LLoyd - Web proxy vs. Federated SSO: A Practical Guide

This presentation was provided by Tim LLoyd of LibLynx during the NISO Live Connections event, Digital Libraries: Authentication, Access and Security of Information Resources, held on May 22-23, 2018 in Baltimore, MD.

@liblynxconnect Tim Lloyd <tim@liblynx.com>
Web proxy vs Federated SSO:
A practical guide to the pros & cons
Tim Lloyd, CEO LibLynx
22 May 2018
Digital Libraries: Authentication, Access & Security for Information Resources

About LibLynx
1
We’re passionate about empowering
access to online resources
2
We want to make access as simple as
possible and as secure as necessary
3
Serve Libraries and other information &
knowledge managers
Serve Publishers and other online product
& service providers
4
Cloud-native solutions engineered for
integration, automation, and customization

@liblynxconnect Tim Lloyd <tim@liblynx.com>
Five areas of concern
Patron Privacy
User Experience
Security
Cost / Efficiency
Reporting
Two lenses
Proxy access
Single Sign On (SSO)

On patron privacy
“We don’t want publishers to track
patron identities or what they are
reading”

Privacy
Proxy
Publisher never receives personal data
(PD)
HOWEVER, patrons forced to register for
personalization risk exposing PD
Shibboleth has good privacy controls to
limit the release of PD
Scalable Consent will provide tools &
policies to empower institutional and
individual choice
Other SAML systems can be configured
for privacy e.g. Active Directory
SSO

https://spaces.internet2.edu/display/ScalableConsent

On user experience
“My colleague can’t access
https://example.com.proxy.college.edu”
or
“Life, uh, finds a way”

User Experience
Proxy
Patrons have to access via institutional
links, supported by significant community
effort
Poor experience outside proxied links
Proxy configs can fail
Patrons can access at point of discovery
Poor experience to select institutional
affiliation (RA21)
SSO

On security
“Someone at IP 1.2.3.4 violated the terms
of service 3 days ago between 2 and 4pm
- please block their access”

Security
Proxy
Access can be secured by credentials
Human error can be a significant factor
Blocked IPs are blunt tools that impact
good and bad users alike
Tracing unauthorized activity can be time
consuming and usually requires
collaboration between librarian & publisher
Soft target for fraudulent access
Federated trust fabric provides strong set
of security tools & policies
Unauthorized activity quicker to spot and
block by publisher - more like a scalpel
than a hammer
SSO

On cost and efficiency
“Does anyone have an up to date stanza
for XYZ Journal?”

Cost and efficiency
Proxy
Inherently unstable approach as it has to
respond to changes in website design
Requires regular, ongoing maintenance as
resources change and proxy
configurations need updating
Stable technology
Low ongoing maintenance required
SSO

On reporting
“Which group of patrons accesses this
resource the most?”

Reporting
Proxy
Access tracked through proxy
Granular user level reporting available to
library if proxy requires login
Publisher can’t distinguish users
Access tracked via SSO architecture
Granular user level reporting available to
library AND publisher depending on
institutional policies
SSO

This document summarizes authentication and access of licensed content in Ohio libraries. It discusses OhioLINK's mission to provide academic resources to students and faculty. It outlines OhioLINK's membership, which includes 121 member libraries at 90 institutions. It also describes OARnet's role in providing technology solutions and infrastructure like fiber optic networks to higher education institutions in Ohio. The document reviews a survey of OhioLINK member libraries on their current authentication methods and technical support structures. It identifies challenges for members in considering new authentication procedures, such as costs, technical relationships on campus, and requiring technical expertise.

Flanagan - RA21 Improving Access to Scholarly Resources

Leahy - What can SAML/Shibboleth do for your institution?

Wenger Replacing IP Filtering: Challenges for Academic Libraries

This document discusses the challenges of using IP filtering for access to electronic resources in academic libraries. It notes that the traditional assumptions around IP filtering, such as static IP addresses and on-campus users, no longer apply in an environment with widespread use of mobile devices, virtual private networks, and proxy servers. The document proposes that libraries focus on authenticating users based on their institutional credentials rather than IP address in order to improve security and the user experience across all devices. It also stresses the importance of addressing privacy concerns, walk-in users, and gaining support from library and campus IT for transitioning away from IP filtering.

Hanson In Defense of the Proxy Server

The document discusses the benefits of using a proxy server for digital library resources. It argues that a proxy server (1) protects user privacy by aggregating usage data, (2) enhances security by allowing the library to control login credentials and monitor for compromised accounts, (3) provides business intelligence through analytics on resource usage to justify budgets, and (4) improves user experience, although more improvements are needed. The proxy server centralizes access management and usage logs which helps address privacy, security, and data collection needs for digital libraries.

