We will work with you to ensure that only authorized users can access your Kanopy platform.
We can authenticate public library patrons through SIP/SIP2, Patron API, or SirsiDynix REST Web Services. If these authentication methods aren't available, we can use EZproxy or barcode pattern authentication, but these methods have noteworthy limitations.
Database-driven patron authentication via SIP or Patron API is preferred for several reasons:
- Increased security: Authentication using your patron database provides the strongest security for your Kanopy service.
- Block rules: Database-driven authentication allows us to set restrictions on any card attributes you want to use as a basis for blocking access to Kanopy (e.g., cards that are expired or have excessive fines). By contrast, barcode authentication and EZproxy don't allow us to set these blocks because they do not involve communicating with your patron database.
Whatever authentication protocol you use will apply to all Kanopy links. This includes individual film links, links shared on social media, and embedded media links. Patrons will always need to authenticate in order to play films through your Kanopy service.
If you have any questions about authentication methods, please contact us.
Completing the authentication form
When setting up patron authentication for your new Kanopy platform, we'll provide a "Library Tech Details" form for you to complete. The form will ask for all the information needed to verify your patrons as valid library card holders.
If possible, please work with your library's IT team to ensure the information you provide is as complete and accurate as possible.
If you need help with the form, please reach out to your account representative.
Updating the authentication form
If you have updates to your authentication for an existing Kanopy platform, please reach out to us and we'll send you a new authentication form to complete.
Allow-listing our IP addresses
Kanopy needs to be allowed to exchange calls with and receive patron data from your database to verify your card holders. This means traffic from Kanopy's IP addresses must be allowed through your firewall.
Before sending in your authentication form, please have your IT team or authentication system vendor allow-list the following IP addresses:
Please ensure that these IP addresses are allow-listed on both your general firewall and the particular authentication service that you use (SIP or Patron API), if needed.
Providing test cards
To test our connection, we'll need at least one test card for your library. You can add this card to the appropriate section of the "Library Tech Details" form. The card you provide must not be blocked or expired.
Even if your authentication doesn't require a PIN, please add a PIN to this part of the form, as we may need it for testing purposes.
Providing authentication details
If you'll be using SIP or Patron API authentication, please provide a domain URL host in addition to an IP address. We can connect to your host using an IP address, but a URL is preferred because it's less subject to change.
Some aspects of your SIP or Patron API setup might require us to collaborate with your system's vendor. We ask that you provide your authentication provider and product to help us work with them to format or troubleshoot our calls to your server, if needed.
If we're connecting to your patron database, we can restrict Kanopy access for patrons who meet certain conditions. To do so, we'll need the following information:
- A test card (with a PIN) that matches the criteria that you would like to be blocked. If we're adding multiple blocks, please send a test card for each. In other words, block rules test cards should fail to meet your criteria for access to Kanopy.
- A test card (with a PIN) that should not be blocked.
- An indicator of how your library signifies the information to be blocked. Here are a few examples:
- If you'd like us to block cards with fines exceeding $20, please let us know what field signifies this (e.g., cards where “BV” is greater than or equal to “20”).
- If you'd like us to block all cards with a different home library, this might be cards where “HOMELIBR” does not equal “MYLIBRARY,” or cards where “PTYPE” is not “1, 2, or 3." We're also able to limit by prefix, if this is how your ILS provider designates libraries connected to the same server.
Barcode pattern authentication
When a database server connection is not available, we may be able to verify your patrons by checking that their library card matches the correct pattern for your library.
Because barcode pattern authentication doesn't verify individual cards against a database, it's less secure than other authentication methods. We also can't set block rules on cards when using barcode pattern authentication.
We can only enable this for one barcode pattern, so it's only an option if all of your library cards follow the same pattern. For example, all cards might contain the same prefix and number of digits (e.g., 14-digit cards beginning with 54321) or end with the same suffix.