Back to Basics: What is federated single sign-on?
25 January 2023
Christos Skoutas, senior business development manager, OpenAthens
Housekeeping
1. We are recording
2. Post speaker questions in the Q&A
3. Post general queries in the chat
4. Live transcript is on
What we’ll cover
• Introduction
• What technologies are used in the library/publishing space?
• What is federated single sign-on technology?
• What are the benefits of this type of technology for users/libraries/publishers?
• Questions
Authentication technologies
What’s happened in the last 25 years?
What is IP recognition?
Proxy services
• IP access outside the campus is not available
• Proxy services deal with the off-campus access dilemma
• IP address is passed to the publishers
Covid-19 accelerated remote access to resources
Institutions update their digital infrastructure to offer remote learning to their patrons
Emphasis on technology to maximize online and hybrid learning
Remote access to library resources increased massively
The problem with IP recognition
• Authentication and authorization
• User experience
• Maintenance
• Security
Increased security risks during Covid-19 pandemic
https://www.theguardian.com/world/2020/nov/22/hackers-try-to-steal-covid-vaccine-secrets-in-intellectual-property-war
https://www.fiercepharma.com/pharma/not-just-astrazeneca-north-korean-hackers-targeted-5-other-covid-drug-developers-wsj
“In recent months, we’ve detected cyberattacks from three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for Covid-19.”
Tom Burt, Corporate Vice President, Customer Security & Trust, Microsoft
Not just AstraZeneca: Hackers targeted 5 other COVID-19 drug developers, vaccine cold chain suppliers
Wall Street Journal
Academic institutions are not well-resourced and defended, and researchers have to be educated about the risks
The Guardian
Hackers ‘try to steal Covid vaccine secrets in intellectual property war’
The Guardian
Proxy services: a threat to researchers and organizations
• Sci-Hub and other bad actors exploit the sentiment around open access to research articles
• >90% of compromise is through proxy services
Source: Elsevier data: April 2019-June 2020 https://www.youtube.com/watch?v=KqVo2Pj06dE
What is federated authentication and single sign-on?
User journey without single sign-on
Password 1
Password 1
Password 1
Password 1
Password 1
Resource 1
Resource 2
Resource 3
Resource 4
Resource 5
User journey with single sign-on
Password 1
Resource 1
Resource 2
Resource 3
Resource 4
Resource 5
How federated single sign-on works
I want to access an article
Organization, do you know Jane?
Hi resource, yes Jane is a student here
The concept of federated identity management
• More secure
• Data encryption is standard
• Individual accountability
Identity federations
• Shared trust network
• Standards based (SAML protocol)
• Centrally managed
What are the key benefits?
• Better user experience
• More secure
• Cost efficient
Better user experience
User journey patterns
“Users have kind of pattern…they start in Google to get an idea of the keywords they will need and the scale of the queries they may want to do and then, they go to more refined resources like discovery tools, library catalogues, Google Scholar or specific disciplines databases”
Caroline Gauld, University of Melbourne (https://www.youtube.com/watch?v=SXCi515julE)
“People discover articles through search around 45% of the time. 55% of the time they are doing something else. However, discovery via search has increased over time”
How Readers Discover Content in Scholarly Publications 2021, Gardner, T & al, Renew Consultants
“Discovery is not as simple as ‘novice’ vs. ‘expert’ (…) A professor in one discipline may, for example, use Wikipedia or basic Google searches to familiarize themselves with a new topic just as a new student might”
Resource Discovery@ The University of Oxford, Madsen, C & al, Athenaeum21 Consulting
Research
Federated single sign-on offers better user experience
Cost efficient
More secure
Benefits for publishers
Takeaways from today
• Future-proof your authentication systems
• Secure, resilient and scalable solution in the cloud
• Improves user experience
• Saves you time and money
Any questions?
Thank you
Christos Skoutas
Christos.Skoutas@openathens.net

More Related Content

Similar to What is federated single sign-on?

Open ILRI
Open ILRIOpen ILRI
Open ILRI
ILRI
 
Iam it-summit-2015
Iam it-summit-2015Iam it-summit-2015
Iam it-summit-2015
kevin_donovan
 
The Future of Research Communications and e-Scholarship: Are we there yet?
The Future of Research Communications and e-Scholarship: Are we there yet?The Future of Research Communications and e-Scholarship: Are we there yet?
The Future of Research Communications and e-Scholarship: Are we there yet?
National Information Standards Organization (NISO)
 
Use of PLEs by security and investigation professionals
Use of PLEs by security and investigation professionalsUse of PLEs by security and investigation professionals
Use of PLEs by security and investigation professionals
Tony Ratcliffe
 
How you and your gateway can benefit from the services of the Science Gateway...
How you and your gateway can benefit from the services of the Science Gateway...How you and your gateway can benefit from the services of the Science Gateway...
How you and your gateway can benefit from the services of the Science Gateway...
Katherine Lawrence
 
Panel presentation at ECDL 2009
Panel presentation at ECDL 2009Panel presentation at ECDL 2009
Panel presentation at ECDL 2009Paul Walk
 
Lecture4 Social Web
Lecture4 Social Web Lecture4 Social Web
Lecture4 Social Web
Marieke van Erp
 
SGCI-URSSI-Sustainability in Research Computing
SGCI-URSSI-Sustainability in Research ComputingSGCI-URSSI-Sustainability in Research Computing
SGCI-URSSI-Sustainability in Research Computing
Sandra Gesing
 
Information Architecture Workshop
Information Architecture WorkshopInformation Architecture Workshop
Information Architecture Workshop
Peter Morville
 
Are you giving your users the best online experience - Webinar
Are you giving your users the best online experience - WebinarAre you giving your users the best online experience - Webinar
Are you giving your users the best online experience - Webinar
OpenAthens
 
Chris Shillum: Overview of the RA21 proejct presentation
Chris Shillum: Overview of the RA21 proejct presentationChris Shillum: Overview of the RA21 proejct presentation
Chris Shillum: Overview of the RA21 proejct presentation
National Information Standards Organization (NISO)
 
Sgci nasa-esds-10-29-18
Sgci nasa-esds-10-29-18Sgci nasa-esds-10-29-18
Sgci nasa-esds-10-29-18
Nancy Wilkins-Diehr
 
Webscale Discovery and Information Literacy
Webscale Discovery and Information LiteracyWebscale Discovery and Information Literacy
Webscale Discovery and Information LiteracyCharleston Conference
 
Webscale discovery and information literacy
Webscale discovery and information literacyWebscale discovery and information literacy
Webscale discovery and information literacy
li1smc
 
SGCI OAC webinar 4 18-19
SGCI OAC webinar 4 18-19SGCI OAC webinar 4 18-19
SGCI OAC webinar 4 18-19
Nancy Wilkins-Diehr
 
Health information professionals and Artificial Intelligence
Health information professionals and Artificial IntelligenceHealth information professionals and Artificial Intelligence
Health information professionals and Artificial Intelligence
coxamcoxam
 
“From Discovery to Fulfillment: Improving the User Experience at Every Stage.”
 “From Discovery to Fulfillment: Improving the User Experience at Every Stage.” “From Discovery to Fulfillment: Improving the User Experience at Every Stage.”
“From Discovery to Fulfillment: Improving the User Experience at Every Stage.”
Lynn Connaway
 
Csu library deans june 2014
Csu library deans june 2014Csu library deans june 2014
Csu library deans june 2014Stephen Abram
 
Alamw15 VIVO
Alamw15 VIVOAlamw15 VIVO
Alamw15 VIVO
Kristi Holmes
 
ArcGIS Open Data: Engagement
ArcGIS Open Data: Engagement ArcGIS Open Data: Engagement
ArcGIS Open Data: Engagement
sidewalkballet
 

Similar to What is federated single sign-on? (20)

Open ILRI
Open ILRIOpen ILRI
Open ILRI
 
Iam it-summit-2015
Iam it-summit-2015Iam it-summit-2015
Iam it-summit-2015
 
The Future of Research Communications and e-Scholarship: Are we there yet?
The Future of Research Communications and e-Scholarship: Are we there yet?The Future of Research Communications and e-Scholarship: Are we there yet?
The Future of Research Communications and e-Scholarship: Are we there yet?
 
Use of PLEs by security and investigation professionals
Use of PLEs by security and investigation professionalsUse of PLEs by security and investigation professionals
Use of PLEs by security and investigation professionals
 
How you and your gateway can benefit from the services of the Science Gateway...
How you and your gateway can benefit from the services of the Science Gateway...How you and your gateway can benefit from the services of the Science Gateway...
How you and your gateway can benefit from the services of the Science Gateway...
 
Panel presentation at ECDL 2009
Panel presentation at ECDL 2009Panel presentation at ECDL 2009
Panel presentation at ECDL 2009
 
Lecture4 Social Web
Lecture4 Social Web Lecture4 Social Web
Lecture4 Social Web
 
SGCI-URSSI-Sustainability in Research Computing
SGCI-URSSI-Sustainability in Research ComputingSGCI-URSSI-Sustainability in Research Computing
SGCI-URSSI-Sustainability in Research Computing
 
Information Architecture Workshop
Information Architecture WorkshopInformation Architecture Workshop
Information Architecture Workshop
 
Are you giving your users the best online experience - Webinar
Are you giving your users the best online experience - WebinarAre you giving your users the best online experience - Webinar
Are you giving your users the best online experience - Webinar
 
Chris Shillum: Overview of the RA21 proejct presentation
Chris Shillum: Overview of the RA21 proejct presentationChris Shillum: Overview of the RA21 proejct presentation
Chris Shillum: Overview of the RA21 proejct presentation
 
Sgci nasa-esds-10-29-18
Sgci nasa-esds-10-29-18Sgci nasa-esds-10-29-18
Sgci nasa-esds-10-29-18
 
Webscale Discovery and Information Literacy
Webscale Discovery and Information LiteracyWebscale Discovery and Information Literacy
Webscale Discovery and Information Literacy
 
Webscale discovery and information literacy
Webscale discovery and information literacyWebscale discovery and information literacy
Webscale discovery and information literacy
 
SGCI OAC webinar 4 18-19
SGCI OAC webinar 4 18-19SGCI OAC webinar 4 18-19
SGCI OAC webinar 4 18-19
 
Health information professionals and Artificial Intelligence
Health information professionals and Artificial IntelligenceHealth information professionals and Artificial Intelligence
Health information professionals and Artificial Intelligence
 
“From Discovery to Fulfillment: Improving the User Experience at Every Stage.”
 “From Discovery to Fulfillment: Improving the User Experience at Every Stage.” “From Discovery to Fulfillment: Improving the User Experience at Every Stage.”
“From Discovery to Fulfillment: Improving the User Experience at Every Stage.”
 
Csu library deans june 2014
Csu library deans june 2014Csu library deans june 2014
Csu library deans june 2014
 
Alamw15 VIVO
Alamw15 VIVOAlamw15 VIVO
Alamw15 VIVO
 
ArcGIS Open Data: Engagement
ArcGIS Open Data: Engagement ArcGIS Open Data: Engagement
ArcGIS Open Data: Engagement
 

More from OpenAthens

Webinar - Making the business case - resources.pptx
Webinar - Making the business case - resources.pptxWebinar - Making the business case - resources.pptx
Webinar - Making the business case - resources.pptx
OpenAthens
 
Library user experience report: Removing barriers in the search for knowledge
Library user experience report: Removing barriers in the search for knowledgeLibrary user experience report: Removing barriers in the search for knowledge
Library user experience report: Removing barriers in the search for knowledge
OpenAthens
 
Access interrupted? How changes in browser technology may impact researchers'...
Access interrupted? How changes in browser technology may impact researchers'...Access interrupted? How changes in browser technology may impact researchers'...
Access interrupted? How changes in browser technology may impact researchers'...
OpenAthens
 
IOP Publishing - How we simplified user access
IOP Publishing - How we simplified user accessIOP Publishing - How we simplified user access
IOP Publishing - How we simplified user access
OpenAthens
 
Introduction to SeamlessAccess
Introduction to SeamlessAccessIntroduction to SeamlessAccess
Introduction to SeamlessAccess
OpenAthens
 
APAN50 - Removing barriers to knowledge
APAN50 - Removing barriers to knowledgeAPAN50 - Removing barriers to knowledge
APAN50 - Removing barriers to knowledge
OpenAthens
 
Access Lab 2020: FOLIO + OpenAthens integration
Access Lab 2020: FOLIO + OpenAthens integrationAccess Lab 2020: FOLIO + OpenAthens integration
Access Lab 2020: FOLIO + OpenAthens integration
OpenAthens
 
Access Lab 2020: OpenAthens product roadmap
Access Lab 2020: OpenAthens product roadmapAccess Lab 2020: OpenAthens product roadmap
Access Lab 2020: OpenAthens product roadmap
OpenAthens
 
Access Lab 2020: OpenAthens and Alma implementation
Access Lab 2020: OpenAthens and Alma implementationAccess Lab 2020: OpenAthens and Alma implementation
Access Lab 2020: OpenAthens and Alma implementation
OpenAthens
 
Access Lab 2020: Switching from EzProxy to OpenAthens
Access Lab 2020: Switching from EzProxy to OpenAthensAccess Lab 2020: Switching from EzProxy to OpenAthens
Access Lab 2020: Switching from EzProxy to OpenAthens
OpenAthens
 
Access Lab 2020: Helping users get on the right path even if they start off o...
Access Lab 2020: Helping users get on the right path even if they start off o...Access Lab 2020: Helping users get on the right path even if they start off o...
Access Lab 2020: Helping users get on the right path even if they start off o...
OpenAthens
 
Access Lab 2020: From raw content assets to personalised, digital products
Access Lab 2020: From raw content assets to personalised, digital productsAccess Lab 2020: From raw content assets to personalised, digital products
Access Lab 2020: From raw content assets to personalised, digital products
OpenAthens
 
Access Lab 2020: Librarians are users too
Access Lab 2020: Librarians are users tooAccess Lab 2020: Librarians are users too
Access Lab 2020: Librarians are users too
OpenAthens
 
Access Lab 2020: Saying ‘no’ the publisher’s personal data gathering – our ex...
Access Lab 2020: Saying ‘no’ the publisher’s personal data gathering – our ex...Access Lab 2020: Saying ‘no’ the publisher’s personal data gathering – our ex...
Access Lab 2020: Saying ‘no’ the publisher’s personal data gathering – our ex...
OpenAthens
 
Access Lab 2020: Change of identity, loss of personalisation?
Access Lab 2020: Change of identity, loss of personalisation? Access Lab 2020: Change of identity, loss of personalisation?
Access Lab 2020: Change of identity, loss of personalisation?
OpenAthens
 
Access Lab 2020: Easier access to content from anywhere
Access Lab 2020: Easier access to content from anywhereAccess Lab 2020: Easier access to content from anywhere
Access Lab 2020: Easier access to content from anywhere
OpenAthens
 
Access Lab 2020: What OpenAthens can do for you: creative applications for th...
Access Lab 2020: What OpenAthens can do for you: creative applications for th...Access Lab 2020: What OpenAthens can do for you: creative applications for th...
Access Lab 2020: What OpenAthens can do for you: creative applications for th...
OpenAthens
 
Access Lab 2020: OpenAthens service availability and customer charter
Access Lab 2020: OpenAthens service availability and customer charterAccess Lab 2020: OpenAthens service availability and customer charter
Access Lab 2020: OpenAthens service availability and customer charter
OpenAthens
 
Access Lab 2020: Context aware unified institutional knowledge services
Access Lab 2020: Context aware unified institutional knowledge servicesAccess Lab 2020: Context aware unified institutional knowledge services
Access Lab 2020: Context aware unified institutional knowledge services
OpenAthens
 
Access lab 2020: The Future of Libraries
Access lab 2020: The Future of LibrariesAccess lab 2020: The Future of Libraries
Access lab 2020: The Future of Libraries
OpenAthens
 

More from OpenAthens (20)

Webinar - Making the business case - resources.pptx
Webinar - Making the business case - resources.pptxWebinar - Making the business case - resources.pptx
Webinar - Making the business case - resources.pptx
 
Library user experience report: Removing barriers in the search for knowledge
Library user experience report: Removing barriers in the search for knowledgeLibrary user experience report: Removing barriers in the search for knowledge
Library user experience report: Removing barriers in the search for knowledge
 
Access interrupted? How changes in browser technology may impact researchers'...
Access interrupted? How changes in browser technology may impact researchers'...Access interrupted? How changes in browser technology may impact researchers'...
Access interrupted? How changes in browser technology may impact researchers'...
 
IOP Publishing - How we simplified user access
IOP Publishing - How we simplified user accessIOP Publishing - How we simplified user access
IOP Publishing - How we simplified user access
 
Introduction to SeamlessAccess
Introduction to SeamlessAccessIntroduction to SeamlessAccess
Introduction to SeamlessAccess
 
APAN50 - Removing barriers to knowledge
APAN50 - Removing barriers to knowledgeAPAN50 - Removing barriers to knowledge
APAN50 - Removing barriers to knowledge
 
Access Lab 2020: FOLIO + OpenAthens integration
Access Lab 2020: FOLIO + OpenAthens integrationAccess Lab 2020: FOLIO + OpenAthens integration
Access Lab 2020: FOLIO + OpenAthens integration
 
Access Lab 2020: OpenAthens product roadmap
Access Lab 2020: OpenAthens product roadmapAccess Lab 2020: OpenAthens product roadmap
Access Lab 2020: OpenAthens product roadmap
 
Access Lab 2020: OpenAthens and Alma implementation
Access Lab 2020: OpenAthens and Alma implementationAccess Lab 2020: OpenAthens and Alma implementation
Access Lab 2020: OpenAthens and Alma implementation
 
Access Lab 2020: Switching from EzProxy to OpenAthens
Access Lab 2020: Switching from EzProxy to OpenAthensAccess Lab 2020: Switching from EzProxy to OpenAthens
Access Lab 2020: Switching from EzProxy to OpenAthens
 
Access Lab 2020: Helping users get on the right path even if they start off o...
Access Lab 2020: Helping users get on the right path even if they start off o...Access Lab 2020: Helping users get on the right path even if they start off o...
Access Lab 2020: Helping users get on the right path even if they start off o...
 
Access Lab 2020: From raw content assets to personalised, digital products
Access Lab 2020: From raw content assets to personalised, digital productsAccess Lab 2020: From raw content assets to personalised, digital products
Access Lab 2020: From raw content assets to personalised, digital products
 
Access Lab 2020: Librarians are users too
Access Lab 2020: Librarians are users tooAccess Lab 2020: Librarians are users too
Access Lab 2020: Librarians are users too
 
Access Lab 2020: Saying ‘no’ the publisher’s personal data gathering – our ex...
Access Lab 2020: Saying ‘no’ the publisher’s personal data gathering – our ex...Access Lab 2020: Saying ‘no’ the publisher’s personal data gathering – our ex...
Access Lab 2020: Saying ‘no’ the publisher’s personal data gathering – our ex...
 
Access Lab 2020: Change of identity, loss of personalisation?
Access Lab 2020: Change of identity, loss of personalisation? Access Lab 2020: Change of identity, loss of personalisation?
Access Lab 2020: Change of identity, loss of personalisation?
 
Access Lab 2020: Easier access to content from anywhere
Access Lab 2020: Easier access to content from anywhereAccess Lab 2020: Easier access to content from anywhere
Access Lab 2020: Easier access to content from anywhere
 
Access Lab 2020: What OpenAthens can do for you: creative applications for th...
Access Lab 2020: What OpenAthens can do for you: creative applications for th...Access Lab 2020: What OpenAthens can do for you: creative applications for th...
Access Lab 2020: What OpenAthens can do for you: creative applications for th...
 
Access Lab 2020: OpenAthens service availability and customer charter
Access Lab 2020: OpenAthens service availability and customer charterAccess Lab 2020: OpenAthens service availability and customer charter
Access Lab 2020: OpenAthens service availability and customer charter
 
Access Lab 2020: Context aware unified institutional knowledge services
Access Lab 2020: Context aware unified institutional knowledge servicesAccess Lab 2020: Context aware unified institutional knowledge services
Access Lab 2020: Context aware unified institutional knowledge services
 
Access lab 2020: The Future of Libraries
Access lab 2020: The Future of LibrariesAccess lab 2020: The Future of Libraries
Access lab 2020: The Future of Libraries
 

Recently uploaded

Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 

Recently uploaded (20)

Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

What is federated single sign-on?

  • 1. Back to Basics: What is federated single sign-on? 25 January 2023 Christos Skoutas, senior business development manager, OpenAthens
  • 2. Housekeeping 1. We are recording 2. Post speaker questions in the Q&A 3. Post general queries in the chat 4. Live transcript is on
  • 3. Back to Basics: What is federated single sign-on? 25 January 2023 Christos Skoutas, senior business development manager, OpenAthens
  • 4. What we’ll cover • Introduction • What technologies are used in the library/publishing space? • What is federated single sign-on technology? • What are the benefits of this type of technology for users/libraries/publishers • Questions
  • 6. What is IP recognition? Photo by Clay Banks on Unsplash
  • 7. Proxy services Photo by Devon Divine on Unsplash • IP access outside the campus is not available • Proxy services deal with off-campus access dilemma • IP address is passed to the publishers
  • 8. Covid-19 accelerated remote access to resources Institutions update their digital infrastructure to offer remote learning to their patrons Emphasis on technology to maximize online and hybrid learning Remote access to library resources increased massively
  • 9. The problem with IP recognition Photo by JESHOOTS.COM on Unsplash • Authentication and authorization • User experience • Maintenance • Security
  • 10. Increased security risks during Covid-19 pandemic https://www.theguardian.com/world/2020/nov/22/hackers-try-to-steal-covid-vaccine-secrets-in-intellectual-property-war https://www.fiercepharma.com/pharma/not-just-astrazeneca-north-korean-hackers-targeted-5-other-covid-drug-developers-wsj “In recent months, we’ve detected cyberattacks from three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for Covid-19.” Tom Burt, Corporate Vice President, Customer Security & Trust, Microsoft Not just AstraZeneca: Hackers targeted 5 other COVID-19 drug developers, vaccine cold chain suppliers Wall Street Journal Academic institutions are not well-resourced and defended, and researchers have to be educated about the risks The Guardian Hackers ‘try to steal Covid vaccine secrets in intellectual property war’ The Guardian
  • 11. Proxy services: a threat to researchers and organizations • Sci-Hub and other bad actors exploit the sentiment around open access to research articles • >90% of compromise is through proxy services Source: Elsevier data: April 2019-June 2020 https://www.youtube.com/watch?v=KqVo2Pj06dE
  • 12. What is federated authentication and single sign-on?
  • 13. User journey without single sign-on Password 1 Password 1 Password 1 Password 1 Password 1 Resource 1 Resource 2 Resource 3 Resource 4 Resource 5
  • 14. User journey with single sign-on Password 1 Resource 1 Resource 2 Resource 3 Resource 4 Resource 5
  • 15. How federated single sign-on works I want to access an article Organization, do you know Jane? Hi resource, yes Jane is a student here
  • 16. The concept of federated identity management • More secure • Data encryption is standard • Individual accountability
  • 17. Identity federations • Shared trust network • Standards based (SAML protocol) • Centrally managed
  • 18. What are the key benefits? • Better user experience • More secure • Cost efficient
  • 20. User journey patterns “Users have kind of pattern…they start in Google to get an idea of the keywords they will need and the scale of the queries they may want to do and then, they go to more refine resources like discovery tools, library catalogues, google scholar or specific disciplines databases” Caroline Gauld, University of Melbourne (https://www.youtube.com/watch?v=SXCi515julE) “People discover articles through search around 45% of the time. 55% of the time they are doing something else. However, discovery via search has increased over time” How Readers Discover Content in Scholarly Publications 2021, Gardner, T & al, Renew Consultants “Discovery is not as simple as ‘novice’ vs. ‘expert’(…) A professor in one discipline may, for example, use Wikipedia or basic Google searches to familiarize themselves with a new topic just as a new student might” Resource Discovery@ The University of Oxford, Madsen, C & al, Athenaeum21 Consulting Research
  • 21. Federated single sign-on offers better user experience
  • 22. Federated single sign-on offers better user experience
  • 23. Federated single sign-on offers better user experience
  • 29. Take aways from today • Future-proof your authentication systems • Secure, resilient and scalable solution in the cloud • Improves user experience • Saves you time and money

Editor's Notes

  1. Thank you Jane. Hello everybody and welcome to our webinar. Here is what I would like to cover today. For the people who don’t know me my name is Christos Skoutas and I have been working for OpenAthens for a few years now. I would like to start the presentation with the main ways users have been accessing e-resources the last few years. Then, I will dive into what federated Single Sign-on is, how it came about, why it is important, and what benefits it brings to libraries, publishers, and users. At the end we will have some time for questions and further discussion.
  2. Now, let’s start with what technologies users have been using to access content. When we say users, we mean students/researchers/professors, anybody who needs access to subscribed content online. What we mean by subscribed content is electronic journals/e-databases/ebooks, etc. IP (Internet protocol) recognition is the most widely used technology and it goes back to 1974 as we can see here. Then in the 90s we had other technologies like VPNs, Athens (as we were called back then) and EZproxy. In 2002 a protocol called SAML (SAML stands for Security Assertion Mark-up Language) was introduced, and more recently other protocols like OpenID Connect came about.
  3. IP recognition is an access method that was developed in the early 90s when almost all computers were located in the library. Back then we didn’t have any smartphones and very few people worked or studied remotely. IP addresses back then were static.
  4. When technology advanced and mobile devices like laptops/tablets/mobile phones came about, access outside the campus wasn’t available. That’s when proxy services came in to solve that problem. What IP Proxy services do is that they allow end users to appear to a publisher/content provider as if they were within the physical IP range of the subscribing institution despite the fact they were off campus. Many IP addresses are dynamic and constantly changing over time. The increased use of laptops/smartphones/tablets made the IP recognition model unable to accommodate remote users. To solve this problem institutions started using proxy servers and VPNs. Proxy servers and VPNs aggregate individual user sessions behind a single institutional IP address. Since this address is within the range registered with the publisher, the aggregated connections are accepted.
  5. Now, on top of the technological changes that happened the last 25 years, Covid accelerated this trend and highlighted the need for reliable systems to allow an increased number of remote users to access library resources. During the last 3 years, offering uninterrupted and secure access to e-resources to users based anywhere has become paramount.
  6. Authentication and authorization. These words, authentication and authorisation, can be tricky. Authentication is when someone asks the question "tell me who you are". You need to prove your affiliation with the organisation. Then, the publisher will make an authorisation decision based on the information that is sent from the institution to the content provider. Authorisation answers the question of what you can access. The IP recognition model is constructed on the assumption that an IP address reliably indicates a user’s physical location. This was true back in the 90s but it isn’t now. The model assumes a physical location can be relied on to identify a legitimate authorised user. That means the model conflates IP addresses with location and identity. This is the reason I refer to this model as IP recognition and not IP authentication. The system works by recognising an IP address, not by authenticating an individual user. Regarding user experience: IP recognition requires services like proxy servers or VPNs, which require remote users to log in to a library portal first, then navigate to online content. This is not a good experience since users cannot access content directly on publishers’ websites. Maintenance: IP recognition is not easy to maintain. If the subscribing institution’s IP address ranges change, then these changes must be coordinated with potentially hundreds of publishers. I experienced this problem first hand when I was working for publishers before joining OpenAthens. There were many times that libraries contacted me to update their IP address urgently because their students didn’t have access due to the changing of IP addresses. Another thing we are hearing from librarians is that it is very time consuming to manage these proxy servers. This doesn’t allow them to spend time on more important things such as helping users with their research, looking to purchase more content or replace the resources they subscribe to, etc. In terms of security, IP recognition is highly insecure. IP addresses can be easily spoofed and the institutional networks can be penetrated for illicit downloading. Since IP recognition has no facility for authenticating and authorizing users, it’s highly vulnerable to misuse.
  7. We also saw that hacking attempts increased during Covid over the last 3 years, since hackers targeted research institutions on a global scale.
  8. Research by one of the biggest publishers found out that more than 90% of compromise is through proxy services. When users find it difficult or complicated to access content they go to places like Sci-Hub. For anyone who doesn’t know what Sci-Hub is, it is an illegal site that gets users to share institution login credentials for access to scholarly research platforms. They steal and openly share login credentials on the dark web and COVID-19 has accelerated the need for increased remote access, increasing security risk.
  9. As we saw on the timeline slide earlier there is a protocol called SAML (Security Assertion Mark-up Language) that was designed for authentication and solves some of the problems that IP recognition causes. But before we talk about SAML and federated authentication I would like to clarify what we mean by single sign-on.
  10. Without a single sign-on system, users need multiple usernames and passwords to access e-journals/e-databases/e-books and other library systems. This is not ideal especially in an online environment where users’ attention span is very short.
  11. Single sign-on solves that problem and offers a much better experience. With one username/password users can access multiple resources as you can see in the diagram above.
  12. As we saw previously, SAML started in 2002 and it was designed specifically for authentication: SAML certifies users’ identity. Also, SAML is a standard that is used to exchange information (what we call attributes in SAML) about users with the resources they are accessing while keeping their login details private. SAML is well-established and widely-deployed and uses industry standards and best-practice to digitally sign and encrypt messages to prevent fraudulent use or interception by attackers. Also, most SAML-based systems allow granular control over what attributes are exchanged with particular resources. This makes SAML not only a more secure alternative to IP recognition but also a more flexible framework for Single Sign-On for many different scenarios.
  13. The concept of federated identity management was invented in the research and academic community more than 20 years ago. Alongside the technology, a model for building a fabric of trust has been established, based around the idea of identity management federations. To join a federation, which are typically organized geographically, identity providers and service providers must agree to a set of practices and policies. You have an institution on one side, and a content provider/publisher on the other side.
  14. Federations play an important role in ensuring that standards are being met by Identity Providers and Service Providers alike and that we can trust each other. Federated access is the concept where registered publishers or service providers and institutions put their metadata in the same place. This way publishers and institutions do not need to establish lots of one-to-one connections that they have to maintain. We talked about SAML being the international standard for authentication, but why do we need federations in the first place? Can’t we just use SAML? Firstly, SAML is not a plug and play technology. You could task 5 developers to build a set of SAML tools and they would not all operate the same way. Federations were created so that everyone involved adheres to the same policy framework, and technical infrastructure and standards. The key thing about SAML in a federated environment is the "deploy once, reuse multiple times" model. It is fully scalable. So, an institution can connect to any publisher that is a member of its federation but more importantly a publisher can deploy once and connect to any participating institution within that same federation.
  15. We noticed that demand from libraries around the world for a secure and modern single sign-on system has increased substantially the last few years. Federated authentication came to the front since it meets lots of libraries’ and publishers’ criteria. Let’s have a closer look at the specific benefits of federated single sign-on. I would like to start with what the user experience looks like.
  16. Federated single sign-on offers a more seamless access especially for remote users.
  17. Things have changed especially the last few years. Access to library resources from anywhere and on any device has become imperative. Also, products and services such as Google/Netflix/Amazon/Facebook have redefined users’ expectations. Research shows that users nowadays start their journey on Google or Google Scholar rather than from the library’s portal. That creates all sorts of problems especially if libraries rely on IP recognition to allow access to their subscribed e-resources.
  18. With federated single sign-on users are able to start their search on Google or Google Scholar and access the content they are looking for with a few clicks. The screenshot here shows that particular scenario. The user looks for an article on Google Scholar.
  19. When they find that article they click on the link that can take them to the publisher’s website.
  20. And on the publisher’s website they can access that article via their institutional login button as we can see. It’s a very easy process and one that users are familiar with since it resembles similar patterns when users try to access other services on the internet. With IP recognition the user has to start their journey on the library’s portal, which is not ideal since we saw previously that a substantial percentage of users start their research on Google or Google Scholar. The increase of remote users due to the pandemic the last 3 years highlighted this functionality and the benefit federated Single Sign-on brings to the end users.
  21. Moving on I would like to delve into how federated single sign-on can benefit libraries. Talking to librarians from different parts of the world we can see that they face challenges when they are looking into what access systems they need to implement. Offering their users the best experience when they access library e-resources is very important. We saw in the previous slide how this is achieved by using a federated single sign-on system. Another challenge librarians face is the maintenance of IP addresses/proxy servers. Very often we hear that libraries have one person working full-time to manage their proxy server. I was in India back in September and a librarian from an academic institution was telling me that because their IT department changed their IP addresses she had to contact all the publishers they subscribed to every year so that they update their system with the new IP addresses. She said that this was very time consuming and not a good use of her time. In terms of efficiency and cost, SAML is a more stable technology and the most modern authentication system available. The ongoing maintenance required is low while a proxy system requires regular, ongoing maintenance as resources change and proxy configurations need updating. Now, some people may wonder that’s fine, but why can’t we use one to one SAML connections?
  22. I included a diagram here to show how it looks when institutions use 1:1 connections. 1:1 connections require more technical involvement to set up and maintain. Libraries that are non-technical or lack the resources/manpower need the support of their IT team to set up and maintain direct SAML connections.
  23. The concept of federated authentication reduces the need for one to one connections. In practical terms what happens for example with OpenAthens federation is that we manage all the connections in the Federation so if something needs to be updated (say a security certificate from a publisher) then we’re able to work with the publisher to have that work completed, with the minimal amount of impact. A single change is made centrally and all Federation members benefit, rather than each library managing their own connections and fixing things independently.
  24. Regarding security, IP addresses are easier to spoof while SAML provides a strong set of security tools & policies. With SAML, unauthorised activity is identified early, and the user account is blocked. Also, access for other users is not impacted, in contrast with IP recognition in which publishers block IPs and users, and an entire university could be without access for hours or even days. We had examples of universities that had incidents every week when they were using a proxy solution and that was one of the reasons they moved to OpenAthens. Federated authentication also preserves user privacy by using persistent opaque identifiers which can only be decoded by the subscribing institution.
  25. We talked about how a federated Single Sign-on system can help users and libraries. But what about publishers? Publishers have been adopting federated authentication the last few years for a few reasons: Firstly, publishers want users to be able to get to their content from anywhere on any device seamlessly. Another thing publishers like about federated authentication is that it’s more secure than IP and more suited to protect their content. Now, you may ask, that’s ok but why don’t we use SAML one to one connections or what we call bilateral connections? The reason is that 1-1 connections lead to higher overheads. They require more technical involvement to set up and maintain direct SAML connections as we mentioned previously. Publishers need to liaise with the library and IT team of every library customer that needs a 1:1 SAML connection. This task is technical and very time consuming. Any changes to certificates or metadata can disrupt services for library customers. And any disruption to service could result in a poor relationship with library customers and their patrons.
  26. I would like to end the presentation with some of the things I would like you to take from this talk today. Federated authentication is the best technology we have at the moment and it looks like it will be with us for the next few years. Publishers and libraries all around the world are moving away from IP recognition and the pandemic accelerated this trend the last 3 years. Federated single sign-on is based on a robust reliable infrastructure that improves the user experience within a highly secure environment.
  27. Thank you very much and I think we have some time for questions. Jane, do we have any questions?
  28. Monday 20 and Thursday 23 March 2023, online.
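
The contrast drawn in notes 6 and 24 (a proxy hides every user behind one address, while federated sign-on gives the publisher a persistent opaque identifier per user) can be worked through in code. This is an added example, not part of the original presentation and not OpenAthens code; the keyed-hash derivation of the identifier, the entity ID, user names and addresses are all assumptions constructed for illustration, and SAML message signing is not modelled.

```python
import hashlib
import hmac
import ipaddress

# Every name and value here is constructed for illustration.
IDP_SECRET = b"constructed-demo-secret"   # known only to the institution
CAMPUS_RANGE = ipaddress.ip_network("192.0.2.0/24")   # documentation range
PROXY_IP = "192.0.2.10"   # all off-campus users reach the publisher from here


def pairwise_id(user, sp_entity_id, secret=IDP_SECRET):
    """Opaque identifier, stable for one (user, service provider) pair."""
    msg = sp_entity_id.encode() + b"\x00" + user.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def resolve(opaque_id, sp_entity_id, directory, secret=IDP_SECRET):
    """Institution-side lookup: recompute over the directory to find the user."""
    for user in directory:
        if hmac.compare_digest(pairwise_id(user, sp_entity_id, secret), opaque_id):
            return user
    return None


def issue_assertion(user, affiliation, sp_entity_id):
    """Attributes the institution releases; SAML signing is not modelled here."""
    return {"subject": pairwise_id(user, sp_entity_id), "affiliation": affiliation}


class IpRecognitionPublisher:
    """Decides on source address alone, so proxied users are indistinguishable."""

    def __init__(self):
        self.blocked = set()

    def allow(self, source_ip):
        in_range = ipaddress.ip_address(source_ip) in CAMPUS_RANGE
        return in_range and source_ip not in self.blocked

    def block(self, source_ip):
        self.blocked.add(source_ip)


class FederatedPublisher:
    """Decides on the asserted affiliation and the per-user opaque identifier."""

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.blocked = set()

    def allow(self, assertion):
        entitled = assertion["affiliation"] in {"student", "staff"}
        return entitled and assertion["subject"] not in self.blocked

    def block(self, subject):
        self.blocked.add(subject)


def compare_blocking():
    """One account misbehaves; report who keeps access under each model."""
    ip_pub = IpRecognitionPublisher()
    fed_pub = FederatedPublisher("https://publisher.example/sp")
    jane = issue_assertion("jane", "student", fed_pub.entity_id)
    omar = issue_assertion("omar", "staff", fed_pub.entity_id)
    ip_pub.block(PROXY_IP)            # the only handle the publisher has
    fed_pub.block(jane["subject"])    # targets the one misbehaving account
    return {
        "ip_model_omar": ip_pub.allow(PROXY_IP),
        "fed_model_jane": fed_pub.allow(jane),
        "fed_model_omar": fed_pub.allow(omar),
    }


if __name__ == "__main__":
    print(compare_blocking())
```

Because the identifier is derived per service provider, two publishers cannot correlate the same user, and only the holder of the institution's secret and directory can map an identifier back to a person.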