www.openathens.org
Authentication technology update: OpenAthens
Phil Leahy
Service Relationship Manager
phil.leahy@eduserv.org.uk
Coming up
• The access management toolkit
• Security, privacy and personalisation
• What opportunities are new technologies bringing?
• How OpenAthens helps organisations and their content provider suppliers
Helping over 2,200 organisations in 48 countries enable access to hundreds of thousands of journals, databases and ebooks for over 4 million end users.
The access management toolkit
• Vendor-supplied credentials
• Referral URLs
• IP recognition
• Peer-to-peer SAML connections
• Federated access management
Changing user requirements
• Mobile access is key
• Personalisation is expected
• Multiple devices are used
Changing librarian requirements
• More tech services to manage
• Multiple tech services must integrate
• Monitor e-library engagement
What is local authentication?
• Uses existing usernames and passwords, typically held in Active Directory
• Same account used for ‘local’ and external systems
  • VLE
  • Google Apps / Office 365
  • OpenAthens
• Reduces administration
• Reduces user queries
Security is paramount
• Authentication within Federations uses SAML
• Data encryption comes as standard
• Individual level accountability
• Permission setting features – easier to comply with restricted content licences
• Authentication servers monitored for misuse
Directory integrations
CAS (Client Access Server)
Build against an API
• Log your users into the system based on credentials stored in any system you can gain programmatic access to
• Great when you cannot use other connection types
Connecting to SAML applications
• OpenAthens can interact with many Apps
• Better overall experience for end users
• ‘True’ single sign-on
Integration with SAML applications
Is user privacy at risk?
• SAML encrypts data by default…
• …but is that sufficient?
• Personalisation requires that content providers know something about a user…
• …what is acceptable?
https://twitter.com/lisalibrarian/status/927534622799548416
Attribute release in OpenAthens
OpenAthens Cloud
• Benefit from SAML without installing it
• OpenAthens Cloud offers the same benefits
• OpenID Connect is the hook…
• …but what is OpenID Connect?
Federation standards
OpenID Connect
• Web-scale
• Modern, developer-friendly
• Only implicit trust
SAML
• Enterprise
• Mid-2000s tech, hard to adopt
• Scalable trust-network
OpenAthens Cloud
OpenAthens Wayfinder: helping content providers help users
New technologies = new opportunities?
Google Scholar CASA
“CASA builds on Google Scholar’s Subscriber Links program which provides direct links in the search interface to subscribed collections for on-campus users. With CASA, a researcher can start a literature survey on campus and resume where she left off once she is home, or travelling, with no hoops to jump through. Her subscribed collections are highlighted in Google Scholar searches and she is able to access articles in exactly the same way as on campus.”
Users must access on-campus at least every 30 days to maintain off-campus access.
https://home.heinonline.org/blog/2017/09/casa-en-nuestra-casa-casa-in-our-house/
BeyondCorp at Google
• Principles
  • Connecting from a particular network must not determine which services you can access.
  • Access to services is granted based on what we know about you and your device.
  • All access to services must be authenticated, authorized and encrypted.
https://cloud.google.com/beyondcorp/
Federation standards
OpenID Connect
• Web-scale
• Modern, developer-friendly
• Only implicit trust
SAML
• Enterprise
• Mid-2000s tech, hard to adopt
• Scalable trust-network
Convergence?
More information
What does it take to run an access management federation?
http://bit.ly/2AWSUUz
OpenAthens Cloud uses OpenID Connect
http://bit.ly/2y3pZz6
Phil Leahy
OpenAthens Service Relationship Manager
phil.leahy@eduserv.org.uk
+44 (0)1225 474302
Any questions?
Contacts
Josh Howlett, Head of trust and identity, Jisc
Josh.Howlett@jisc.ac.uk
Phil Leahy, OpenAthens Service Relationship Manager
phil.leahy@eduserv.org.uk
Tasha Mellins-Cohen, Director of Publishing, Microbiology Society
t.mellins-cohen@microbiologysociety.org
Feel free to e-mail your questions and look out for the slides on uksg.org/webinars/authentication

UKSG webinar: Authentication technology update: RA21 and OpenAthens with Josh Howlett, Jisc and Phil Leahy, Eduserv

Editor's Notes

  1. This is the impact of OpenAthens single sign-on software – across the globe. Publishers can add their content to a user’s existing portfolio instead of existing within its own silo. We’ve got ten years’ experience of developing Shibboleth and SAML software which is used by some of the world’s largest content providers including Wolters Kluwer Health, New Scientist and the FT. The OpenAthens Federation is the trust authority which allows content providers and their customers to connect to each other without requiring technical setup each time.
  2. Here is a list of the access management tools typically used by organisations subscribing to external content. It’s been pointed out to me that the shortfalls of current authentication technologies were well covered at the UKSG conference earlier this year, but there have already been several questions submitted along those lines so I’m going to try and find the sweet spot between that and current technologies and future opportunities which are more interesting.
     • Easily shared and relies on security through obscurity
     • Easily shared and relies on security through obscurity
     • How long have you got? (“Developments in proxy servers”, “Comparison between OA and Library Proxy”, “How it works and cost comparisons with EZProxy etc”, “Comparison with EZproxy”)
     • Identifies only the organisation
     • Cannot identify offenders who breach license terms
     • No meaningful statistics
     • Have to maintain a list of IP addresses with every supplier
     • Remote access requires VPN or additional proxy
     • Personalisation either non-existent or requires separate registration
     • Expensive to implement and manage, inefficient single-use peer-to-peer connections
  3. This is a typical federated user journey that our software helps deliver. So – we have an end user browsing the web looking for academic or scholarly content. And all the time they are hitting barriers and being asked for a username and password. They get frustrated. But – in comes OpenAthens! With just one username and password, the patron can access an array of online resources – and crucially move between resources on different publisher sites.
  4. 
     • Patrons become more mobile – fewer ties to the physical library building, study is anywhere and everywhere
     • Personalization is expected – we’re all used to the Amazon or Netflix experience and at least in the UK, there is an expectation that library resources should behave in the same manner – saved searches, recommended favourites etc.
     • Multiple devices are used for study – access to library content needs to be consistent and seamless regardless of the device used
  5. And for librarians…
     • More tech services to manage – VLE, Discovery, Website, Proxy Server
     • Multiple tech services must integrate – single sign-on is key
     • Monitor and report on E-library engagement – who’s accessing our services, how often and from where?
  6. Here’s a typical scenario: when a new user enrols at a university or starts work at a new job, that organisation will have a process which automatically grants access to the internal and external resources they need to participate in their course or do their job. That process applies the appropriate permissions and controls to ensure they can only access what they are entitled to and will typically include access to their nearest printer, the network drives for access to the documents they need, a VLE, discovery tools and/or LMS and increasingly, their organisation’s subscription content – all with a single username and password. Most popular choice across all markets. OpenAthens is part of an ecosystem and our docs help organisations integrate different components.
  7. 
     • Multi-country misuse
     • Audit logs now available in OpenAthens (“How can the usage (not just login) statistics be captured?”)
  8. The options available to subscribing organisations on how to participate in an access management federation are better than ever.
     • “The ability to restrict access to sub-groups within the University”
     • “How is the access by temporary guests handled by OpenAthens?”
     • “Configuring access for overseas/partnership institutions”
     • “Authentication for partnerships - based in the UK and abroad”
     OpenAthens offers these connection options so whatever your organisation has in place, it’s likely that OpenAthens can help an organisation use Shibboleth or SAML because…
  9. …we also offer tools which allow self-built interfaces. Offers maximum flexibility – but it requires developer effort at the organisation. “What would be the best means of authentication to use for a small institution with limited resources to access eBooks?”
  10. So the fact that… It is the nature of federated access management in general and OpenAthens products in particular to use a standards-based approach wherever possible. This allows true SSO with a number of apps such as…
  11. This shows a number of common apps our customers use OpenAthens to integrate with. OpenAthens plays well with all discovery services. “We are moving to Alma Summer of 2018 I wonder which authentication to use, EZ Proxy or Open Athens for the link resolver”
  12. But how can all that happen in a privacy-protecting way? Earlier on I said personalisation is now expected from a range of services such as Amazon or Netflix. There is a view that: without personalisation, none of the benefits of a modern digital service are available, i.e. more engagement, attracting users to return, learning more about their needs and tailoring products accordingly. That level of detail helps everyone. It helps content providers segment their products and direct it at particular users, and by providing greater transparency of how collections are being used, it helps an organisation make more informed purchase decisions. But… “a (happily very vocal) majority who are unwilling to compromise user privacy for the sake of some assessment metrics” Do users now expect that from library services too? Some librarians are concerned about the privacy issues this raises, and they see IP recognition as the better option precisely because it’s anonymous. Take a look at this image sent to me during a dialogue I had over Twitter with a US librarian (although this view is not exclusive to the US). This is a detailed user consent page which explains which attributes about this user were going to be passed to the content provider. [description] If the user did not provide their consent, they were not permitted to see the content.
  13. Would there be more confidence around privacy if IdPs took a closer look at their attribute release policies, and content providers were more circumspect about the attributes they requested? Many users will submit this same level of personal information on a form they’re presented with the first time they access a service. Is that substantially different from a Netflix or Amazon subscription? However, if a content provider receives a narrower set of attributes which has no identifying information but which allows the user to personalise the experience, e.g. via saved searches and alerts, would that be sufficient to satisfy the content provider? This is the functionality OpenAthens makes available to organisations so they can control attribute release quickly and easily. And we’re making similar products available to content providers so they can leverage the benefits of Shibboleth and SAML without having to become experts in that technology, so here’s a brief word about that.
  14. But there is an alternative. It is now possible to derive all the benefits which SAML brings without having to deploy it. As I said earlier, OpenAthens has ten years’ experience of developing SAML software and having seen the issues which I just described for some time, we decided to take a new approach and developed OpenAthens Cloud. The only technology a content provider needs to deploy is OpenID Connect – everything else is managed in our web dashboard. OpenID Connect is supported by key industry players like Symantec and Microsoft. It's a newer technology than SAML but unlike SAML, it's extensible to web-based native apps as well as mobile applications.
  15. SAML is:
      - Enterprise – connections between identities and services within a scope
      - Old tech: XML, SOAP – mid 2000s
      - Supports ‘trusted relationships’
      - Formation of communities

      OIDC is:
      - Multi-billion user services
      - JWT/REST, developer friendly
      - Mobile-native
      - Self-asserted trust
  16. I’m sure many of you will be familiar with seeing Google login options on a number of web services – that process uses OpenID Connect and as you can see, one of the benefits is a consistent login experience.
  17. And anytime you see a PayPal payment option on a website, it is using OpenID Connect to let you log in via PayPal. Let me be clear: OpenAthens Cloud alone won't let a content provider add Google and PayPal login options to their products. But if that is on their wishlist, with OpenID Connect as the foundation that task would be easier.
  18. Here’s something else we’ve recently released for content providers, but it’s not something they can buy – any publisher registered in any Shibboleth or SAML access management federation can use it. Wayfinder is the OpenAthens Discovery Service which any publisher can deploy:
      - Uses SAML attributes for scalability
      - Uses domain hints and geolocation – UKFed are already promoting increased adoption of domain hints
  19. CASA = Context-Aware Scalable Authentication. Some big players are participating including HighWire – but based on Google Scholar usage.
  20. BeyondCorp had the stated goal that no Google employee should need to use a VPN. “We infer device trust based on a number of signals, some observed (last security scan, patch level, installed software, etc.) and some prescribed (assigned owner, VLAN, etc.). To handle this complexity, our inventory teams follow an automated provisioning process to ensure that new hire devices are correctly trusted at first login.”

      Contextual authentication is increasingly being talked about:
      - Contextual authentication takes into account the context of a service and deploys an appropriate authentication challenge
      - Encompasses multi-factor methods, where appropriate
      - Intelligent IAM systems can change context dynamically (e.g. location or suspicious activity)

      Authentication factors:
      - Trusted device
      - Location/network (IP)
      - Username/password
      - SMS, push notification, OTP app, YubiKey
      - Previous activity

      Reduce friction of authentication:
      - Objective of contextual authentication is to reduce friction
      - Misunderstanding of multi-factor is that it makes authentication more complex – inappropriate deployment
      - No user interaction unless necessary
  21. SAML is:
      - Enterprise – connections between identities and services within a scope
      - Old tech: XML, SOAP – mid 2000s
      - Supports ‘trusted relationships’
      - Formation of communities

      OIDC is:
      - Multi-billion user services
      - JWT/REST, developer friendly
      - Mobile-native
      - Self-asserted trust

      Bottom line: with 10-12 years of investment in Shibboleth and SAML by content providers and subscribing organizations around the world, it’s not going anywhere soon.
      - My impression is that this is still pretty early days. There is a draft specification but it seems to be fairly early to me. There were two camps: one wanted existing OpenID implementations to work pretty much unmodified with the new spec. Others saw the need for more complexity in implementations (though there was recognition that this was a problem). I suspect some compromise will be reached.
      - There is definitely a desire to learn from 10 years of SAML federations and make notable improvements, like not shipping around massive blobs of XML. Hopefully the standard will be much simpler and in line with modern APIs.
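
The attribute release question raised in note 13, as an added example that is not part of the original talk and is not OpenAthens code: an IdP-side filter that releases nothing by default and gives a content provider only an entitlement plus an opaque per-provider identifier, enough for saved searches and alerts without naming the user. The entity IDs, the salt, the user record and the `pairwiseId` key are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed secret; a real IdP would load this from protected configuration.
IDP_SALT = b"constructed-secret-salt"

# Constructed directory record, as an IdP might hold it.
USER = {
    "uid": "jsmith",
    "mail": "j.smith@example.ac.uk",
    "displayName": "Jo Smith",
    "eduPersonScopedAffiliation": "member@example.ac.uk",
    "eduPersonEntitlement": "urn:mace:dir:entitlement:common-lib-terms",
}

# Per-service-provider release policy (hypothetical entity IDs).
# A provider that is not listed receives no attributes at all.
RELEASE_POLICY = {
    "https://journals.example.com/sp": {
        "eduPersonScopedAffiliation", "eduPersonEntitlement", "pairwiseId"},
    "https://vle.example.ac.uk/sp": {"mail", "displayName", "pairwiseId"},
}


def pairwise_id(uid, sp_entity_id, scope="example.ac.uk"):
    """Opaque identifier: stable for one SP, different for every other SP."""
    msg = f"{uid}!{sp_entity_id}".encode()
    digest = hmac.new(IDP_SALT, msg, hashlib.sha256).hexdigest()[:32]
    return f"{digest}@{scope}"


def release(user, sp_entity_id):
    """Return only the attributes the policy allows for this SP."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    released = {k: v for k, v in user.items() if k in allowed}
    if "pairwiseId" in allowed:
        # Computed on the fly, so the provider can key a profile on it
        # without ever seeing uid, mail or displayName.
        released["pairwiseId"] = pairwise_id(user["uid"], sp_entity_id)
    return released


if __name__ == "__main__":
    for sp in list(RELEASE_POLICY) + ["https://unknown.example.org/sp"]:
        print(sp, release(USER, sp))
```

Because the identifier is keyed on the provider's entity ID, two content providers cannot join their usage records on it, while each one still sees the same value on every visit.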
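
The contextual authentication idea in note 20, as an added example that is not part of the original talk: a decision function that turns the listed signals (trusted device, network, previous activity) into the challenge to present, and asks for nothing when the context is already strong. The weights, thresholds, network range and field names are assumptions chosen for illustration, not values from any product.

```python
import ipaddress
from dataclasses import dataclass

# Constructed campus range (TEST-NET-1 documentation addresses).
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class Context:
    has_session: bool      # valid single sign-on session already exists
    trusted_device: bool   # device is known to the organisation
    source_ip: str
    usual_location: bool   # consistent with the user's previous activity
    recent_failures: int   # failed logins for this account recently
    sensitivity: str       # "licensed" content or "admin" console


def on_campus(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_NETS)


def risk_score(ctx):
    """Add up the signals that weaken confidence in the request."""
    score = 0
    if not ctx.trusted_device:
        score += 2
    if not on_campus(ctx.source_ip):
        score += 1
    if not ctx.usual_location:
        score += 2
    if ctx.recent_failures >= 3:
        score += 3
    return score


def required_challenges(ctx):
    """Return the challenges to present; an empty list means no prompt."""
    score = risk_score(ctx)
    if score >= 6:
        return ["block"]              # too many weak signals at once
    steps = []
    if not ctx.has_session:
        steps.append("password")
    if ctx.sensitivity == "admin" or score >= 3:
        steps.append("second_factor")  # OTP app, push or hardware key
    return steps
```

A known device on the campus network with a live session gets an empty list, which is the "no user interaction unless necessary" outcome; the second factor appears only when the signals degrade or the target is sensitive.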