ebrary.com

Question(s)/Issue(s):

ebrary Portal Policy

Solution(s)/Answer(s):

What's a portal?

A "portal" is any use of an ebrary channel by a customer (or partner) to provide access to remote users who are not their direct students, faculty, staff or employees.
In a "portal" situation, the customer's own servers provide end users with access to content hosted by ebrary.

Examples of Portals:
  • an internet site offering accounts to internet users (including unrestricted offers to the general public, as well as offers restricted by some criteria)
  • a public library offering access to patrons who can sign up via the Internet
  • a reseller site offering access to their library customers, who then provide access to patrons
  • a University that provides access to a partner high school

Why do portals require special care?

ebrary sells access to a customer based on their identified user base. In a portal situation, the customer may — either intentionally or inadvertently — be offering access to additional users (in some cases, the entire worldwide internet population).

When the customer is offering access internally, it is reasonable to trust that they have solid administrative systems in place to know who is authorized, and to limit access to those individuals. When the customer begins offering access to other organizations, there is a higher risk that the customer will not have reliable systems in place to identify and restrict access to authorized users. In some cases, the customer itself may not initially recognize that the organization they are offering access to does not have appropriate systems in place to restrict access. A quick technical review is prudent to ensure that the Portal provides access only to the specific and authorized user community that the customer has paid ebrary for.

REQUIREMENTS TO CLOSE A PORTAL DEAL:

  1. ebrary should be brought in for a pre-sales technical discussion to ensure our product and solutions will work with the Portal prospect.
  2. ebrary will only approve Portal deals if the partner's Portal system meets the following requirements:
    • Individual user authentication required (ID/password)
    • System must restrict access to members of the specified user group (anyone on the internet may not create an account and access ebrary)
    • System must prevent simultaneous access through a single login (one active session per account)
    • Accounting/logging of user access
    • Mechanism must be secure (access must not be granted based on the referring URL)
    • API integration may be required
  3. Based on ebrary recommendation, ebrary will add a Portal Addendum to the customer contract.

Portal Addendum Example:

Exhibit ____

Partner Portal Server Deployment (Form#052807)

  • User Authentication and Management. The Partner Portal Server will manage authentication for Partner users on the Channel Site.
  • ebrary Access. All users of the Channel Site will be authenticated by the Partner Portal Server.
  • User Authentication. The Partner Portal Server must individually authenticate each user with a unique username and password. If the user is affirmatively authenticated through another trusted system, the Partner Portal Server may use secure methods to utilize that common authentication.
  • Eligibility Verification. The Partner Portal Server shall specifically validate each new user to be a member of the designated user population prior to creating a user account that can be used to access ebrary.
    1. The Portal Server must obtain and verify unique user identification, such as student or employee ID. Generic or easily obtained or non-unique identification is not acceptable (such as address or institution name).
    2. Only one Partner user may be associated with each unique user identification.
    3. The IP range of the requestor must be validated with commercially available databases (e.g. MaxMind GeoIP) to be within the applicable country.
  • Terminating Access. When an account is deleted, inactivated, or expires, the Partner Portal Server will use the ebrary APIs (as described below) to disable the corresponding ebrary user account.
  • Validated User Email Address. Partner will validate end users' email addresses in a commercially reasonable manner, such as by sending an e-mail to the user and requiring that the user click through a completion link. If a user provides Partner with an updated email address, the Partner Portal Server will use the ebrary APIs to update the email address on the corresponding ebrary user account.
  • Blacklisting. The Partner Portal Server will support administrative blacklisting or lockout of specific IP addresses or user accounts.
  • Partner Branding and Support Information. All user and error pages displayed to Prospects and Customers by Partner will display appropriate Partner branding, and will instruct end users how to obtain technical and customer support from Partner.
  • ebrary APIs. The Partner Portal Server will use ebrary APIs to create ebrary user accounts and authenticate authorized users to the Channel Site.
  • API Implementation. ebrary will provide documentation regarding the use of certain ebrary APIs to enable user management authentication. Partner will implement the APIs, and will only use ebrary APIs in the manner described in their documentation. The Partner Portal Server shall implement robust internal error handling to handle and log common problems such as session time-out, missing pages, and malformed URLs. The Partner Portal Server will support all relevant API events to ensure that all returned API errors and timeouts are handled and logged.
  • ebrary User Accounts. Partner will use the UserRequest API to create one Ebrary user account for each Portal user account. The ebrary User account will be created with a unique ebrary UserID and the user provided (and validated) email address. Partner will use the UpdateUser API to enable or disable the account and to update email addresses associated with the user as needed from time to time.
  • ebrary Authentication. The Partner Portal Server will use the "transparent sign-in" authentication APIs SignInRequest and SignInPartnerUser to authenticate Partner users to the ebrary Channel Site based on the ebrary UserID. The Partner Portal Server will allow only one user at a time to access each ebrary UserID; the SignOutUser API will be used to cancel any earlier user sessions.
  • Portal Server IP address and URLs. Partner will provide the fixed IP(s) for the Partner Portal Server and URLs for the various event handlers as required by the "transparent sign-in" authentication APIs. Partner will notify ebrary at least one (1) business day in advance of any changes to the Partner Portal Server IP(s) or event handler URLs.
  • Style Guide. ebrary will create and host the XML Style Guide for the Channel Site to reflect information provided by the Partner specific to the Portal Server.

Partner Portal Server System Design and Deployment
  • Security. Partner shall implement commercially reasonable network and server security architecture and systems for the protection of the Partner Portal Server and associated data, including the following:
    • Static IP. The Partner Portal Server will be located at a static IP address controlled by Partner.
    • Network Infrastructure. The network infrastructure in which Partner deploys its implementation should include the following components:
      1. a layered architecture with restrictive ACLs (access control lists)
      2. firewalls
      3. network intrusion sensors
      The network must provide secure separation between application tiers; private back-end logic and database systems that hold user information shall be isolated from external access.
  • Server Security. Server security should include: a hardened or minimal operating system deployment with unnecessary services removed or disabled, local firewalls, virus protection, and software intrusion detection or file modification monitoring.
  • Policies and Procedures. Partner and/or its hosting or service providers shall maintain documented security policies and procedures for the Partner Portal Server, including:
    1. security protection
    2. security detection
    3. security response
    4. documentation and auditing
  • Unauthorized Access and Abuse Detection. Partner will use commercially reasonable methods to detect, log, and alert Partner staff regarding unauthorized access attempts or abuse.
  • Internal Access Controls. Partner shall manage internal user access controls and network security to restrict privileged access to the Partner Portal Server, administration, software, infrastructure and databases based on legitimate need.
  • No Shared Servers. The Partner Portal Server and associated application and database servers shall be under complete control of Partner, and not shared with unrelated third parties.
  • Data Protection. Partner shall implement commercially reasonable redundancy and tape backup systems for recovery of Partner Portal Server user data, configurations and software in the event of hardware, software or other failure.
  • Logging and Problem Solving. Partner will maintain web and application logs for all user sign-in requests (whether or not the request is successful) and ebrary API error conditions. Partner will provide logs, end user identification and other relevant information to provide assistance in Partner Portal Server problem identification or as reasonably requested by ebrary in the course of investigating confirmed or suspected unauthorized use, content theft, copyright infringement, or other misuse of the Product.
Development Processes

  • Team Qualifications. ebrary's APIs shall be reasonably capable of integration by personnel with the following qualifications:
    1. Strong experience with internet application programming in a typical 3-tier deployment that uses web servers (such as Apache or IIS) to present information to the user, an application layer that implements business logic and access to data stores (using languages such as Perl, PHP, ASP, or Java Servlets/JSP), and SQL database servers to manage user and application data.
    2. Understanding of the key web technologies used by the ebrary APIs: HTTP and HTTPS protocol programming constructs (such as GET, POST, and user sessions) and XML concepts (including programmatic parsing, formatting, and DTDs).
  • Implementation Tools. Partner will have the following processes and tools in place to develop and test its implementation of an ebrary API solution:
    1. Software change control management and versioning systems.
    2. Established QA processes, including standardized test plans, test reports, user simulation, load testing, and bug tracking systems.
    3. A test server environment that can be used for validation testing without impacting the production system available to users.
    4. HTTP analysis tools for accessing the content of HTTP sessions and viewing the XML exchanged between the client and the server. ebrary recommends Charles; problem reports submitted to ebrary require Charles capture files.
  • Support and API Problem Reporting. ebrary will provide a process and templates for obtaining development and integration support for the ebrary API Integration.

Project Management, Testing, Deployment, and Modifications

  • Project Initiation. Partner shall provide the overall development plan for the Partner Portal Server to ebrary for review and approval prior to the start of API integration. The plan should include:
    1. server design
    2. network infrastructure description
    3. QA plan and support plan.
  • ebrary Test Site. ebrary will provide a limited test version(s) of a Channel Site with unique URL that Partner may use for testing and development of its API integration. Partner will use the test URL to test its configuration and obtain ebrary's approval prior to selling any Products or using an ebrary production Channel Site URL.
  • Partner Software Changes. If Partner's software changes, Partner will validate the compatibility of the changed software with the ebrary APIs using the test URL, and will give ebrary adequate notice to give ebrary the opportunity to conduct its own testing, prior to releasing the new software.
  • ebrary Testing. Partner will provide ebrary with a username and password for ongoing access to the Partner server, to give ebrary the ability to conduct its own testing of the Partner Portal Server authentication system from time to time.
  • Security. Partner will use commercially reasonable practices and procedures to ensure that only authorized end users are able to access the ebrary Channel Site. Partner will hold in confidence all information and materials explaining how to authenticate end users to the Channel Site. In the event of a security breach of the Partner Portal Server, or unauthorized access to or loss of information or servers affecting the ebrary Site in any way, Partner will act immediately to minimize the effect on the ebrary Site, and will inform ebrary as soon as reasonably possible.
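The eligibility, e-mail validation, single-login and logging rules above describe a control flow that is easier to check in code than in prose. The following is an added example, not ebrary's or any partner's code: a small Python model of a Partner Portal Server that enforces one portal user per unique ID, a country check on the registering IP, click-through e-mail confirmation before the ebrary account is created, a single live session per ebrary UserID (cancelling the earlier one), an IP blacklist, and a log entry for every sign-in attempt. The addendum names the ebrary APIs (UserRequest, UpdateUser, SignInPartnerUser, SignOutUser) but not their wire format, so the `_api` recorder, the `IP_COUNTRY` table (a constructed stand-in for a GeoIP database), the `eb-` UserID format and all sample values are assumptions for illustration only.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a GeoIP lookup (the addendum names MaxMind GeoIP);
# a real deployment queries the database instead of this dict.
IP_COUNTRY = {"198.51.100.7": "US", "203.0.113.9": "CA"}


@dataclass
class Account:
    unique_id: str               # student/employee ID; one portal user per ID
    ebrary_user_id: str          # hypothetical "eb-..." ID format (assumption)
    email: str
    salt: bytes
    pw_hash: bytes
    email_verified: bool = False
    enabled: bool = True
    session: Optional[str] = None   # at most one live session per ebrary UserID


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class PortalServer:
    """Model of the Partner Portal Server rules; API calls are recorded, not sent."""

    def __init__(self, country: str = "US"):
        self.country = country                       # applicable country for registrants
        self.accounts: dict = {}                     # portal username -> Account
        self.claimed_ids: set = set()                # unique IDs already bound to a user
        self.pending: dict = {}                      # e-mail token -> portal username
        self.ip_blacklist: set = set()               # administrative IP lockout
        self.locked: set = set()                     # administrative account lockout
        self.api_calls: list = []                    # hypothetical recorder of ebrary API calls
        self.log: list = []                          # every sign-in / registration decision

    def _api(self, name: str, **args) -> None:
        self.api_calls.append((name, args))

    def register(self, user: str, unique_id: str, email: str, password: str, ip: str):
        """Eligibility checks; returns the e-mail verification token, or None if denied."""
        if unique_id in self.claimed_ids or user in self.accounts:
            self.log.append(f"register user={user} denied: id already claimed")
            return None
        if IP_COUNTRY.get(ip) != self.country:
            self.log.append(f"register user={user} denied: ip {ip} outside {self.country}")
            return None
        salt = secrets.token_bytes(16)
        acct = Account(unique_id, "eb-" + secrets.token_hex(6), email, salt, _hash(password, salt))
        self.accounts[user] = acct
        self.claimed_ids.add(unique_id)
        token = secrets.token_urlsafe(24)
        self.pending[token] = user       # this token goes into the click-through e-mail
        return token

    def confirm_email(self, token: str) -> bool:
        """Click-through completion; only now is the ebrary user account created."""
        user = self.pending.pop(token, None)
        if user is None:
            return False
        acct = self.accounts[user]
        acct.email_verified = True
        self._api("UserRequest", user_id=acct.ebrary_user_id, email=acct.email)
        return True

    def sign_in(self, user: str, password: str, ip: str) -> Optional[str]:
        """Logs every attempt (success or not); returns a session id or None."""
        acct = self.accounts.get(user)
        ok = (
            ip not in self.ip_blacklist
            and user not in self.locked
            and acct is not None
            and acct.enabled
            and acct.email_verified
            and secrets.compare_digest(_hash(password, acct.salt), acct.pw_hash)
        )
        self.log.append(f"signin user={user} ip={ip} result={'ok' if ok else 'denied'}")
        if not ok:
            return None
        if acct.session is not None:     # single login: cancel the earlier session first
            self._api("SignOutUser", user_id=acct.ebrary_user_id)
        acct.session = secrets.token_urlsafe(24)
        self._api("SignInPartnerUser", user_id=acct.ebrary_user_id)
        return acct.session

    def deactivate(self, user: str) -> None:
        """Terminating Access: disable the corresponding ebrary account."""
        acct = self.accounts[user]
        acct.enabled = False
        acct.session = None
        self._api("UpdateUser", user_id=acct.ebrary_user_id, enabled=False)
```

Reading `api_calls` after a run shows the order the addendum requires: `UserRequest` only after e-mail confirmation, and `SignOutUser` immediately before the second `SignInPartnerUser` whenever a user signs in while an earlier session is still live. The `log` list records denied attempts alongside successful ones, which is what the "Logging and Problem Solving" clause asks for.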
 
Copyright ©1999-2008, ebrary, Inc. All Rights Reserved.