Schwing Challenges to Successful Authentication Change

Hamparian - IP Authentication for STEM e-Content Access

Identity & Authentication Management - Judy Luther

The NEKLS LAN Initiative aims to improve library networks across the region. Currently libraries have diverse hardware that is difficult to manage. NEKLS has relied on open source solutions but is considering moving to enterprise solutions for better support, security, and documentation. They also need to start collecting WiFi usage statistics for the state and have unused E-rate funds available for network upgrades. Next steps include contacting NEKLS for help applying those funds through the E-rate program to implement a new regional network infrastructure.

White Manipulating Metadata to Enhance Access

What’s new in OpenText Legal Tech

OpenText

Intranet Presentation

renaglasser

An intranet is a private computer network within an organization that uses internet technologies to securely share the organization's information and systems. Intranets allow organizations to communicate and collaborate internally through tools like employee newsletters, project information, policies and procedures, and more. The main benefits of intranets are strengthened internal communication, faster sharing of information, and hosting unlimited internal resources. Potential downsides include expense of large intranets and inability to access resources remotely.

The Strategic Developer: a new role for Higher Education?

Paul Walk

The document discusses the need for a strategic developer role in higher education. Currently, developers are often seen as junior roles and not involved in strategic planning. This leads institutions to outsource development work without considering how to integrate systems. Using APIs, a strategic developer based internally could better customize remote services to meet local needs compared to external suppliers. The role would provide technical leadership to align technology with strategic goals and identify new opportunities through digital innovation, filling a gap similar to the CTO role in business. Bringing developers into senior positions would help institutions gain more value from technology investments.

Contributing to the pursuit of excellence, by Caroline Cooke

Jisc

The document discusses a technology strategy and infrastructure review that was conducted at AECC University College in 2017 by experts from Jisc. The review identified areas for strategic support and developed an IT strategy to embed digital learning and teaching. Key actions included stakeholder meetings, a skills audit, infrastructure review, and staff workshop. This led to a draft strategy, digital learning initiatives, and new staff and resources. Feedback indicated the review provided reassurance, confidence, and a clearer shared vision for digital transformation.

Blockchain Basics and Future Uses - Long

Sean Manion PhD

Athens, Shibboleth, The Uk Access Management - Single sign-on for your Web site

Eduserv Foundation

Athens is a single sign-on system used by over 4 million users in higher education and healthcare to access online resources from 180 providers. Shibboleth is an open source single sign-on system developed by Internet2 that supports secure exchange of authentication and attributes between identity providers and service providers using SAML. The UK Access Management Federation is a UK federation for education and research that uses Shibboleth and delivers a WAYF service and shared policy. OpenAthens provides an outsourced identity and access management solution that supports multiple standards and federations to help institutions participate in federations while maintaining access to Athens resources.

ICIC 2016: Improving the Pharmacovigilance Literature Screening Process. How ...

Dr. Haxel Consult

Screening scientific literature for the purpose of detecting adverse side effects of drugs is burdensome, yet essential. The discovery and retrieval of full-text journal articles is a necessary part of this process. Cursory screening of abstracts has been used to determine which journal articles require full-text reviews. And transactional purchases have historically been the only option for accessing the full-text for non-subscribed content when cursory reviews lead to in-depth review requirements. In February 2016, a new full-text article rental program was introduced to the drug safety market with the potential to enable a deeper screening of scientific journal content. In this session, Reprints Desk will present information related to new full-text article rentals, including an overview of how article rentals work and time-saving workflow options.

Kaseya Connect 2013: Kaseya Keynote

Kaseya

The document discusses managing new heterogeneous networks. It defines cloud service models from NIST including Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). It also notes that classic IT service management processes are mature, while strategic processes lag behind. Additionally, it projects 26% annual growth in cloud-related jobs through 2015, with 1.7 million open jobs but only 2.7 million existing IT professionals in the US currently.

K Ziai Share Point At Ut

SAML protected resources: the theory and practice of granularity and manageme...

The document discusses SAML (Security Assertion Markup Language) and federated access management. It notes that while technical capabilities exist to provide more granular attribute data through SAML, in practice most identity providers only provide basic attributes like affiliation due to data protection concerns and a lack of demand from service providers. Overcoming this stable deadlock will require experimentation and agreement between identity providers and service providers on desirable and possible attribute sharing models from the bottom up in specific application areas.

