Based Authentication for Staff Works
This section shows SAML-based authentication for staff in Sierra Web, but the process is the same in all staff applications except for the Sierra Desktop Application. See Logging In to the Sierra Desktop for more information on using SAML with the Sierra Desktop Application.
Sierra acts as a standard SAML Service Provider (SP) like other services found in organizations (for example, a campus' email system). As an SP, Sierra redirects staff to the external IdP run by your organization to enter their credentials and accepts those users on their return as authenticated if the external IdP recognizes their credentials. Sierra uses the SSO ID element of the user's login as a match point. During the authentication process, Sierra compares the attribute returned by the IdP against this element to allow access.
When SAML-based authentication for staff is enabled, staff applications offer a login page with links to authenticate using an external IdP service or Sierra's native authentication. For example:
When a staff user selects the external IdP link ("Login with SAML" in the screenshot above), Sierra redirects them to the external IdP's login page. When a staff user selects the native authentication link ("Staff Library Login" in the screenshot above), Sierra expands the display to show the login prompts to authenticate against the user account. For example: