Library site CAS SSO decommisioning

[kenoir]

Things we need to understand:

• What will the "login" button on wellcomelibrary.org point at?
• What does the user registration flow look like without CAS SSO.
• Will DLCS/DDS authenticated items be affected?
• Will existing services be affected during any change to remove CAS SSO and for how long (determine with III).
• Will UV 'bookmark' functionality need to be deprecated or shut off in UV config?
• Will social login for digitised content be affected?
• If so, can we provide registered users with a list of their bookmarked items?
• What UI changes need to be made to: - https://account.wellcome.ac.uk/manage/ - https://account.wellcome.ac.uk/manage/register?service=https://wellcomelibrary.org/ - https://account.wellcome.ac.uk/manage/link - https://account.wellcome.ac.uk/manage/view
  • https://catalogue.wellcomelibrary.org/patroninfo/{id}/ (if bookmarks removed)
  • https://wellcomelibrary.org/account/
• Which of the above will no longer be required?

Things we need to do:

• Ensure the search on wellcomelibrary.org takes you to https://search.wellcomelibrary.org/
• Ensure domain name changes & server updates happen together
• Ensure restricted/closed content in UV can still be accessed with library card
• Ensure sign-up link on (https://wellcomelibrary.org/using-the-library/joining-the-library/) doesn't take you to account.wc.

Things we need to communicate:

• All registered users who have saved digitised items in UV, to inform that service will no longer be available, and to offer opportunity to get a list of their saved items. (If necessary at this stage)
• On website with alert, to inform people who have saved digitised items in UV. Create new content page to explain change and privacy benefits.
• Library staff: explain reason for change; highlight any new UI or processes

[louisesimon]

All,

I've scheduled the DNS change with Platform Tech for fortnight beginning 4th May (sprint 12). Exact date to be confirmed.

[louisesimon]

So Platform Tech have changed their sprint dates. We now plan to go live w/c 18 May.

I'm compiling a task list of remaining work before the go live day and actions to be completed on the go live day. Attached is my draft so far.
Task list and schedule.docx

A couple of qyestions please: @tomcrane Once you've made the changes to the UAT site, I presume you push these out to live on the day? Can you let me know your availability for w/c 18 May (I'm thinking Tues 19th if possible).

@jennpb I'm attaching the content changes we identified. Would you make these changes in advance and publish them on the go-live date? Website changes.docx

[jennpb]

@louisesimon I still don't have remote access to CM7, Mark Gee was supposed to be sorting me out with something. Given this is unlikely to happen, I'll have to coordinate with someone who can still access CM7 on the go-live date.

[jennpb]

Confirming my understanding of the process:

• Email will go out to users; ASAP afterward Tom will disable the Bookmarks function in the UV so we don't acquire additional users
• Some changes will be made to the pages that are hard-coded, in advance of moving over to the Sierra account - Tom and Jenn liaising on this
• On wellcomelibrary.org web pages that are content managed in CM7, changes will need to be made on the day (w/c 18 May) as there is no staging area for live, published content. Jenn will need to screenshare with someone who has CM7 access (if she doesn't) to guide them through the editing process.

[louisesimon]

• On wellcomelibrary.org web pages that are content managed in CM7, changes will need to be made on the day (w/c 18 May) as there is no staging area for live, published content. Jenn will need to screenshare with someone who has CM7 access (if she doesn't) to guide them through the editing process.

Thanks, Jenn. I'll update the task list. I understand your access to CM7 is being looked at right now.

[tomcrane]

Hi @louisesimon

Regarding "Can you let me know your availability for w/c 18 May (I'm thinking Tues 19th if possible)."

The changes to the library site can happen before the access control changes to Sierra. As we are anonymising the wl.org site, and removing one of its external dependencies rather than introducing anything new, I would even prefer that this is done sooner - it can be done as soon as everyone is happy with the behaviour of the site on UAT, rather than have it wait for actions by anyone else.

The fewer time-critical dependencies the better!

I am available all that week, should anything come up.

Tom

[louisesimon]

Hi Tom

So if you made the changes before the DNS changes etc, what would happen when you clicked on Login (or ‘My Library Account’ as it would be called then)? Whilst https://catalogue.wellcomelibrary.org is still pointing to the SSO server, presume you’d still go to SSO?

If you get a chance, could you also respond to my questions about Bookmarks in my email response from yesterday.

Thanks Louise

[louisesimon]

So if, as you propose, [the changes to the UAT site went live] before the DNS changes etc, what would happen when you clicked on Login (or ‘My Library Account’ as it would be called then)? Whilst https://catalogue.wellcomelibrary.org is still pointing to the SSO server, presume you’d still go to SSO?

HI @tomcrane Please could you respond to the above.

Thanks Louise

[tomcrane]

This is odd, I wrote a chunk of text about this was sure it was a comment here, on this issue. I'll see if I can work out where it went. Does anyone have it in an email notification?

Anyway, the gist of it was that you'll go to whatever page the target of the link uses for login. If we make it link to https://catalogue.wellcomelibrary.org/patroninfo/ then Sierra will (if you're not logged in) bounce you to SSO for now, and to its own login page after the changeover. The library end of it doesn't need to know when that happens.

[louisesimon]

Hi @tomcrane That's strange. No, I didn't receive an email notification on your missing comment.

I agree that it would be good to make the UAT changes live before the go live date (19th May), but this will remove the bookmark viewing function which we are giving users 3 weeks' notice on, so it would need to be as near as possible to the 19th May. Also can you confirm that, if you make live the UAT changes before the SSO switch day, the only difference the library user will see is that the Login button is now labelled 'My Library Account'? Also, my assumption that, Before the go live date, it will continue to direct to CAS SSO.

If it is live before the changes to the Webpac pages go live, the account page will still mention linking accounts (with social media accounts) which will no longer be possible. Depending on how near to go live we are, I may just leave the links in there, as the info will be removed as part of the webpac changes for go-live (Linking accounts is so little used).

All, here's a summary of where we're at regarding tasks that impact on Tom 1) Go live (ie switch from CAS SSO to Sierra login) will be week commencing 18 May. Hopefully Tues 19 May TBC.

2) Simon D (on behalf of Comms team) will send out the email to Bookmark users. He says today (24th) or Monday 27th. @tomcrane I'll confirm with you as soon as I know so that you can disable the function to make new bookmarks (the day after the email goes out as discussed).

3) @tomcrane - I'll schedule with you, making live the UAT change (ie anonymising the site and having the login relabelled to My Library Account). The nearer to the go-live day the better.

4) @tomcrane - the other tasks I had noted for you were: i) Remove access to existing bookmarks. This would need to be done at the end of the 3 week notice period (c18 May). ii) Change content of Bookmarks page (https://wellcomelibrary.org/account/)) to explain content and function no longer available etc (Editorial input required). To be done same time as i) above. It currently displays some place-holding text on UAT: https://library-uat.wellcomelibrary.org/account. @jennpb - presume the wording of this page is one for Danny B and the comms team?

4a) @tomcrane Please can you let me know when you plan to schedule the above changes to the UAT site so that the library team can test and accept. We can agree when it goes live (as discussed before the SSO removal go live day).

5) Comms team have agreed on the 3 month retention period for holding Bookmark URLs. At the end of that period the data will be deleted.

6) At a meeting wayback, you said that users with access to restricted content in the UV would still have access as you would keeping the SSO element for that purpose. Can you confirm that is still the case?

Let me know any questions about this.

Thanks Louise

[jennpb]

@louisesimon No, I can do the interface copy. Already been discussing it with Tom, I just have a few more detailed questions for him about the account page.

[louisesimon]

@jennpb Thanks. I'll update my task list

[louisesimon]

@tomcrane Simon has confirmed that he will be sending out the bookmark email tomorrow (28th). Will you be able to turn of the function to create new bookmarks the day after? Thanks

[tomcrane]

Hi @louisesimon - yes, I can disable that feature in the UV.

[louisesimon]

Hi @tomcrane With regard to my message above - https://github.com/wellcomecollection/platform/issues/4016#issuecomment-618861352 - please can you respond my question in para 2 (I've made it bold). Also, please can you respond to 4a and 6.

Thanks Louise

[tomcrane]

can you confirm that, if you make live the UAT changes before the SSO switch day, the only difference the library user will see is that the Login button is now labelled 'My Library Account'?

This button will just be a fixed link to the Sierra account page (second pic in https://github.com/wellcomecollection/platform/issues/4016#issuecomment-552664200)

They will no longer be able to see their bookmarks after this change too, of course - the wl.org site will now be anonymous. So I can defer making this change to allow for the three week window.

At a meeting wayback, you said that users with access to restricted content in the UV would still have access as you would keeping the SSO element for that purpose. Can you confirm that is still the case?

That was my suggestion, yes. However, after discussing this with @danielgrant recently, I am going to do a little spike to see whether I can just have the DDS authenticate against Sierra directly using Sierra APIs (pintest) for this one scenario - i.e., borrow the login screen front end code from SSO and have it presented by a page served by the DDS. Although this means a bit more development in the DDS, it means SSO is then completely retired, so no need to worry about account linking pages or trying to keep a complex app running for this one important but not-often-used scenario. The only scenario in which a user would be required to authenticate is for viewing clinical or restricted content, for which they need a full Sierra account (not a social login). This would mean SSO has no client services, and could be switched off. It also makes future transition of the DDS easier. Fewer spinning plates.

For this and 4a - I don't have a definite date to do this. I am going to have to fit it in somewhere over the next few days. I will get back to you soon on this.

[louisesimon]

THanks, @tomcrane . All understood. So let's defer making the UAT site live to allow for the bookmarks notice period.

I'm afraid that I'm going to have to delay turning off the create bookmark feature as Simon D still has some questions about registration processes and how they will operate in the post-SSO world (had meeting with him today). They are also registering users remotely at present (hadn't been communicated to me) so I need to formulate the process post-SSO.

I hope that this won't delay our existing go live date of 19th Nov as Simon says he is okay with having a shorter bookmark notice period.

The bottom line is that I will let you know @tomcrane when you need to turn off the create bookmark function.

Please continue with the UAT work with the assumption that we will go live on 19th May.

Thanks Louise

[louisesimon]

Hi @tomcrane

Just having a mental blip on an the account buttons post SSO. Can you confirm that the Logout button shown in Jenn's mockup atLhttps://github.com/wellcomecollection/platform/issues/4016#issuecomment-582867583 will indeed display?

If the site is anonymised and the 'My Library account' is effectively just a link to libsys login, will it still be able to generate the Logout button on the library pages?

Thanks Louise

[louisesimon]

Hi @kenoir

Do you know yet how users will authenticate on the Wellcome Collection website - requesting material from closed stack etc? Presume it would have to be via Sierra?

Checking in case staff ask at the briefings I have lined up.

Thanks LOuise

[tomcrane]

@louisesimon I should have been clearer there. It got lost in https://github.com/wellcomecollection/platform/issues/4016#issuecomment-598847734.

The logout button will not display, because the wl.org site will be anonymous. It doesn't know who you are or whether you are logged in over in Sierra.

Whatever appears in the top right will be the same all the time. Currently in the anonymous version this is the two links:

[ JOIN ] [ MY LIBRARY ACCOUNT ]

... which go to:

https://wellcomelibrary.org/using-the-library/joining-the-library/ and https://catalogue.wellcomelibrary.org/patroninfo/

That doesn't mean the user will always see the same thing when they follow the second link, though. This goes to the patron info page in Sierra. If they are already logged in over there, they'll get their user info page. If not, Sierra will put its own login screen in their way.

Obviously these links can be whatever we want them to be, but they can't adapt to the user's logged-in-ness over in Sierra.

[louisesimon]

Thanks, Tom. Understood. That's what I thought when I came back to look at this a second time.

[louisesimon]

Hi @tomcrane Comms sent out the message about Bookmarks yesterday so please can you turn off the function to create new bookmarks.

[louisesimon]

All

The DNS change (D&T) and configuration changes (III) will take place on morning of Tuesday 19th May.

@tomcrane @jennpb Please can we coordinate the UAT site going live and the text changes to the site. I know that you have been working together on the latter.

Thanks Louise

[louisesimon]

@tomcrane @jennpb - just nudging you about above comment re: coordinating UAT site and text changes going live. Please can we agree a plan. Thanks

[tomcrane]

Creation of new bookmarks now disabled in UV.

[jennpb]

Here's the updated plan:

On 19 May:

• @tomcrane will make template and text changes to wellcomelibrary.org/account. I've provided the text to him already.
• @tomcrane will make changes to the Restricted Content login page. My suggestions are in the Google Doc
• I will make these website changes via CM7:

Page	Where to make change	Change required	Details
Joining the library https://wellcomelibrary.org/using-the-library/joining-the-library/	CM7 - Add new link to Link Roster; Edit link on page; Delete account.wellcome.ac.uk link from Link Roster	Pre-registration link	Change from: https://account.wellcome.ac.uk/manage/register?service=https%3a%2f%2fwellcomelibrary.org%2f to https://catalogue.wellcomelibrary.org/selfreg
Computers, printing and wifi https://wellcomelibrary.org/using-the-library/services-and-facilities/computers-printing-and-wifi/	CM7 - Add new link to Link Roster (if needed); Edit link on page	Mobile print; Library account link	Change Library Account link to https://catalogue.wellcomelibrary.org/patroninfo/

[tomcrane]

And for @louisesimon -

This is not absolutely time critical but can happen soon after the changes above.