Intranet for Library Services

Bhojaraju Gunjal

InterSystems presentatie: Making Sense of Unstructured Data

InterSystems Benelux

Applications of semantic web

Suresh Kumar Mukhiya

With increase in size of web, volume of information content is becoming huge resulting in difficult to search, access, manage and maintain. Creating machine processible semantic could decrease some of these problems. In this post, we will discuss some of the applications of semantic web as we discussed in earlier post. Before we dive into applications, lets see what are semantic web applications.

Access to Content via Link Resolvers

D Cornell Securing Share Point

This document summarizes common approaches to securing SharePoint deployments and identifies common blind spots. It discusses securing the infrastructure and using SharePoint's security features, as well as deploying add-on security products. However, it notes that custom software and data security are often overlooked areas that require additional focus. A comprehensive security strategy is needed to secure SharePoint deployments and address evolving risks.

OpenAthens Conference 2018 - Don Thibeau - OpenID Connect

The document discusses the OpenID Foundation, which develops open standards including OAuth, JWT, JWS, and OpenID Connect. It describes the Foundation's leadership and working groups, and how open standards enable interoperability, extensibility, and user control of privacy and security. It outlines how OpenID Connect is widely used and continues to expand through new profiles. The Foundation operates a certification program to promote high-quality implementations and drive adoption of OpenID Connect through self-certification.

OpenAthens Conference 2019: Simplifying the SSO User Experience: The RA21 ini...

Todd Carpenter, executive director, National Information Standards Organization. The RA21 Project has been working for the past two years to improve the user experience of access to subscribed resources. After having reviewed some initial pilot technologies, RA21 is ready to roll out its recommended practice and launch an ongoing service to support user identity management and individual access to content. The project is now entering a new phase, in which interested parties will form a consortium to provide ongoing maintenance, outreach support, and governance to the effort moving forward. Todd discusses what RA21 has accomplished, demonstrate the service, and provide an update on what is next for RA21.

MongoDB.local Sydney: The Changing Face of Data Privacy & Ethics, and How Mon...

MongoDB

Public concern for the safety of data is growing – not just in how criminals might use stolen data to commit fraud, but also in how personal data is used by the organisations we engage with. This is limiting growth in digital services, and damaging trust in government and enterprises. The EU's General Data Protection Regulation (GDPR) came into force in May 2018. Now it is influencing new privacy regulations around the world, governing how organisations collect, store, process, retain, and share the personal data of citizens. In this session, we explore the specific data management requirements demanded by new privacy regulations, digital ethics, and everyone's role in being conscientious stewards of customer data. We discuss how MongoDB can provide the core technology foundations to help you accelerate your path to compliance with new privacy demands.

What's hot

Access Lab 2020: FOLIO + OpenAthens integration

IOP Publishing - How we simplified user access

Northeast Kansas Library System

NEKLS LAN Initiative

White Manipulating Metadata to Enhance Access

What’s new in OpenText Legal Tech

OpenText

Intranet Presentation

renaglasser

The Strategic Developer: a new role for Higher Education?

Paul Walk

Contributing to the pursuit of excellence, by Caroline Cooke

Jisc

Blockchain Basics and Future Uses - Long

Sean Manion PhD

Athens, Shibboleth, The Uk Access Management - Single sign-on for your Web site

Eduserv Foundation

ICIC 2016: Improving the Pharmacovigilance Literature Screening Process. How ...

Dr. Haxel Consult

Kaseya Connect 2013: Kaseya Keynote

Kaseya

K Ziai Share Point At Ut

SAML protected resources: the theory and practice of granularity and manageme...

Intranet for Library Services

Bhojaraju Gunjal

InterSystems presentatie: Making Sense of Unstructured Data

InterSystems Benelux

Applications of semantic web

Suresh Kumar Mukhiya

Access to Content via Link Resolvers

D Cornell Securing Share Point

OpenAthens Conference 2018 - Don Thibeau - OpenID Connect

What's hot (20)

Access Lab 2020: FOLIO + OpenAthens integration

IOP Publishing - How we simplified user access

NEKLS LAN Initiative

White Manipulating Metadata to Enhance Access

What’s new in OpenText Legal Tech

Intranet Presentation

The Strategic Developer: a new role for Higher Education?

Contributing to the pursuit of excellence, by Caroline Cooke

Blockchain Basics and Future Uses - Long

Athens, Shibboleth, The Uk Access Management - Single sign-on for your Web site

ICIC 2016: Improving the Pharmacovigilance Literature Screening Process. How ...

Kaseya Connect 2013: Kaseya Keynote

K Ziai Share Point At Ut

SAML protected resources: the theory and practice of granularity and manageme...

