Frequently Asked Questions about IP-Proxy Servers and federated access management.

IP-Proxy Servers FAQ - Federated Access Management

  1. What is a proxy server?
  2. Why use a proxy server?
  3. What proxy solutions are there?
  4. What is EZproxy and how does it work?
  5. What is PAPI and how does it work?

1. What is a proxy server?

A proxy server is a server that acts as an intermediary between a workstation user and the Internet. When a user connects to the proxy server and requests an online service, such as a file or a web page, available from a different server, the proxy server connects to the specified server and requests the service on behalf of the user.

While proxy servers exist for most Internet protocols, the best known are Web Proxy Servers, also known as HTTP Proxy Servers from the official name of the Web protocol.

Proxies can be transparent (part of the Internet connection requiring no additional user configuration), or require access to specific URLs, or configured in the web browser.

2. Why use a proxy server?

There are many different reasons why organisations may decide to use a proxy server. For example:

  • To provide remote access to IP-authenticated resources
  • To reduce traffic to commonly downloaded material
  • To provide an alternative access route (e.g. as a backup or as a work-around for connection problems)
  • To maintain user anonymity (e.g. if a user doesn’t want a service provider to receive all the information that a web transaction commonly passes on)

UK institutions that would like to participate in the UK federation by choosing one of the two in-house implementation options (i.e. installing open source federated access management software, using either in-house or paid-for support), may consider using a proxy server to provide temporary remote access to online services that are not yet available via the UK federation.

3. What proxy solutions are there?

There are many proxy solutions currently available, both proprietary and open source.

Many UK educational institutions are using EZproxy, now owned by OCLC. EZproxy has been specifically designed to provide off-site access to restricted online resources that use IP authentication.

Another piece of software used by educational institutions is PAPI. PAPI (Point of Access for Providers of Information) is a system for providing access control to restricted online resources across the Internet.

4. What is EZproxy?

EZproxy is a web proxy server application specifically designed to enable off-site access to restricted access online resources that use IP address authentication. The software has been recently acquired by OCLC.

How does it work?

The software works by dynamically altering the URLs within web pages of the online service a user is trying to access.

Initial access is through a special URL which connects to the EZproxy server. Once a user has accessed a web site through the server, the webpages that are downloaded are modified so that links followed will also be through the proxy.

How much does it cost?

EZProxy can be purchased for an annual subscription fee that includes installation support. 

For more information please go to the OCLC website

What are the installation requirements?

The software is quite easy to install and comes with full documentation and support. For more information on installation requirements, please go the EZproxy website.

Is EZproxy SAML-compliant?

A Shibboleth-compliant version of the software is available. Using the ‘shibbolised’ version of EZproxy will provide users of federated institutions with seamless access experience, as users will be able to use their institutional login to access both federated and EZproxy-authenticated resources.

OCLC, which provides the EZproxy software, currently uses Shibboleth v1.2 which has integrated support for the Athens access management software and will also work within the UK federation environment. OCLC’s future development plans for EZproxy include moving to the new release of Shibboleth v2.0, which will also work with the current version of Shibboleth v1.3.

The new release of EZproxy supports WAYFless URLs which means that users can be sent directly to the resource they want to access.

Salford Software and VLE Middleware from Kidderminster College offer paid-for support for institutions wishing to implement ‘shibbolised’ EZproxy. More information

5. What is PAPI?

PAPI (Point of Access for Providers of Information) is a system for providing access control to restricted information resources across the Internet.

PAPI was developed by the Spanish National Research Network (RedIRIS).

How does it work?

It leaves authentication to the home institution and authorisation to the information providers. The system consists of two independent elements: the authentication server (AS) and the point of access (PoA). The AS provides users with a single authentication point and the PoA manages actual access control to a set of web locations for a given organisation. A PAPI PoA can be adapted to any web server and is designed to be as flexible as possible.

How much does it cost?

PAPI is Open Source software, so there are no subscription costs, only the costs of the implementation work.

What does the technical implementation involve?

There are implementations of the PAPI components in Java, Perl and PHP.

Is PAPI SAML-compliant?

The PAPI proxy requires the use of PAPI-native protocols, but there are simple connectors for many authN/authR protocols, including SAML-based technologies, such as new Shibboleth 2.0. More information