• I will add a rule to the wl.org estate that redirects any sub path of wellcomelibrary.org/account back up to wellcomelibrary.org/account. This handles any direct links to bookmarks that people might have made (rather than them seeing a 404 page).
• ???* will change the routing for account.wellcome.ac.uk so that all requests for that hostname (whatever the path) will be redirected to wellcomelibrary.org/account. This explains what just happened if there are bookmarks or any other links hanging about that go to the SSO site.

The latter redirect shouldn't happen within the account.wellcome.ac.uk estate because we want to switch all that off. It should happen at the load balancer, I suppose.

*sorry for the ???, don't know who will do this bit.

[louisesimon]

• ???* will change the routing for account.wellcome.ac.uk so that all requests for that hostname (whatever the path) will be redirected to wellcomelibrary.org/account. This explains what just happened if there are bookmarks or any other links hanging about that go to the SSO site.

I'll open a ticket with Platform Tech to do this redirect after then switch

[louisesimon]

Thanks @jennpb

• I will make these website changes via CM7

I identified one additional change which I omitted from my list to you, Jenn. Please can you add the following to you list of CM7 changes:

Request and delivery https://wellcomelibrary.org/using-the-library/how-to/request-and-delivery/	CM7	‘Register online’ link	Change from:   https://account.wellcome.ac.uk/manage/register?service=https%3a%2f%2fwellcomelibrary.org%2f to https://catalogue.wellcomelibrary.org/selfreg

Thanks Louise

[louisesimon]

@tomcrane:

1. When will you push the UAT site to live? On the 19th? As regards infrastructure tasks on the 19th May: Platform Tech will be making the DNS changes early (confirming 8am) and then III have about an hour's worth of config changes to make.

2. In the Google Doc - Re: the Restricted content login page (https://library-uat.wellcomelibrary.org/iiif/dlcslogin). Are you happy for me to edit the page to add the URL links (currently showing as 'tbc')?

[tomcrane]

@louisesimon -

1. Yes, I can do it on the 19th - I have marked it in my calendar and am flexible about when I do it, so when you're ready just send me a message.
2. Yes, please do! I have a couple of changes to make to that at some point before next week, for Jenn's edits, but I won't do that today. There are the three "tbc" in a group, and there's also one in the tips on line 119.

[louisesimon]

@tomcrane: with regard to the linked accounts page - https://account.wellcome.ac.uk/manage/link - if the host name redirects to wellcomelibrary.org/account as described in comment above, will the linked page also redirect to /account? If so, it would be good to have some text on /account informing users that linking account feature is no longer available.

[jennpb]

I don't think that's necessary to maintain a good user experience during this transition. Linking accounts is a one-time only action, meaning that it's not a page that people would have bookmarked or would actively seek to come back to. I don't believe it's good practice to inform users of services that aren't available if it was for the purpose of supporting a decommissioned service. It just adds more complexity to the messaging.

[louisesimon]

Hi Jenn. Understood. I'm trying to ensure that users who've linked their accounts know that they can only log in with their library account in future. Take your point that the page is for the process of linking accounts. Alternatively, I could just add some explanatory text in the My Library Account help page.

For users who sign in with social media account to view bookmarks, then we're covered by the text on the /account page.

[louisesimon]

@tomcrane Sorry for all the questions this morning! One more - I can see that you've made the change to the Login button on UAT . As agreed, it is labelled My Library Account and directs to https://catalogue.wellcomelibrary.org/patroninfo/.

I know that there will no longer be a Logout button on any Library pages, but please can you confirm for my benefit that https://catalogue.wellcomelibrary.org/patroninfo is a Sierra page so they will see the Logout button here.

[louisesimon]

1. Yes, I can do it on the 19th - I have marked it in my calendar and am flexible about when I do it, so when you're ready just send me a message.

Thanks, @tomcrane . How long does it take for UAT to go live once you press the button? Instant?

[tomcrane]

Not quite instant.

I'll be deploying both the DDS and the wellcomelibrary.org site, x 2 because each has two instances. This takes the TeamCity build server a few minutes to grind through.

So minutes, but not hours.