Intranet for Library Services

InterSystems presentatie: Making Sense of Unstructured Data

Applications of semantic web

Access to Content via Link Resolvers

D Cornell Securing Share Point

OpenAthens Conference 2018 - Don Thibeau - OpenID Connect

Similar to LLoyd - Web proxy vs. Federated SSO: A Practical Guide

OpenAthens Conference 2019: Simplifying the SSO User Experience: The RA21 ini...

MongoDB.local Sydney: The Changing Face of Data Privacy & Ethics, and How Mon...

MongoDB

Remote Access Policy Is A Normal Thing

Karen Oliver

This document outlines an access control policy for a healthcare organization. It discusses the importance of access controls and audit controls for maintaining compliance with regulations like HIPAA. Authentication, authorization, and auditing are key components of access control policies. The policy also specifies that employees will only be granted the minimum level of access needed to perform their jobs and that inactive or terminated user accounts will have their access revoked in a timely manner. Role-based access control models and audit trails that track access to patient health information are important parts of the organization's compliance efforts.

Presentation security measure

mukarram522

The document discusses security issues related to digital libraries. It addresses six main concepts in a digital library: 1) content, 2) users, 3) functionality, 4) architecture, 5) quality, and 6) policy. For each concept, it outlines various security considerations. For content, it discusses integrity, access control, and digital rights management. For users, it discusses access control models including role-based access control. It notes security risks like denial of service attacks for functionality and the need to secure communication channels for different architectural models.

Smart Identity for the Hybrid Multicloud World

Katherine Cola

1) Traditional identity and access management programs are facing pressures from increasing complexity, focus on the user experience, and new regulations. 2) Smart identity is needed to securely connect every user, API, and device to every application in and outside the enterprise in today's hybrid multicloud world. 3) IBM's identity and access management solutions include adaptive access to balance security and user experience, identity and privileged access management analytics to identify risks, and decentralized identity to enable user-owned digital identities.

[Workshop] Digital Transformation: Breaking Down Boundaries for Greater Conne...

WSO2

Blockchain and Cybersecurity

gppcpa

Why IAM is the Need of the Hour

Techdemocracy

To tell that - IT environment has shifted, and this would be a huge understatement. We just see this happening around us. Yet to say, the transition is not necessarily a bad thing. Like in other technology organizations, Identity governance is in the process of change. We can see that this can be a positive transformation; as the way it allows us to be more flexible and stronger. Visit : https://techdemocracy.com

Respect Connect: From Social Login to Personal Cloud Login

drummondreed

Seattle Tech4Good meetup: Data Security and Privacy

Sabra Goldick

12/7/2016 - It's difficult to avoid news stories about hacks and misused databases. For our Q4 meetup, we will discuss what nonprofits can do to protect their systems and data. Each panelist will outline best practices for protecting your own data as well as constituent data. PANELISTS * Mary Gardner, Chief Information Security Officer at Seattle Children's Hospital. * Ralph Johnson, Chief Information Security and Privacy Officer, King County * Peter Kittas, Web and IT Consultant, Revelate LLC

Security On The Cloud

Tu Pham

This document summarizes security best practices for cloud computing. It discusses how security in the cloud requires a shared responsibility model between the cloud provider and customer. It recommends implementing least privilege access, defense in depth strategies like isolating environments and regular patching, and knowing your system through strong authentication and authorization. Specific best practices covered include using multi-factor authentication, limiting exposed services, expiring unnecessary permissions, and preventing lateral movement between hosts. The document promotes keeping systems simple and securing the full technology stack.

A Guide To Single Sign-On for IBM Collaboration Solutions

Gabriella Davis

Single sign-on, single identity and even password synchronization—in this session, we will take you through all the options available to minimize or eradicate logins across IBM's Collaboration Solutions (ICS); whether it is a Domino web server, IHS, Notes client, Traveler, Sametime, Connections or Verse, on-premises or cloud. The discussion will cover security certificates, password synchronization, IWA, SPNEGO and SAML Federation. We will explain what you can (and can't) do, and how to do it. Presented at Think 2018

Comprehensive Analysis of Contemporary Information Security Challenges

sidraasif9090

Identity_and_Access_Management_Overview.ppt

mamathajagarlamudi2

This document provides an overview of identity and access management. It discusses the growing complexity of identity management with the rise of the internet and digital identities. It highlights trends like increasing threats, rising regulation, and the need to manage identities across multiple systems. The document introduces the idea of an identity metasystem based on open standards to help address these issues. It outlines some of the key components, roles, and laws around building an identity metasystem that respects privacy and can scale.

