OpenAthens is an access management system that helps over 2,200 organizations in 48 countries provide access to hundreds of thousands of journals, databases, and ebooks for over 4 million end users. It uses various authentication methods including vendor-supplied credentials, IP recognition, and federated access management. OpenAthens is updating its technologies to address changing user needs like mobile access and personalization. It aims to provide secure access while maintaining user privacy and allowing for attribute release to content providers when acceptable. The presentation also discusses integrating with applications using SAML and OpenID Connect, and how new technologies may provide new opportunities.
2. www.openathens.org
Coming up
• The access management toolkit
• Security, privacy and personalisation
• What opportunities are new technologies bringing?
• How OpenAthens helps organisations and their content provider suppliers
3. www.openathens.org
Helping over 2,200 organisations in 48 countries enable access to hundreds of thousands of journals, databases and ebooks for over 4 million end users.
8. www.openathens.org
What is local authentication?
• Uses existing usernames and passwords, typically held in Active Directory
• Same account used for ‘local’ and external systems
• VLE
• Google Apps / Office 365
• OpenAthens
• Reduces administration
• Reduces user queries
9. www.openathens.org
Security is paramount
• Authentication within Federations uses SAML
• Data encryption comes as standard
• Individual level accountability
• Permission setting features – easier to comply with restricted content licences
• Authentication servers monitored for misuse
11. www.openathens.org
Build against an API
• Log your users into the system based on credentials stored in any system you can gain programmatic access to
• Great when you cannot use other connection types
12. www.openathens.org
Connecting to SAML applications
• OpenAthens can interact with many Apps
• Better overall experience for end users
• ‘True’ single sign-on
14. www.openathens.org
Is user privacy at risk?
• SAML encrypts data by default…
• …but is that sufficient?
• Personalisation requires that content providers know something about a user…
• …what is acceptable?
https://twitter.com/lisalibrarian/status/927534622799548416
16. www.openathens.org
OpenAthens Cloud
• Benefit from SAML without installing it
• OpenAthens Cloud offers the same benefits
• OpenID Connect is the hook…
• …but what is OpenID Connect?
22. www.openathens.org
Google Scholar CASA
“CASA builds on Google Scholar’s Subscriber Links program which provides direct links in the search interface to subscribed collections for on-campus users. With CASA, a researcher can start a literature survey on campus and resume where she left off once she is home, or travelling, with no hoops to jump through. Her subscribed collections are highlighted in Google Scholar searches and she is able to access articles in exactly the same way as on campus.”
Users must access on-campus at least every 30 days to maintain off-campus access.
https://home.heinonline.org/blog/2017/09/casa-en-nuestra-casa-casa-in-our-house/
23. www.openathens.org
BeyondCorp at Google
• Principles
• Connecting from a particular network must not determine which services you can access.
• Access to services is granted based on what we know about you and your device.
• All access to services must be authenticated, authorized and encrypted.
https://cloud.google.com/beyondcorp/
26. www.openathens.org
Phil Leahy
OpenAthens Service Relationship Manager
phil.leahy@eduserv.org.uk
+44 (0)1225 474302
Any questions?
What does it take to run an access management federation?
http://bit.ly/2AWSUUz
OpenAthens Cloud uses OpenID Connect
http://bit.ly/2y3pZz6
27. Contacts
Josh Howlett, Head of trust and identity, Jisc
Josh.Howlett@jisc.ac.uk
Phil Leahy, OpenAthens Service Relationship Manager
phil.leahy@eduserv.org.uk
Tasha Mellins-Cohen, Director of Publishing, Microbiology Society
t.mellins-cohen@microbiologysociety.org
Feel free to e-mail your questions and look out for the slides on
uksg.org/webinars/authentication
Editor's Notes
This is the impact of OpenAthens single sign-on software – across the globe. Publishers can add their content to a user’s existing portfolio instead of existing within its own silo. We’ve got ten years experience of developing Shibboleth and SAML software which is used by some of the world’s largest content providers including Wolters Kluwer Health, New Scientist and the FT.
The OpenAthens Federation is the trust authority which allows content providers and their customers to connect to each other without requiring technical setup each time.
Here is a list of the access management tools typically used by organisations subscribing to external content. It’s been pointed out to me that the shortfalls of current authentication technologies were well covered at the UKSG conference earlier this year, but there have already been several questions submitted along those lines so I’m going to try and find the sweet spot between that and current technologies and future opportunities which are more interesting.
Easily shared and relies on security through obscurity
How long have you got? (“Developments in proxy servers”, “Comparison between OA and Library Proxy”, “How it works and cost comparisons with EZProxy etc”, “Comparison with EZproxy”)
Identifies only the organisation
Cannot identify offenders who breach license terms
No meaningful statistics
Have to maintain a list of IP addresses with every supplier
Remote access requires VPN or additional proxy
Personalisation either non-existent or requires separate registration
Expensive to implement and manage, inefficient single-use peer-to-peer connections
This is a typical federated user journey that our software helps deliver.
So – we have an end user browsing the web looking for academic or scholarly content
And all the time they are hitting barriers and being asked for a username and password
They get frustrated
But – in comes OpenAthens!
With just one username and password, the patron can access an array of online resources– and crucially move between resources on different publisher sites
Patrons become more mobile – fewer ties to the physical library building, study is anywhere and everywhere
Personalization is expected – we’re all used to the Amazon or Netflix experience and at least in the UK, there is an expectation that library resources should behave in the same manner – saved searches, recommended favourites etc.
Multiple devices are used for study – access to library content needs to be consistent and seamless regardless of the device used
And for librarians…
More tech services to manage – VLE, Discovery, Website, Proxy Server
Multiple tech services must integrate – single sign-on is key
Monitor and report on E-library engagement – who’s accessing our services, how often and from where?
Here’s a typical scenario: when a new user enrols at a university or starts work at a new job, that organisation will have a process which automatically grants access to the internal and external resources they need to participate in their course or do their job.
That process applies the appropriate permissions and controls to ensure they can only access what they are entitled to, and will typically include access to their nearest printer, the network drives holding the documents they need, a VLE, discovery tools and/or LMS and, increasingly, their organisation’s subscription content – all with a single username and password.
Most popular choice across all markets.
OpenAthens is part of an ecosystem and our docs help organisations integrate different components
Multi-country misuse
Audit logs now available in OpenAthens (“How can the usage (not just login) statistics be captured?”)
The options available to subscribing organisations on how to participate in an access management federation are better than ever.
“The ability to restrict access to sub-groups within the University”
“How is the access by temporary guests handled by OpenAthens?”
“Configuring access for overseas/partnership institutions”
“Authentication for partnerships - based in the UK and abroad”
OpenAthens offers these connection options so whatever your organisation has in place, it’s likely that OpenAthens can help an organisation use Shibboleth or SAML because…
…we also offer tools which allow self-built interfaces. Offers maximum flexibility – but it requires developer effort at the organisation.
“What would be the best means of authentication to use for a small institution with limited resources to access eBooks?”
So the fact that…
It is the nature of federated access management in general, and OpenAthens products in particular, to use a standards-based approach wherever possible. This allows true SSO with a number of apps such as…
This shows a number of common apps our customers use OpenAthens to integrate with.
OpenAthens plays well with all discovery services
“We are moving to Alma Summer of 2018 I wonder which authentication to use, EZ Proxy or Open Athens for the link resolver”
But how can all that happen in a privacy-protecting way?
Earlier on I said personalisation is now expected from a range of services such as Amazon or Netflix.
There is a view that:
without personalisation, none of the benefits of a modern digital service are available, i.e. more engagement, attracting users to return, learning more about their needs and tailoring products accordingly.
That level of detail helps everyone. It helps content providers segment their products and direct it at particular users, and by providing greater transparency of how collections are being used, it helps an organisation make more informed purchase decisions. But…
“a (happily very vocal) majority who are unwilling to compromise user privacy for the sake of some assessment metrics”
Do users now expect that from library services too? Some librarians are concerned about the privacy issues this raises, and they see IP recognition as the better option precisely because it’s anonymous. Take a look at this image sent to me during a dialogue I had over Twitter with a US librarian (although this view is not exclusive to the US).
This is a detailed user consent page which explains which attributes about this user were going to be passed to the content provider. [description] If the user did not provide their consent, they were not permitted to see the content.
Would there be more confidence around privacy if IdPs took a closer look at their attribute release policies, and content providers were more circumspect about the attributes they requested?
Many users will submit this same level of personal information on a form they’re presented with the first time they access a service. Is that substantially different from a Netflix or Amazon subscription?
However, if a content provider receives a narrower set of attributes which has no identifying information but which allows the user to personalise the experience, e.g. via saved searches and alerts, would that be sufficient to satisfy the content provider?
This is the functionality OpenAthens makes available to organisations so they can control attribute release quickly and easily.
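To make the attribute-release question above concrete, here is an added example (not OpenAthens code) of an IdP-side release filter: a per-service-provider allow list decides which directory attributes leave the IdP, and a pairwise pseudonymous identifier, computed with a keyed hash, gives each content provider a stable handle for saved searches and alerts without any identifying attributes and without letting two providers correlate the same user. The entity IDs, attribute names, policy layout and secret are constructed for the illustration.

```python
import hmac
import hashlib

# Constructed sample: the full attribute set the IdP holds for one user.
USER_ATTRIBUTES = {
    "uid": "jbloggs",
    "mail": "j.bloggs@example.ac.uk",
    "displayName": "Joanna Bloggs",
    "eduPersonScopedAffiliation": "member@example.ac.uk",
    "eduPersonEntitlement": "urn:mace:dir:entitlement:common-lib-terms",
}

# Hypothetical per-SP release policy (assumed structure): each SP entity ID
# maps to the attribute names the IdP is willing to release to it.
# "pairwise-id" is derived below rather than read from the directory.
RELEASE_POLICY = {
    "https://sp.example-publisher.com/shibboleth": {
        "eduPersonScopedAffiliation", "eduPersonEntitlement", "pairwise-id"},
    "https://sp.example-discovery.com/saml": {
        "mail", "displayName", "pairwise-id"},
}

IDENTIFYING = {"uid", "mail", "displayName"}


def pairwise_id(user_id: str, sp_entity_id: str, idp_secret: bytes) -> str:
    """Opaque identifier that is stable for one user at one SP but differs
    between SPs, so a returning user is recognised for personalisation
    while SPs cannot join their records on it."""
    msg = f"{user_id}|{sp_entity_id}".encode()
    return hmac.new(idp_secret, msg, hashlib.sha256).hexdigest()


def release_attributes(user_attrs: dict, sp_entity_id: str, idp_secret: bytes) -> dict:
    """Apply the release policy for this SP; unknown SPs get nothing (default deny)."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    released = {k: v for k, v in user_attrs.items() if k in allowed}
    if "pairwise-id" in allowed:
        released["pairwise-id"] = pairwise_id(user_attrs["uid"], sp_entity_id, idp_secret)
    return released


def is_identifying(released: dict) -> bool:
    """True if the released set contains any directly identifying attribute."""
    return bool(IDENTIFYING & released.keys())
```

For the publisher SP the released set carries affiliation, entitlement and the pairwise identifier only, which is the narrower, non-identifying set the notes describe; the discovery SP policy shows what a broader release looks like by contrast.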
And we’re making similar products available to content providers so they can leverage the benefits of Shibboleth and SAML without having to become experts in that technology, so here’s a brief word about that.
But there is an alternative. It is now possible to derive all the benefits which SAML brings without having to deploy it. As I said earlier, OpenAthens has ten years’ experience of developing SAML software and having seen the issues which I just described for some time, we decided to take a new approach and developed OpenAthens Cloud.
The only technology a content provider needs to deploy is OpenID Connect – everything else is managed in our web dashboard. OpenID Connect is supported by key industry players like Symantec and Microsoft. It's a newer technology than SAML but unlike SAML, it's extensible to web-based native apps as well as mobile applications.
SAML is:
Enterprise – connections between identities and services within a scope
Old tech: XML, SOAP – mid 2000s
Supports ‘trusted relationships’
Formation of communities
OIDC is:
Multi-billion user services
JWT/REST, developer friendly
Mobile-native
Self-asserted trust
I’m sure many of you will be familiar with seeing Google login options on a number of web services – that process uses OpenID Connect and as you can see, one of the benefits is a consistent login experience.
And any time you see a PayPal payment option on a website, it is using OpenID Connect to let you log in via PayPal.
Let me be clear: OpenAthens Cloud alone won't let a content provider add Google and PayPal login options to their products. But if that is on their wishlist, with OpenID Connect as the foundation that task would be easier.
Here’s something else we’ve recently released for content providers, but it’s not something they can buy – any publisher registered in any Shibboleth or SAML access management federation can use it.
Wayfinder is the OpenAthens Discovery Service which any publisher can deploy:
Uses SAML attributes for scalability
Uses domain hints and geolocation – UKFed are already promoting increased adoption of domain hints
CASA = Context-Aware Scalable Authentication. Some big players are participating including HighWire – but based on Google Scholar usage.
BeyondCorp had the stated goal that no Google employee should need to use a VPN.
“We infer device trust based on a number of signals, some observed (last security scan, patch level, installed software, etc.) and some prescribed (assigned owner, VLAN, etc.). To handle this complexity, our inventory teams follow an automated provisioning process to ensure that new hire devices are correctly trusted at first login.”
Contextual authentication is increasingly being talked about
-------------------------
Contextual authentication takes into account the context of a service and deploys appropriate authentication challenge
Encompasses multi-factor methods, where appropriate
Intelligent IAM systems can change context dynamically (eg. location or suspicious activity)
Authentication factors
----------------------
Trusted device
Location/network (IP)
Username/password
SMS, push notification, OTP app, YubiKey
Previous activity
Reduce friction of authentication
---------------------------------
Objective of contextual authentication is to reduce friction
A common misunderstanding of multi-factor is that it makes authentication more complex – that is a symptom of inappropriate deployment
No user-interaction unless necessary
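As an added illustration of the contextual authentication idea in the notes above (not code from OpenAthens or any product mentioned), the function below combines the listed factors, trusted device, location/network, previous activity and the service being accessed, into the least intrusive challenge that fits the context, so a known device on a known network gets seamless SSO and a second factor is only demanded when the signals warrant it. The signal names, weights and thresholds are constructed assumptions for the example.

```python
from dataclasses import dataclass


@dataclass
class LoginContext:
    """Constructed signals an IAM system might hold at login time."""
    trusted_device: bool        # device is enrolled/known to the inventory
    network: str                # "campus", "home" or "unknown"
    same_country_as_last: bool  # location consistent with previous activity
    failed_logins_last_hour: int
    service: str                # "licensed-content" or "admin-console"


def risk_score(ctx: LoginContext) -> int:
    """Additive score over the observed signals (weights are assumptions)."""
    score = 0
    if not ctx.trusted_device:
        score += 2
    if ctx.network == "unknown":
        score += 1
    if not ctx.same_country_as_last:
        score += 2
    if ctx.failed_logins_last_hour >= 3:
        score += 3
    return score


def required_challenge(ctx: LoginContext) -> str:
    """Return 'none', 'password' or 'password+mfa' for this context."""
    if ctx.service == "admin-console":
        # Privileged service: context never lowers the bar below two factors.
        return "password+mfa"
    score = risk_score(ctx)
    if score == 0:
        return "none"            # trusted device, known network: no interaction
    if score <= 2:
        return "password"        # mild deviation: single factor is enough
    return "password+mfa"        # step up only when several signals disagree
```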
Bottom line: with 10-12 years of investment in Shibboleth and SAML by content providers and subscribing organizations around the world, it’s not going anywhere soon.
- My impression is that this is still pretty early days. There is a draft specification but it seems to be fairly early to me. There were two camps, one wanted existing OpenID implementations to work pretty much unmodified with the new spec. Others saw the need for more complexity in implementations (though there was recognition that this was a problem). I suspect some compromise will be reached.
- There is definitely a desire to learn from 10 years of SAML federations and make notable improvements, like not shipping around massive blobs of XML. Hopefully the standard will be much simpler and inline with modern APIs.