www.openathens.org
Authentication technology update: OpenAthens
Phil Leahy
Service Relationship Manager
phil.leahy@eduserv.org.uk
Coming up
• The access management toolkit
• Security, privacy and personalisation
• What opportunities are new technologies bringing?
• How OpenAthens helps organisations and their content provider suppliers
Helping over 2,200 organisations in 48 countries enable access to hundreds of thousands of journals, databases and ebooks for over 4 million end users.
The access management toolkit
• Vendor-supplied credentials
• Referral URLs
• IP recognition
• Peer-to-peer SAML connections
• Federated access management
Changing user requirements
• Mobile access is key
• Personalisation is expected
• Multiple devices are used
Changing librarian requirements
• More tech services to manage
• Multiple tech services must integrate
• Monitor e-library engagement
What is local authentication?
• Uses existing usernames and passwords, typically held in Active Directory
• Same account used for ‘local’ and external systems
  • VLE
  • Google Apps / Office 365
  • OpenAthens
• Reduces administration
• Reduces user queries
Security is paramount
• Authentication within Federations uses SAML
• Data encryption comes as standard
• Individual level accountability
• Permission setting features – easier to comply with restricted content licences
• Authentication servers monitored for misuse
Directory integrations
CAS (Client Access Server)
Build against an API
• Log your users into the system based on credentials stored in any system you can gain programmatic access to
• Great when you cannot use other connection types
Connecting to SAML applications
• OpenAthens can interact with many Apps
• Better overall experience for end users
• ‘True’ single sign-on
Integration with SAML applications
Is user privacy at risk?
• SAML encrypts data by default…
• …but is that sufficient?
• Personalisation requires that content providers know something about a user…
• …what is acceptable?
https://twitter.com/lisalibrarian/status/927534622799548416
Attribute release in OpenAthens
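The attribute-release question raised on the previous slide and in the editor's notes for slides #15 and #16, worked as an added Python example (illustration only, not OpenAthens code): the IdP releases a baseline of non-identifying attributes plus a per-service pseudonymous identifier, and releases identifying attributes only to services whose per-SP policy entry allows them. The user record, entity IDs, scope and IdP secret are constructed for the example.

```python
"""IdP-side attribute release policy with a pairwise pseudonymous identifier.
Added illustration, not OpenAthens code; user record, entity IDs and policy
table are constructed for the example."""
import base64
import hashlib
import hmac

SCOPE = "example.ac.uk"                      # constructed organisation scope
IDP_SECRET = b"constructed-idp-secret-salt"  # a long random value in practice

# Constructed user record as held in the organisation's directory.
USER = {
    "uid": "jsmith",
    "mail": "j.smith@example.ac.uk",
    "displayName": "Jane Smith",
    "eduPersonScopedAffiliation": ["staff@example.ac.uk"],
    "department": "Chemistry",
}

# Released to every service provider: enough to enforce the licence
# (affiliation) and to persist preferences (pairwise id), nothing that
# names the person.
BASELINE = {"eduPersonScopedAffiliation", "pairwise-id"}

# Per-SP additions, keyed by SAML entityID (constructed). Identifying
# attributes go only to services with a documented need for them.
SP_POLICY = {
    "https://sp.example-publisher.com/shibboleth": set(),
    "https://vle.example.ac.uk/saml": {"displayName", "mail"},
}


def pairwise_id(uid, sp_entity_id):
    """Opaque identifier that is stable for one (user, SP) pair but different
    for every SP, so two providers cannot correlate the same person. Shape
    follows the SAML pairwise-id attribute: <opaque>@<scope>."""
    msg = f"{uid}|{sp_entity_id}".encode()
    mac = hmac.new(IDP_SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode() + "@" + SCOPE


def release(user, sp_entity_id, requested):
    """Apply the release policy for one SP.
    requested: attribute names the SP asks for (typically from its metadata).
    Returns (released, denied): the SP receives only the requested attributes
    the policy allows, plus the pairwise id; denied lists what it asked for
    and was refused, which is worth logging and reviewing."""
    allowed = BASELINE | SP_POLICY.get(sp_entity_id, set())
    released = {n: user[n] for n in requested if n in allowed and n in user}
    released["pairwise-id"] = pairwise_id(user["uid"], sp_entity_id)
    denied = sorted(set(requested) - allowed)
    return released, denied


if __name__ == "__main__":
    req = ["displayName", "mail", "eduPersonScopedAffiliation"]
    for sp in SP_POLICY:
        got, refused = release(USER, sp, req)
        print(sp, "released:", sorted(got), "denied:", refused)
```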
OpenAthens Cloud
• Benefit from SAML without installing it
• OpenAthens Cloud offers the same benefits
• OpenID Connect is the hook…
• …but what is OpenID Connect?
Federation standards
OpenID Connect
• Web-scale
• Modern, developer-friendly
• Only implicit trust
SAML
• Enterprise
• Mid-2000s tech, hard to adopt
• Scalable trust-network
OpenAthens Cloud
OpenAthens Wayfinder:
helping content providers help users
New technologies = new opportunities?
Google Scholar CASA
“CASA builds on Google Scholar’s Subscriber Links program which provides direct links in the search interface to subscribed collections for on-campus users. With CASA, a researcher can start a literature survey on campus and resume where she left off once she is home, or travelling, with no hoops to jump through. Her subscribed collections are highlighted in Google Scholar searches and she is able to access articles in exactly the same way as on campus.”
Users must access on-campus at least every 30 days to maintain off-campus access.
https://home.heinonline.org/blog/2017/09/casa-en-nuestra-casa-casa-in-our-house/
BeyondCorp at Google
• Principles
  • Connecting from a particular network must not determine which services you can access.
  • Access to services is granted based on what we know about you and your device.
  • All access to services must be authenticated, authorized and encrypted.
https://cloud.google.com/beyondcorp/
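The contextual-authentication model described on this slide and in the editor's notes for slide #24 (device trust inferred from observed and prescribed signals, the network as one factor rather than the deciding one, a step-up challenge only when a signal calls for it), worked as an added Python example that is neither Google's nor OpenAthens' code. The signal names, thresholds and network ranges are constructed for the example.

```python
"""Contextual authentication decision in the BeyondCorp style.
Added illustration, neither Google's nor OpenAthens' code; signal names,
thresholds and network ranges are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import ipaddress

# Constructed trusted networks: a campus range and a documentation range.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.0.2.0/24")]
SCAN_MAX_AGE = timedelta(days=7)       # device health evidence must be recent
ACTIVITY_WINDOW = timedelta(days=30)   # "previous activity" signal
BRUTE_FORCE_LIMIT = 5                  # failures per hour before we stop trying


@dataclass
class Context:
    user: str
    ip: str
    device_registered: bool                 # prescribed: known in inventory
    patch_level_ok: bool                    # observed: patch level
    last_security_scan: Optional[datetime]  # observed: last security scan
    last_success: Optional[datetime]        # previous successful login
    last_success_ip: Optional[str]
    failed_attempts_last_hour: int


def on_trusted_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def device_trusted(ctx: Context, now: datetime) -> bool:
    """Trust is inferred from inventory plus observed health, not from the
    network the device happens to be on."""
    if not (ctx.device_registered and ctx.patch_level_ok and ctx.last_security_scan):
        return False
    return now - ctx.last_security_scan <= SCAN_MAX_AGE


def risk_score(ctx: Context, now: datetime) -> int:
    """Sum of independent signals; 0 means every signal is reassuring."""
    score = 0
    if not device_trusted(ctx, now):
        score += 2
    if not on_trusted_network(ctx.ip):
        score += 1   # network is one signal, never the deciding factor
    if ctx.last_success is None or now - ctx.last_success > ACTIVITY_WINDOW:
        score += 1   # no recent activity to corroborate this user
    if ctx.last_success_ip is not None and ctx.last_success_ip != ctx.ip:
        score += 1   # new location compared with the last success
    return score


def decide(ctx: Context, now: datetime) -> str:
    """'allow' = password only, 'mfa' = step up (push/OTP/YubiKey),
    'deny' = block and alert. Extra interaction only when a signal calls for it."""
    if ctx.failed_attempts_last_hour >= BRUTE_FORCE_LIMIT:
        return "deny"
    score = risk_score(ctx, now)
    if score == 0:
        return "allow"
    if score >= 4:
        return "deny"
    return "mfa"


def sample_decisions():
    """Constructed scenarios; returns {scenario: decision}."""
    now = datetime(2017, 11, 1, 9, 0, tzinfo=timezone.utc)
    known = dict(user="jsmith", device_registered=True, patch_level_ok=True,
                 last_security_scan=now - timedelta(days=1),
                 last_success=now - timedelta(days=2), last_success_ip="10.1.2.3",
                 failed_attempts_last_hour=0)
    unknown = dict(user="jsmith", device_registered=False, patch_level_ok=False,
                   last_security_scan=None, last_success=None,
                   last_success_ip=None, failed_attempts_last_hour=0)
    return {
        "campus_known_device": decide(Context(ip="10.1.2.3", **known), now),
        "home_known_device": decide(Context(ip="203.0.113.5", **known), now),
        "unknown_device_no_history": decide(Context(ip="203.0.113.5", **unknown), now),
        "brute_force": decide(Context(ip="10.1.2.3", **{**known, "failed_attempts_last_hour": 5}), now),
    }
```

Running `sample_decisions()` shows the known, patched device getting password-only access on campus and a step-up at home, while an unknown device with no history is refused outright.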
Federation standards
Convergence?
More information
What does it take to run an access management
federation?
http://bit.ly/2AWSUUz
OpenAthens Cloud uses OpenID Connect
http://bit.ly/2y3pZz6
Phil Leahy
OpenAthens Service Relationship Manager
phil.leahy@eduserv.org.uk
+44 (0)1225 474302
Any questions?
Contacts
Josh Howlett, Head of trust and identity, Jisc
Josh.Howlett@jisc.ac.uk
Phil Leahy, OpenAthens Service Relationship Manager
phil.leahy@eduserv.org.uk
Tasha Mellins-Cohen, Director of Publishing, Microbiology Society
t.mellins-cohen@microbiologysociety.org
Feel free to e-mail your questions and look out for the slides on
uksg.org/webinars/authentication
UKSG webinar: Authentication technology update: RA21 and OpenAthens with Josh Howlett, Jisc and Phil Leahy, Eduserv

Editor's Notes

  • #4: This is the impact of OpenAthens single sign-on software – across the globe. Publishers can add their content to a user’s existing portfolio instead of existing within its own silo. We’ve got ten years’ experience of developing Shibboleth and SAML software which is used by some of the world’s largest content providers including Wolters Kluwer Health, New Scientist and the FT. The OpenAthens Federation is the trust authority which allows content providers and their customers to connect to each other without requiring technical setup each time.
  • #5: Here is a list of the access management tools typically used by organisations subscribing to external content. It’s been pointed out to me that the shortfalls of current authentication technologies were well covered at the UKSG conference earlier this year, but there have already been several questions submitted along those lines so I’m going to try and find the sweet spot between that and current technologies and future opportunities which are more interesting.
    Easily shared and relies on security through obscurity
    Easily shared and relies on security through obscurity
    How long have you got? (“Developments in proxy servers”, “Comparison between OA and Library Proxy”, “How it works and cost comparisons with EZProxy etc”, “Comparison with EZproxy”)
    Identifies only the organisation
    Cannot identify offenders who breach license terms
    No meaningful statistics
    Have to maintain a list of IP addresses with every supplier
    Remote access requires VPN or additional proxy
    Personalisation either non-existent or requires separate registration
    Expensive to implement and manage, inefficient single-use peer-to-peer connections
  • #6: This is a typical federated user journey that our software helps deliver. So – we have an end user browsing the web looking for academic or scholarly content, and all the time they are hitting barriers and being asked for a username and password. They get frustrated. But – in comes OpenAthens! With just one username and password, the patron can access an array of online resources – and crucially move between resources on different publisher sites.
  • #7: Patrons become more mobile – fewer ties to the physical library building, study is anywhere and everywhere.
    Personalization is expected – we’re all used to the Amazon or Netflix experience and at least in the UK, there is an expectation that library resources should behave in the same manner – saved searches, recommended favourites etc.
    Multiple devices are used for study – access to library content needs to be consistent and seamless regardless of the device used.
  • #8: And for librarians…
    More tech services to manage – VLE, Discovery, Website, Proxy Server
    Multiple tech services must integrate – single sign-on is key
    Monitor and report on E-library engagement – who’s accessing our services, how often and from where?
  • #9: Here’s a typical scenario: when a new user enrols at a university or starts work at a new job, that organisation will have a process which automatically grants access to the internal and external resources they need to participate in their course or do their job. That process applies the appropriate permissions and controls to ensure they can only access what they are entitled to and will typically include access to their nearest printer, the network drives for access to the documents they need, a VLE, discovery tools and/or LMS and increasingly, their organisation’s subscription content – all with a single username and password.
    Most popular choice across all markets. OpenAthens is part of an ecosystem and our docs help organisations integrate different components.
  • #10: Multi-country misuse
    Audit logs now available in OpenAthens (“How can the usage (not just login) statistics be captured?”)
  • #11: The options available to subscribing organisations on how to participate in an access management federation are better than ever.
    “The ability to restrict access to sub-groups within the University”
    “How is the access by temporary guests handled by OpenAthens?”
    “Configuring access for overseas/partnership institutions”
    “Authentication for partnerships - based in the UK and abroad”
    OpenAthens offers these connection options so whatever your organisation has in place, it’s likely that OpenAthens can help an organisation use Shibboleth or SAML because…
  • #12: …we also offer tools which allow self-built interfaces. Offers maximum flexibility – but it requires developer effort at the organisation.
    “What would be the best means of authentication to use for a small institution with limited resources to access eBooks?”
  • #13: So the fact that… It is the nature of federated access management in general and OpenAthens products in particular to use standards-based approaches wherever possible. This allows true SSO with a number of apps such as…
  • #14: This shows a number of common apps our customers use OpenAthens to integrate with. OpenAthens plays well with all discovery services.
    “We are moving to Alma Summer of 2018 I wonder which authentication to use, EZ Proxy or Open Athens for the link resolver”
  • #15: But how can all that happen in a privacy-protecting way? Earlier on I said personalisation is now expected from a range of services such as Amazon or Netflix. There is a view that: without personalisation, none of the benefits of a modern digital service are available, i.e. more engagement, attracting users to return, learning more about their needs and tailoring products accordingly. That level of detail helps everyone. It helps content providers segment their products and direct it at particular users, and by providing greater transparency of how collections are being used, it helps an organisation make more informed purchase decisions.
    But… “a (happily very vocal) majority who are unwilling to compromise user privacy for the sake of some assessment metrics”
    Do users now expect that from library services too? Some librarians are concerned about the privacy issues this raises, and they see IP recognition as the better option precisely because it’s anonymous.
    Take a look at this image sent to me during a dialogue I had over Twitter with a US librarian (although this view is not exclusive to the US). This is a detailed user consent page which explains which attributes about this user were going to be passed to the content provider. [description] If the user did not provide their consent, they were not permitted to see the content.
  • #16: Would there be more confidence around privacy if IdPs took a closer look at their attribute release policies, and content providers were more circumspect about the attributes they requested? Many users will submit this same level of personal information on a form they’re presented with the first time they access a service. Is that substantially different from a Netflix or Amazon subscription? However, if a content provider receives a narrower set of attributes which has no identifying information but which allows the user to personalise the experience, e.g. via saved searches and alerts, would that be sufficient to satisfy the content provider?
    This is the functionality OpenAthens makes available to organisations so they can control attribute release quickly and easily. And we’re making similar products available to content providers so they can leverage the benefits of Shibboleth and SAML without having to become experts in that technology, so here’s a brief word about that.
  • #17: But there is an alternative. It is now possible to derive all the benefits which SAML brings without having to deploy it. As I said earlier, OpenAthens has ten years’ experience of developing SAML software and having seen the issues which I just described for some time, we decided to take a new approach and developed OpenAthens Cloud. The only technology a content provider needs to deploy is OpenID Connect – everything else is managed in our web dashboard. OpenID Connect is supported by key industry players like Symantec and Microsoft. It's a newer technology than SAML but unlike SAML, it's extensible to web-based native apps as well as mobile applications.
  • #18: SAML is Enterprise – connections between identities and services within a scope
    Old tech: XML, SOAP – mid 2000s
    Supports ’trusted relationships’
    Formation of communities
    OIDC is multi-billion user services
    JWT/REST, developer friendly
    Mobile-native
    Self-asserted trust
  • #19: I’m sure many of you will be familiar with seeing Google login options on a number of web services – that process uses OpenID Connect and as you can see, one of the benefits is a consistent login experience.
  • #20: And anytime you see a PayPal payment option on a website, it is using OpenID Connect to let you login via PayPal. Let me be clear: OpenAthens Cloud alone won't let a content provider add Google and PayPal login options to their products. But if that is on their wishlist, with OpenID Connect as the foundation that task would be easier.
  • #21: Here’s something else we’ve recently released for content providers, but it’s not something they can buy – any publisher registered in any Shibboleth or SAML access management federation can use it. Wayfinder is the OpenAthens Discovery Service which any publisher can deploy:
    Uses SAML attributes for scalability
    Uses domain hints and geolocation – UKFed are already promoting increased adoption of domain hints
  • #23: CASA = Context-Aware Scalable Authentication. Some big players are participating including HighWire – but based on Google Scholar usage.
  • #24: BeyondCorp had the stated goal that no Google employee should need to use a VPN. “We infer device trust based on a number of signals, some observed (last security scan, patch level, installed software, etc.) and some prescribed (assigned owner, VLAN, etc.). To handle this complexity, our inventory teams follow an automated provisioning process to ensure that new hire devices are correctly trusted at first login.”
    Contextual authentication is increasingly being talked about
    -------------------------
    Contextual authentication takes into account the context of a service and deploys an appropriate authentication challenge
    Encompasses multi-factor methods, where appropriate
    Intelligent IAM systems can change context dynamically (eg. location or suspicious activity)
    Authentication factors
    ----------------------
    Trusted device
    Location/network (IP)
    Username/password
    SMS, push notification, OTP app, YubiKey
    Previous activity
    Reduce friction of authentication
    ---------------------------------
    Objective of contextual authentication is to reduce friction
    Misunderstanding of multi-factor is that it makes authentication more complex – inappropriate deployment
    No user-interaction unless necessary
  • #25: SAML is Enterprise – connections between identities and services within a scope
    Old tech: XML, SOAP – mid 2000s
    Supports ’trusted relationships’
    Formation of communities
    OIDC is multi-billion user services
    JWT/REST, developer friendly
    Mobile-native
    Self-asserted trust
    Bottom line: with 10-12 years of investment in Shibboleth and SAML by content providers and subscribing organizations around the world, it’s not going anywhere soon.
    - My impression is that this is still pretty early days. There is a draft specification but it seems to be fairly early to me. There were two camps, one wanted existing OpenID implementations to work pretty much unmodified with the new spec. Others saw the need for more complexity in implementations (though there was recognition that this was a problem). I suspect some compromise will be reached.
    - There is definitely a desire to learn from 10 years of SAML federations and make notable improvements, like not shipping around massive blobs of XML. Hopefully the standard will be much simpler and inline with modern APIs.