mulberryinteractive
Education

Bloomsbury Authentication Hub

Single sign-on and subscription management system.


The Challenge

As Bloomsbury's digital education portfolio grew, each product was managing its own authentication and subscription logic. This meant duplicate institution records, inconsistent access control, and no single view of which institutions had access to which products. They needed a central system to manage it all — one place to create an institution, set up their authentication method, manage subscriptions, and have it work across every product.

  • Centralise institution and subscription management across multiple digital products
  • Support multiple authentication methods (SAML/Shibboleth, IP ranges, email domains)
  • Automate subscription activation and deactivation based on contract dates
  • Expose REST APIs so digital products can validate access in real time
  • Handle institutional user management (admins, instructors, students)
  • Maintain OpenAPI documentation for all endpoints

The Solution

Built a purpose-designed Drupal application that acts as the single source of truth for all institutional access across Bloomsbury's digital products.

  • Subscription management: Institutions linked to digital products via subscriptions with start/end dates, access methods, and user limits — cron automatically activates and deactivates subscriptions based on dates
  • Multi-method authentication: Each subscription can use Shibboleth/LTI, email domain + IP range, or both — the Hub validates whichever method the institution's users present
  • Custom REST API endpoints: Full CRUD for users, institutions, and subscriptions, plus validation endpoints that digital products call in real time to check access
  • SAML/Shibboleth integration: SimpleSAMLphp with institution-level entity ID mapping, attribute-based role assignment, and WAYFless login URLs for direct institutional access
  • IP and email validation: CIDR-based IP range checking and email domain matching for institutions that don't use Shibboleth
  • OpenAPI documentation: Swagger and ReDoc UIs auto-generated from REST resource annotations, so product teams always have current API docs
  • Institutional user management: Institution admins create and manage their own users (students, instructors, admins) with role-based access, while Bloomsbury super-admins have oversight across everything
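
The non-Shibboleth access check described above (subscription date window, CIDR range match, email domain match), sketched as an added example; this is not the Hub's own code, which is a Drupal application. The field names, the sample subscription and the policy of accepting either an IP match or an email-domain match are assumptions.

```python
import ipaddress
from datetime import date

# Constructed sample subscription; field names are hypothetical, not the Hub's schema.
SUBSCRIPTION = {
    "start": date(2024, 9, 1),
    "end": date(2025, 8, 31),
    "ip_ranges": ["192.0.2.0/24", "2001:db8:40::/48"],
    "email_domains": ["example.edu"],
}

def subscription_active(sub, today):
    """Date-window test of the kind a scheduled activation job would apply."""
    return sub["start"] <= today <= sub["end"]

def ip_in_ranges(client_ip, cidrs):
    """True if client_ip is inside any CIDR block; malformed input fails closed."""
    # client_ip should come from the connection or a trusted proxy, not a raw client header.
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so dual-stack listeners match IPv4 ranges.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False

def email_domain_matches(email, domains):
    """Exact, case-insensitive match on the domain part of the address."""
    if email.count("@") != 1:
        return False
    local, _, domain = email.strip().partition("@")
    domain = domain.lower().rstrip(".")
    # Exact comparison: notexample.edu and example.edu.evil.test must not pass.
    return bool(local) and domain in {d.lower() for d in domains}

def validate_access(sub, client_ip, email, today):
    """Assumed policy: active subscription AND (IP match OR email-domain match)."""
    if not subscription_active(sub, today):
        return False
    return (ip_in_ranges(client_ip, sub["ip_ranges"])
            or email_domain_matches(email, sub["email_domains"]))
```

Comparing the domain by exact match rather than by substring or suffix is what keeps lookalike domains from inheriting an institution's access.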

The Results

The Authentication Hub eliminated per-product access management. New digital products can be added without building authentication from scratch — they just call the Hub's API. Subscription renewals and expirations are automated, reducing manual admin work. And because all institution data lives in one place, Bloomsbury has a clear picture of their entire institutional customer base for the first time.