This presentation was provided by Don Hamparian of OCLC during the two day NISO Live Connections event, Digital Libraries: Authentication, Access and Security of Information Resources, held on May 22-23, 2018 in Baltimore, MD.

1. May 2018 • NISO
IP Authentication for STEM e-Content Access –
Going, Going, Gone? Past, Present, and Futures
Don Hamparian
Sr. Product Manager, OCLC

2. IP Authentication for STEM e-Content
Access – Going, Going, Gone?
Past, Present, and Futures
Foundational Technologies Panel
Digital Libraries: Authentication, Access & Security for
Information Resources
NISO

3. Americas
10,938 members
in 28 countries
EMEA
4,009 members
in 72 countries
Asia Pacific
1,601 members
in 23 countries
As of 31 December 2017
A global network of libraries

5. Today’s Conversation
• IP authentication, past & present
• IP authentication’s challenges
• Alternative authentication & authorization methods
• Challenges and opportunities for libraries

6. Quick Survey
• Librarians?
• IP proxying today?
• Library IT?
• Institution IT?
• Publishers?
• Federation Operators?

7. IP Authentication
• Traditional Access Control Mechanism for 25 years
• Nearly all STEM publishers support it
• Libraries understand it and are comfortable with it
• Back in 2000 the topology for administration was simpler
• Still seen as easy to administer today
• Actual software to manage access is pretty straightforward
• “Silent” authentication and authorization for users

8. By Source (WP:NFCC#4), Fair use, https://en.wikipedia.org/w/index.php?curid=42693963
As IP authentication was being implemented

9. Early evolution in STEM access
Not all users were on the library/institution IP network,
so solutions to this problem sprung up:
• VPN access
• Virtual Desktop aka Citrix
• Proxy Servers aka EZproxy
All was good for many years

10. More recently, new challenges
• Piracy
• Disconnection of discovery from fulfillment technologies
• Native mobile apps
• Desire for more personalization at publishers web sites
• More complex network topologies
• Video and streaming content

11. A deeper look at piracy
• Some pirates are sophisticated, some simple
• Some are large-scale and systematic
• Some are for money, some for pirate’s principles
• Generally, attack vectors are simple:
– Steal credentials via Dictionary attacks, phishing, searching for
exposed credentials
– Spoof IP Address (more rare)
– Man in the middle attacks (more rare)

12. Credentials
• Mostly id/password at institutions, Some still just id(!), a
few MFA
• Not well managed by users, institutions or content
providers
• Not an IP-only problem
• Multi-factor helps significantly
• Short-lived passwords can help
• Complex passwords can help

13. Some solutions for these problems for IP
authentication exist, but should we be thinking
more broadly?
What identity management systems are
available for STEM access?

14. Introducing Shibboleth
Bright and shiny and new in 2003
• Shibboleth 1.0 introduced in 2003
• Included in implementation is the Security Assertion
Markup Language (SAML)
• Brought us web browser single sign-on
• For many years, adoption was slow and painful
• In spite of the startup pain, it was transformative

15. Shibboleth: much less painful today
• Preciseness Alert: Federated Identity Systems Implementing SAML
Browser SSO profile
• Easier implementation
• Many apps and publishers are “Shibbolized”
• Wide adoption at academic institutions
• Mature identity federations
• Many providers offering consulting or turnkey offerings
• Privacy preserving and controlled by institution IT
• https://www.shibboleth.net/

16. Some providers

17. Central Authentication Service (CAS)
• Introduced around 2004
• Apache 2.0 Open Source
• Originally developed at Yale, now provided by Apereo
Foundation
• Can participates in identity federations such as InCommon
• https://apereo.github.io/cas/5.2.x/index.html

18. Identity Federations
• Glue that Empowers SSO at the global scale
• Simpler service provider integration
• Common policies, technology, legal terms & conditions
• Normally defined at national level

19. OpenID Connect
• An authentication layer on top of OAuth 2.0
• Specification controlled by the OpenID Foundation
• Good mobile support (especially for Android)
• Good support for API authentication and authorization
• Adoption for STEM access at a very early point
• Traditional identity management interoperation also at a very early
point
• Academic institution adoption at a very early point
• https://openid.net/connect/

20. And now a short commercial break
for RA21
• RA21: Resource Access for the 21st Century
• Joint initiative of the International Association of
STM Publishers (STM) and the National Information
Standards Organization (NISO)
• Aimed at optimizing access protocols across key
stakeholder groups
• Corporate and university subscribers, libraries, software vendors,
publishers, identity federation operators, etc.

21. And now a short commercial break
for RA21
• Purpose: To a facilitate seamless user experience to
licensed STEM content beyond IP address recognition,
supporting usability, network security and user privacy
• https://ra21.org/

22. RA21 Goals
Recommend new solutions for access
strategies beyond IP recognition in joint
collaboration with software vendors, libraries,
federation operators, publishers and service
providers

23. RA21 Goals
• Test and improve solutions by organizing pilots in
a variety of environments
• Establish best practices and publish via the NISO
Recommended Practice process
• New: Prepare for post-project phase by identifying
potential parties to operate any necessary
centralized infrastructure

24. User Experience
P3W
RA21 Workstreams
2
Two technical pilots exploring different
implementation approaches
Two cross-cutting
workstreams
exploring topics
common to both
approaches
Privacy and Security
Corporate
Pilot
WAYF
Cloud
Pilot exploring needs of
corporate segment

25. RA21 Opportunities
RA21 needs to:
• Improve UX for the researcher – the “compelling”
factor
• Communicate the how-to’s and benefits for the
institution
• Demonstrate privacy preservation
• Have more library participation

26. That’s the authentication landscape
Let’s shift to libraries
What are the challenges and opportunities
in this changing landscape?

27. First, it's a long evolution
• RA21 is about developing patterns for adoption of
SAML/SSO
• Patterns take time to turn into production systems
• My prediction is at least a five-year window for larger
publishers
• Smaller (long-tail) publishers will take longer
• Take home: IP authentication is going to be around for a
long time - EZproxy is not going away

28. Second, it’s an important evolution
SAML/SSO have many advantages to the end user:
• Privacy protection more formalized
• Single sign-on through institution and publisher applications
• Website personalization adds functionality to applications
SAML/SSO have many advantages to the institution:
• Good foundation to protect student assets
• Common vocabulary and implementation patterns to draw upon

29. But libraries need to be planning…
or challenges and opportunities
• Does the library have the IT relationships necessary to start the
conversation?
• Does institution IT have a plan? Be ready to participate and guide
• Watch trends in the identity management space – it’s evolving too
• Don’t withdraw from the institution-level conversation about identity
management – libraries have valuable insight
• Get involved with your federation operators
• Get involved in RA21

30. Publishers also have work to do
• Make sure you know your libraries’ challenges and adjust
planning accordingly
• Develop success plans with your libraries
• Have compelling UX

31. Closing thoughts
• It’s a long migration not a hot cutover
• RA21 and implementers needs to produce compelling UX
• Libraries need to stay engaged in identity management
trends and implementation
• Libraries need to advocate for their patrons
• EZproxy is there the whole way

32. Questions?
Don Hamparian
Sr. Product Manager
hamparid@oclc.org