
Configuring Authentication Services

In document H+H Software. Version 3.2 (Page 41-48)

You can restrict access to the HAN system by configuring authentication services.

An authentication service is a predefined HAN module that detects user identity based on an authentication source.

HAN supports the following authentication services:

IP address/host name check
NT login (SSPI)
ODBC interface to an ODBC-compatible database
ODBC login via SHA1
LDAP login
ALEPH login
LBS login
SIP2 login
XServer login
SISIS login

The list of supported authentication services shown on the HAN Settings program includes additional services which are not described here. These are services that have been specifically adapted for special areas of use and for internal functions.

For details on the settings for each of the authentication services, see the appendix entitled "Authentication Services and their Modules". This chapter shows you the settings for authentication and how to configure an authentication service.

Authentication settings:

Settings for authentication are configured in the HAN Settings. Open the HAN Settings from the HAN Tools desktop shortcut. In the HAN Settings, select the Authentication page in the Login section:

Use HAN authentication. Activates the authentication requirement for accessing HAN. We recommend using this option.

HTML-form login. Defines the HTML form to be used for HTML login on HAN.

Failed HAN login. In the event of login failure, the HTML page specified will be opened to inform the user and, depending on your configurations, to enable a renewed login attempt.

Use HTTPS for login. Uses HTTPS for logging in on HAN.

Authentication services. Lists all configured authentication services.

HAN distinguishes between implicit and explicit login. With implicit login, the user does not enter credentials; for explicit login, the user enters a user name and a password for authentication. Implicit login is based on client IP address or host name and is independent of user identity. The explicit login uses an HTML-form login:

This login page can be edited and, if desired, adapted (for example, to match your intranet pages). For details on adapting the login page, see "Customizing HAN for Your Company".

If you call the login page over HTTPS, data are encrypted before being sent to the HAN server. To use HTTPS, activate the Use HTTPS for login option.

Configuring an authentication service:

The following steps demonstrate how to configure an authentication service, using the "IP Authentication" service as an example. Authentication services are configured in the HAN Settings:

1. Click on Login in the ribbon and select the Authentication page.

2. On the Authentication page, click on the New button at the top of the Authentication services list:

The list of authentication services shows all of the authentication services you have configured. If more than one authentication service has been defined, they are processed in order, from top to bottom, until one service has successfully completed the login, after which subsequent services are ignored. You can use the Up and Down buttons to change the order of authentication services. If an IP authentication service is defined, this is the first service applied, because IP-based authentication does not require user input.

3. In the Authentication services dialog, select the desired authentication service:

4. Click on the OK button. The dialog for configuring an authentication service opens automatically when you select a service. In the Authentication service field, enter a name for the new authentication service (in this example, "IP login"). The label (in this example, "IP") is required for internal processing:

The Activate service checkbox activates or deactivates the service. Thus you can activate or deactivate a service as needed, while its configuration settings remain stored.

5. The parameters you can configure for the selected service are listed under Service configuration. A parameter is configured by entering a value for it. In our example, a file is required as the value; thus the Select button opens a File Dialog for selecting a file:

Parameter names written in red indicate required parameters; those written in black are optional.

6. Your HAN program lets you set an expiration time for the validity of login credentials. This function is activated by selecting the Use persistent cookies for login option. When this option is active, you can set the period (in hours) of validity for a login.

To use this option, the user's browser must accept cookies from the HAN server. If no persistent cookie is set, the login credentials remain valid until the user closes the browser.

7. Under IP configuration, you can define permitted and excluded IP addresses:

The "IP login" option is the only authentication service that has a section for configuring permitted and excluded IP addresses. This section of the dialog is not shown for other authentication services.

In this section you define which IP addresses are permitted to access HAN resources and which are explicitly denied access. You also have the option of defining a single user ID for a collection of IP addresses, for purposes of statistical analysis. For example, you could create an IP authentication service for users whose IP addresses are located within the library, and enter "Library" as the user ID in the Permitted section. As a result, all usage data originating from library computers is collected in the statistics database with the user ID "Library".

To check the host names of client computers, the HAN web server has to perform reverse name resolution on the IP addresses. This function is configured in the HAN System Settings, on the HAN Web Services page. After activating reverse name resolution, the web service must be restarted (by clicking on the Restart button in the ribbon) before the change takes effect. If reverse name resolution is not activated, the handling of e-script calls will be very slow.

Before you activate name resolution, test your system's name resolution performance by running nslookup and entering the client IP address. The nslookup program should return the client's host name. If this works, then you can activate name resolution in the web server. If the host name is not returned, do not activate name resolution in the web server!

8. If you changed the setting for reverse name resolution, the web service has to be restarted before the new setting is applied for user authentication. If your changes affect only the definition of IP address ranges, however, it is not necessary to restart the web service. To restart the web service, begin by opening the HAN System Settings program from the Windows Control Panel under System and Security/H+H HAN/HAN Web Service. Click on the Restart button in the ribbon to restart the web service:
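The chain behaviour described in step 2 (active services processed top to bottom, the first successful login ends the chain, IP login first because it needs no input) together with the permitted/excluded ranges and shared statistics user ID from step 7, as an added Python illustration; this is not HAN's own code, and the class names, the 10.1.0.0/16 ranges and the sample user are constructed for the example.

```python
import hmac
import ipaddress
from dataclasses import dataclass

@dataclass
class IpLoginService:
    """Implicit login: identity comes from the client address only; excluded ranges win."""
    name: str
    permitted: list   # ip_network objects allowed to use HAN resources
    excluded: list    # ip_network objects explicitly denied
    user_id: str      # single user ID recorded for the whole collection of addresses
    active: bool = True

    def authenticate(self, client_ip, credentials=None):
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.excluded):
            return None
        return self.user_id if any(addr in net for net in self.permitted) else None

@dataclass
class FormLoginService:
    """Explicit login: user name and password supplied via the HTML form."""
    name: str
    users: dict       # constructed sample user store: user name -> password
    active: bool = True

    def authenticate(self, client_ip, credentials=None):
        if not credentials:
            return None
        user, password = credentials
        expected = self.users.get(user)
        if expected is not None and hmac.compare_digest(expected, password):
            return user
        return None

def run_chain(services, client_ip, credentials=None):
    """Process active services top to bottom; the first success ends the chain."""
    for svc in services:
        if not svc.active:          # deactivated services keep their config but are skipped
            continue
        user = svc.authenticate(client_ip, credentials)
        if user is not None:
            return user, svc.name
    return None, None

# Constructed sample configuration; the IP service sits first because it needs no input.
SERVICES = [
    IpLoginService("IP login", permitted=[ipaddress.ip_network("10.1.0.0/16")],
                   excluded=[ipaddress.ip_network("10.1.99.0/24")], user_id="Library"),
    FormLoginService("HTML-form login", users={"alice": "s3cret-example"}),
]
```

A library workstation is logged as "Library" without any form input, while an excluded or outside address only gets in through the explicit form login.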
