Enable Folio single sign-on (NTLM)

Learn how to enable Folio single sign-on for OLIB.

Please note that Folio NTLM Authentication only works if you're using IIS as your web server; it will not work with Apache. To use single sign-on with a Windows domain service where Folio is deployed on a different web server, you can use the local credential capture option to set a cookie. More information on this is given below.

Additionally, this is not available for our Hosted Customers as it requires the Folio server to be attached to your Windows Domain. Such customers can use the local credential capture feature, but must supply OCLC with a suitable security certificate and DNS entries in order to ensure that their Folio is presented under their own domain, not OCLC's.

1. Populate identifier

You must ensure that you've populated one of the identifier fields on the user records in OLIB with the Domain User Names that will be returned by IIS in the REMOTE_USER variable. If you do not do this, your users won't be able to log in after you carry out steps 2) and 3).

The identifier fields that can be used are:

  • Barcode
  • Seccode
  • Alt. Barcode
  • Identification

If none of these identifier fields on your user records contains the matching value for REMOTE_USER (i.e. Domain Username), you will first need to populate one of these fields with the Domain Usernames before carrying out steps 2) and 3).

One way of doing this is via a user import, by following the User Import documentation.

For example, if you intend to populate the Identification field with the Domain Usernames, and are matching on the Barcode field, then the user import file may look like this:

     MATCH BARCODE
     BAR 6438
     UIDENT MYDOMAIN\USER6438
     *
     BAR 9349
     UIDENT MYDOMAIN\USER9349
     *

Note: depending on your setup, IIS may return the REMOTE_USER variable in the combined form DOMAIN\USER, so you must bear this in mind when populating the field. Additionally, the identifier field you populate must match the Domain Username exactly.
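
As an added example (not part of the OCLC documentation or of OLIB), the Python script below builds an import file in the layout shown above from a constructed barcode-to-account list. The CSV column names, the MYDOMAIN value and the function names are assumptions. It writes every identifier in one form and skips rows that carry a different domain or reuse an account already assigned to another barcode.

```python
import csv
import io

# Constructed sample export: barcode plus Windows account name (not real data).
SAMPLE_CSV = """barcode,account
6438,MYDOMAIN\\USER6438
9349,user9349
7120,OTHERDOM\\USER7120
8001,mydomain\\user6438
"""


def to_remote_user(account, domain, with_domain=True):
    """Return the account in the one form IIS is expected to pass as REMOTE_USER."""
    prefix, sep, user = account.strip().rpartition("\\")
    if sep and prefix.upper() != domain.upper():
        raise ValueError(f"unexpected domain {prefix!r}")
    if not user or any(c.isspace() for c in user):
        raise ValueError("empty or malformed user name")
    return f"{domain}\\{user}" if with_domain else user


def build_import(csv_text, domain, with_domain=True):
    """Build a MATCH BARCODE import file; return (file_text, skipped_rows)."""
    lines, skipped, seen = ["MATCH BARCODE"], [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        barcode = row["barcode"].strip()
        try:
            ident = to_remote_user(row["account"], domain, with_domain)
        except ValueError as exc:
            skipped.append((barcode, str(exc)))
            continue
        # Windows account names are case-insensitive, so compare folded.
        key = ident.upper()
        if key in seen:
            skipped.append((barcode, f"account already assigned to {seen[key]}"))
            continue
        seen[key] = barcode
        lines += [f"BAR {barcode}", f"UIDENT {ident}", "*"]
    return "\n".join(lines) + "\n", skipped


if __name__ == "__main__":
    text, skipped = build_import(SAMPLE_CSV, "MYDOMAIN")
    print(text)
    for barcode, reason in skipped:
        print(f"skipped {barcode}: {reason}")
```

Pass with_domain=False if your IIS returns REMOTE_USER without the domain prefix.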

2. Enable Integrated Windows Authentication on IIS

You need to enable "Integrated Windows Authentication" for the Folio cgi-bin virtual directory. The instructions for doing this differ depending on the version of IIS you're using.

For Windows 2003 (IIS 6) please refer to the following page:
https://www.microsoft.com/en-us/download/details.aspx?id=5135

For Windows 2008 (IIS 7.5), please refer to the following page:
http://technet.microsoft.com/en-gb/l...=ws.10%29.aspx

The process for more recent IIS versions will vary.

Once you've done this, any page requested in this secured directory will now perform NTLM authentication and will pass the username on to Folio in the server environment variable REMOTE_USER.

Users who are already authenticated on the domain, and whose browsers pass this authentication through, won't be prompted for a domain username and password; they will be logged in automatically with the credentials they used to log on to their machine. Where the browser does not do this, it will prompt users for their domain username and password. This prompt is browser-specific and cannot be configured.

3. Reconfigure Folio to use NTLM or Local Credential Capture

You must use OLIB Web to reconfigure Folio to use NTLM as the authentication method.

This can be done by logging in with System Admin privileges, then going to System Administration > OPAC Defaults.

In the SSO Parameters on this screen, configure the following settings:

| Field | NTLM Authentication | Local Credential Capture |
|---|---|---|
| Credential Capture Type | NTLM | Local |
| Redirect URL (Login) | <blank> | Your local page which carries out the authentication and sets the cookie |
| Authentication Type | OLIB | OLIB |
| Authentication Token Name | REMOTE_USER | <the name of the cookie set by the local page which provides the login identifier> |
| Match Field in OLIB | Select that identifier field that contains the value of REMOTE_USER (i.e. Domain Username) | Select that identifier field that contains the value of the above cookie |
| LDAP Server | <blank> | <blank> |
| Redirect URL (Logout) | <blank> | Your local page which clears the value of the cookie |

Once you've done this, you should test that it works by logging on to a PC as a valid Domain User, then navigating to Folio and attempting to view your account details to confirm you're logged in. If this does not work, perform a User search in OLIB Web against the identifier field you selected as the "Match Field in OLIB" to make sure your domain username has been registered against your OLIB user record.

Again, please note that depending on your setup IIS may return the REMOTE_USER variable as a combination of DOMAIN\USER. So you may need to experiment by editing your user record in OLIB (e.g. adding or removing the domain prefix). Following this, check again whether you're logged into Folio by closing the browser window, re-opening it and navigating to the Folio Account Details screen.