When setting up your institution's Kanopy website, we must ensure that access is allowed only to your approved users.
For public libraries, we can establish security by ensuring authentication through SIP/SIP2, Patron API, or SirsiDynix REST Web Services. In the rare circumstances where these authentication methods are not available, we can also utilize EZproxy and barcode pattern authentication. API-based authentication is preferred over these methods for a number of reasons:
- Increased security: With the ability to check your library API in the background, we can more regularly run checks on users to ensure that access to your website is secure.
- Block Rules: API authentication allows us to set restrictions on any card types that you might want to block from accessing Kanopy (e.g. cards with excessive fines, or expired cards). Barcode authentication and EZproxy, by contrast, do not allow us to set these blocks. More information on block rules can be found below.
It is important to note that whatever authentication protocol you use will always work on all links, including individual film links, links that are shared on social media, embedded or otherwise.
If you have updated authentication details for an existing Kanopy platform, please reach out to us at email@example.com and we will send a new form to add these details.
How to Fill out your Authentication Form
When setting up patron authentication for your new platform, or sending us updated authentication for an active account, Kanopy will provide you with an "Authentication Form" for you to complete with your system's details. The form will ask you for all of the information we need to verify your patrons as valid library card holders.
Whenever possible, please work with your library's IT team to complete this form; doing so will ensure that the information we have is as complete and accurate as possible.
Whitelisting our IPs
When Kanopy is communicating with a server to verify your cardholders, we first need to be allowed to exchange calls and receive the patron data we need to confirm that the cards are valid. This means that traffic from Kanopy’s IPs must be allowed through your firewall before we can verify a successful connection.
Before sending in your authentication form, please have your IT contact or ILS vendor whitelist the following IP addresses:
Please ensure that these IPs are whitelisted not just on your general firewall, but also for the particular authentication service that you use, if need be.
In order to test a working connection, we will need at least one test card for your library, which you can add to the appropriate section of the authentication form.
Even if your authentication does not require PINs, please add the PIN to this part of the form, as PINs may be required for testing. Test cards must also be in good standing (i.e. not expired, blocked, etc.) in order for us to test our connection.
Providing Authentication Details
If we will be validating your patrons using Patron API or SIP2 (our most common and preferred methods), please provide a domain URL host in addition to the IP address. We can connect to your host using an IP address, but a URL is preferred because it is not subject to change.
Some aspects of your Patron API or SIP are likely out of your control and will require collaboration with your system's vendor. Letting us know your ILS Provider and Product will help us with troubleshooting and/or formatting our calls to your server.
If you would like to restrict access to a certain patron type, or to patrons who meet certain conditions, we will need the following information:
- A test card (with a PIN) that matches the criteria that you would like to be blocked.
- An indicator of how your library signifies the information to be blocked. For example, if you would like us to block cards with fines exceeding $20, please let us know what field signifies this, i.e. cards where the field “BV” is greater than or equal to “20”.
- If you would like us to block all cards of a different home library, this could be cards where “HOMELIBR” does not equal “MYLIBRARY”, or cards where “PTYPE” is outside of “1, 2 or 3”. We are also able to limit by prefix, if this is how your ILS provider designates libraries connected to the same server.
Barcode Pattern Authentication
When a server connection is not available, we may be able to verify your patrons by checking that their library card follows the correct pattern for your library. Because this does not involve connecting with an ILS that verifies whether an individual card is valid or not, barcode pattern authentication does not present the same level of security.
So, without the ability to run checks on individual users' accounts, Kanopy cannot run checks on library cards to ensure the security of access to your website, nor access the information needed to set block rules (i.e. block expired cards or cards with excessive fines).
Barcode Pattern Authentication is only an option if all of your library cards follow the same pattern. For example, all cards might contain the same prefix and number of digits (i.e. 14 digit cards beginning with 54321), or end with the same suffix.
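The difference between the block rules described earlier and a pattern-only check can be seen side by side in the following added example, which is not Kanopy's code. It assumes patron records arrive as simple field/value pairs; the field names BV, HOMELIBR and PTYPE and the 54321 pattern are the page's own examples, while the records, barcodes and function names are constructed for illustration.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed pattern from the page's example: 14 digits beginning with 54321.
BARCODE_PATTERN = re.compile(r"54321[0-9]{9}")
# Block-rule values taken from the page's examples.
MAX_FINES = Decimal("20")
HOME_LIBRARY = "MYLIBRARY"
ALLOWED_PTYPES = {"1", "2", "3"}

# Constructed patron records, keyed by barcode, standing in for ILS responses.
SAMPLE_ILS = {
    "54321000000001": {"BV": "0.00", "HOMELIBR": "MYLIBRARY", "PTYPE": "1"},
    "54321000000002": {"BV": "35.50", "HOMELIBR": "MYLIBRARY", "PTYPE": "2"},
    "54321000000003": {"BV": "0.00", "HOMELIBR": "OTHERLIB", "PTYPE": "7"},
}

def barcode_pattern_ok(barcode):
    """Pattern-only check: knows nothing about the account behind the card."""
    return BARCODE_PATTERN.fullmatch(barcode) is not None

def block_reasons(record):
    """Return the block rules a patron record trips (empty list = allowed)."""
    reasons = []
    try:
        fines = Decimal(record.get("BV") or "0")
    except InvalidOperation:
        reasons.append("BV unreadable")  # fail closed on malformed data
    else:
        if fines >= MAX_FINES:
            reasons.append("BV >= 20")
    if record.get("HOMELIBR") != HOME_LIBRARY:
        reasons.append("HOMELIBR != MYLIBRARY")
    if record.get("PTYPE") not in ALLOWED_PTYPES:
        reasons.append("PTYPE not in 1, 2, 3")
    return reasons

def compare(barcode):
    """Return (pattern result, API result); cards unknown to the ILS fail the API check."""
    record = SAMPLE_ILS.get(barcode)
    api_ok = record is not None and not block_reasons(record)
    return barcode_pattern_ok(barcode), api_ok
```

Calling compare("54321999999999") returns (True, False): the number fits the pattern, so a pattern-only check admits it, even though no such card exists in the sample records.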
If you have any questions about authentication methods, please contact us at firstname.lastname@example.org.