Although there's nothing really preventing us pushing the anonymised site first. It doesn't depend on Sierra changes. It might even be preferable to to do it that way. On Monday evening, for example.

[louisesimon]

Hi @tomcrane . Yes, I think it would be a good idea to push out the anonymised site on Monday evening. Until the DNS change the next morning, users would still be directed to the SSO login so they'd still be able to login. Roughly what time would you plan to do it?

[tomcrane]

I've just noticed that Monday is a bank holiday, but that's OK - just need to make sure I remember to do it. Maybe late afternoon rather than evening.

[tomcrane]

@louisesimon sorry, not a bank holiday! I'm actually off on my own holiday. I will do it early Tuesday then. There's still no timing dependency on Innovative's work.

[louisesimon]

Hi @tomcrane . No problem! Enjoy your day off. Yes, Tuesday morning for deploying this is fine. Please let me know when done.

The change is going before CAB this morning. I'll confirm outcome later.

[louisesimon]

All -the change has been approved so all systems go for Tuesday 19th!

I'll shortly add here the latest (final?) version of the task list for go live.

[louisesimon]

@tomcrane @jennpb, all - here is the list of task to make the changes live tomorrow. Please let me know if any questions GO LIVE tasks 19th May.docx

[tomcrane]

Good morning all,

I have completed the anonymising process on wellcomelibrary.org.

This includes a redirect for all paths under what was the bookmarks/account page, so they get redirected to the new remnant page, e.g., http://wellcomelibrary.org/account/beeswax.

At time of writing, the DDS can still make direct contact with the Sierra patron info service. This means it can authenticate the user, and provide the user's permissions to the DLCS so that the DLCS can authorise access to clinical and restricted images as appropriate.

For example, here is a clinical video that will present the new login page with @jennpb's edits:

https://wellcomelibrary.org/item/b17478613

And this is a test b number for a clinical book. https://wellcomelibrary.org/item/b17478613

Further edits to that login page can be made in GitHub, and edits to the account page can be made in the Smart Client.

See how the labels and messaging feels on the now-live site. We can easily change the links in the top right if they don't seem right.

It all seems to have gone very smoothly. The Sierra login is still directing to CAS SSO right now, but that will change as III do their bits.

Once we are happy with all this, the one remaining task from my point of view is the second bullet here - https://github.com/wellcomecollection/platform/issues/4016#issuecomment-627217951 - which is for Wellcome to do.

[jennpb]

The Clinical login panel gives incorrect information - I hadn't clocked that UV logins would also need to change. @tomcrane Can you please direct me to where I can edit those modals?

[louisesimon]

Thanks, Tom, Jenn. D&T have made the DNS change. I've made live the webpac changes to the Library account page. (Bookmark link on LHS of login screen is still displaying even though it's been removed from the page Will wait until III have finished their work and take up with III if still a problem then.)

[jennpb]

I've made the changes to the three pages in CM7. All links now go to the correct page.

[louisesimon]

III have finished their configuration. Please can you test http://catalogue.wellcomelibrary.org/patroninfo. We have noticed that Global Protect is still directing this to the account.wellcome.ac.uk. If you turn GP off or login from a non-work device, it directs to the Sierra login.

However, after logging in , if I go to other Library website pages and then back to 'My Library Account', it needs to login again. @tomcrane presume this is one for III?

[tomcrane]

Hi @louisesimon - the direct link to /patroninfo wouldn't trigger a new login if you were already logged in over there, when I tested this on the previous setup. In Sierra, it redirected to your patron details. So I think one for III. If that fixed link from wl.org should go somewhere else let me know, it's easily changed.

[louisesimon]

hi all Staff can now login from a work laptop (there was an internal DNS change that had to be made too).

The remaining issues are:

1) Encore search still http. This morning Phil Hunt, the IIIengineer, apologised and said that we we would have to upgrade to encore 4.7.3 to get search as https. I've queried this with him as before the SSO reinstall last year, our Encore search was https:// and that was an older version of Encore. I was given to understand that once SSO was removed, the workaround that redirected Encore to http after the SSO resinstall could be removed.

2) The problems we have with our WAM proxy links remain. Will continue that with III off this thread.

3) The 'My Library Account' login link on the library home page - if you click back on it after logging in, you are directed back to the login page. No problem when going to an 'embedded' My library account page via Encore or webpac.

I'll look more at this with III. It may be that it's less confusong for users not to have that login button there at all.

Let me know if any questions.

Thanks Louise