Microsoft Office 365 Security and Compliance Updates

David J Rosenthal

If your business has legal, regulatory, and technical standards to meet for content security and data use, you're in the right place. You can also use Office 365 security and compliance features if your business has specific security requirements for controlling sensitive information. In this section, you can also find out how Office 365 uses encryption and other security technologies to protect your data.

Importance of Identity Management in Security - Microsoft Tech Tour @Towson

Adam Levithan

The document discusses identity and content security for cloud services like Office 365. It describes the evolving threat landscape where data breaches are increasingly common. It then outlines various approaches Microsoft takes to secure user identity, access to applications and content, device management, and auditing and monitoring in its cloud services. These include multi-factor authentication, conditional access policies, encryption of data in transit and at rest, activity monitoring and alerts, and mobile device management capabilities. The document aims to help organizations understand how to translate on-premises security practices to the cloud to properly secure user identity and regulate access to content.

How to Overcome Network Access Control Limitations for Better Network Security

Cryptzone

The document summarizes the limitations of Network Access Control (NAC) solutions for securing networks and controlling access in modern IT environments where resources are distributed. It argues that a Software-Defined Perimeter (SDP) model provides better security by establishing encrypted, individual connections between each user and only the specific applications and resources they are authorized to access, rather than relying on trust-based access inside the network perimeter. Key benefits of SDP include zero-trust authentication, dynamic identity-based policies, encryption of all traffic, simplicity, and consistency across cloud and hybrid environments.

5 Security Questions To Ask A Cloud Service Provider

Tyrone Systems

B2 - The History of Content Security: Part 2 - Adam Levithan

SPS Paris

We're currently living Part 1 of the Content Security Journey and now we've reached a critical juncture where technologies have evolved to support Part 2. Our journey to reach the Secure Productive Enterprise (SPE) includes understanding users, their roles, what devices they're working on, and how to protect that content at rest and flying across the network. Based on real-life use cases in the Aerospace & Defence and Life Sciences industries you will walk away with an understanding of the technologies available to you, and a clear way to communicate with business stakeholders.

Let the trust evolve itself

Sanjeev Azad

Similar to LLoyd - Web proxy vs. Federated SSO: A Practical Guide (20)

OpenAthens Conference 2019: Simplifying the SSO User Experience: The RA21 ini...

MongoDB.local Sydney: The Changing Face of Data Privacy & Ethics, and How Mon...

Remote Access Policy Is A Normal Thing

Presentation security measure

Smart Identity for the Hybrid Multicloud World

[Workshop] Digital Transformation: Breaking Down Boundaries for Greater Conne...

Blockchain and Cybersecurity

Why IAM is the Need of the Hour

Respect Connect: From Social Login to Personal Cloud Login

Seattle Tech4Good meetup: Data Security and Privacy

Security On The Cloud

A Guide To Single Sign-On for IBM Collaboration Solutions

Comprehensive Analysis of Contemporary Information Security Challenges

Identity_and_Access_Management_Overview.ppt

Microsoft Office 365 Security and Compliance Updates

Importance of Identity Management in Security - Microsoft Tech Tour @Towson

How to Overcome Network Access Control Limitations for Better Network Security

5 Security Questions To Ask A Cloud Service Provider

B2 - The History of Content Security: Part 2 - Adam Levithan

Let the trust evolve itself

More from National Information Standards Organization (NISO)

Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"

Benner "Expanding Pathways to Publishing Careers"

Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...

Mattingly "AI & Prompt Design: Limitations and Solutions with LLMs"

Mattingly "AI and Prompt Design: LLMs with Text Classification and Open Source"

Mattingly "AI and Prompt Design: LLMs with NER"

Mattingly "AI & Prompt Design: Named Entity Recognition"

Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"

Mattingly "AI & Prompt Design: The Basics of Prompt Design"

Bazargan "NISO Webinar, Sustainability in Publishing"

Rapple "Scholarly Communications and the Sustainable Development Goals"

Compton "NISO Webinar, Sustainability in Publishing"

Mattingly "AI & Prompt Design: Large Language Models"

Hazen, Morse, and Varnum "Spring 2024 ODI Conformance Statement Workshop for ...

Mattingly "AI & Prompt Design" - Introduction to Machine Learning"

Mattingly "Text and Data Mining: Building Data Driven Applications"

Mattingly "Text and Data Mining: Searching Vectors"

Mattingly "Text Mining Techniques"

Mattingly "Text Processing for Library Data: Representing Text as Data"

Carpenter "Designing NISO's New Strategic Plan: 2023-2026"