Adam Snook, OpenAthens product manager, discusses preserving user privacy and protecting online content. Adam also explains RA21 and what federated single sign-on is.
5. openathens.org
What we’ll cover
What is federated single sign-on?
How can it preserve user privacy?
How it protects valuable subscribed content?
What is the future of access to online
information?
More information and next steps
7. openathens.org
What is federated
single sign-on?
Three-way trust relationship between a library user, their
organisation and content provider
Organisation manages user consent and authentication
Content provider manages access rights and authorisation of
access to content
OpenAthens provides the eco-system where encrypted user attributes are
exchanged between organisation and content provider, securely and seamlessly
Webopedia definition
8. Federated Access
Service ProvidersIdentity Providers
Providing the user’s identity. I.e.
their email address and
subscribed resources.
Providing paid-for content to
organisations and their users.Authentication vs Authorisation
“We confirm this user
is a student from our
Biology department”
“Biology students from your
institution can only access our
Biology content”
attributes
SAML ‘Handshake’
11. openathens.org
Data Protection Code of Conduct
• Service providers must comply with data protection legislation
• Supported by RA21, the Code of Conduct principles include:
o Minimising the attribute data released to service providers
o Restricting attribute data to enabling access, unless user consent has been obtained
(directly or via the user’s organisation)
o Deleting/anonymising attribute data when no longer necessary
o No transfer of attribute data to another service, except if mandated for enabling
access on behalf of the service provider, the third party also complies with data
protection, and prior user consent is obtained
o Security measures to safeguard user attributes
• bit.ly/GEANTdp
12. openathens.org
How does OpenAthens handle privacy?
Our privacy statement:
• What information we collect
• What we do with that information
• How we protect it
• How long we keep it for
• How you can check your information
• openathens.org/privacy/
13. openathens.org
Library organisations - your responsibilities
• Processing of user data must be fair, lawful, necessary and proportionate to the
purpose(s) for which data is required.
• Organisations must inform users what their personal data will be used for at the time it is
collected.
• Users can ‘opt out’ of providing personally identifiable information.
• Organisations must ensure personal data is not misused and only released to service
providers when necessary.
• User consent may be requested for additional personal data. Users can change their
minds and change or stop future release of this information.
14. openathens.org
Privacy challenges for librarians
• Blog: Opportunities and challenges for
librarians created by technology
• EBSCO long overdue podcast
“Some providers have gone so far
as to provide personalisation
without using any personally
identifiable information
whatsoever.”
15. openathens.org
Protecting privacy through user attributes
Attribute Description
eduPersonScopedAffiliation User’s association with the organisation e.g. student,
researcher, staff, alumni, walk-in, affiliate
eduPersonTargetedID An opaque, persistent and pseudonymous identifier
used for personalisation. Unique to each user, it does
not contain any information that can identify a person.
eduPersonEntitlement Describes the resource set the user is entitled to
access.
16. openathens.org
User managed consent
• Users can accept release of
attributes to service providers using
Shibboleth Identity Provider v3
• Attributes may include
eduPersonPrincipalName
• Openathens plans to support
user managed consent and multi-
factor authentication in the future
18. openathens.org
IP-based access
• Sometimes results in users providing personal information to publishers
• Difficult to track who your users are
• Inconsistent user journey off-site, so users choose the easy route e.g.
sharing content with friends or colleagues, or access via pre-print
repositories, ResearchGate and SciHub
• Fewer visits to your website potentially impacts library subscription decisions
19. openathens.org
Federated single sign-on
• Trust model – more secure
• Users less likely to share their credentials
• Library verifies who the user is
• You trust the library
• Seamless user journey to all the library’s subscribed content
• Users less likely to visit other nefarious sites
• Can request personally identifiable information from users with their consent
e.g. eduPersonPrincipalName
20. openathens.org
OpenAthens Conference, 19 March 2019, London
Panel debate: Piracy as a disruptor for
change
Further reading:
How piracy is forcing industry
transformation
Emily Powell, College of Policing Phil Leahy, OpenAthens
22. openathens.org
What is RA21?
• Resource Access for the 21st Century (RA21) is a joint STM and NISO initiative
with goals to:
o Facilitate a seamless user experience for consumers of scientific
communication.
o Solve long standing and complex challenges in the areas of network
security and user privacy.
• Universal agreement that there needs to be alternatives to IP authentication.
• Aiming for adoption of RA21 recommendations globally.
24. UX Building Blocks
2
Consistent visual cue
and call to action signals
institutional access
Flexible and smart search
• Search by institution name,
abbreviation or email
• Typeahead matching and URL
Remembered institution
on next access1 2 3
25. RA21 UX Goals
2
A user only encounters a
discovery process once
(per browser).
The user’s institution is persisted
in browser local storage and
subsequently rendered in the
RA21 button across all
participating publishers.
1 2
26. openathens.org
Main outputs
1. Set of recommendations that build on NISO’s ESSPReSSO recommended
practice
2. Establish a new governance structure
3. Launch a new service that simplifies access for users
Main outcome
• Expectation that publishers will start to deploy RA21 recommended practices in
second half of 2019.
35. openathens.org
• Download the free ebook which includes
explanations and guides on:
• The difference between authentication and
authorisation
• Web based authentication
• IP address recognition
• What SAML is and how it works
• OpenID Connect
• Basic troubleshooting
36. openathens.org
This report presents the key findings from
over 900 responses including:
• Access management is critical to meeting
users needs
• Increased demand for mobile or off-site
access
• Library staff requiring greater technical
expertise than ever before
• The need to help users with their digital
skills
Pan-European network for research & education.
Must have sec measures in place to safeguard
Opaque identifiers are allowed for the purpose of recognising a returning user, but not their individual identity
iso27001
Myth 1: IP authentication is privacy preserving, where federated authentication technologies are not. BUSTED
Myth 2: Proxy servers work just fine as a solution for off-campus access. BUSTED
Myth 3: RA21 wants to enable publishers to track users across each other’s platforms. BUSTED
Myth 4: RA21 creates yet another username and password. BUSTED
Myth 5: RA21 is placing control of users’ identity in the hands of institutions and not the individuals themselves. PLAUSIBLE
Myth 6: RA21 seeks to eliminate IP-based access. CONFIRMED