Name:
Access, authentication, and authorization
Description:
Access, authentication, and authorization
Thumbnail URL:
https://cadmoremediastorage.blob.core.windows.net/3fec887c-00b7-4075-926f-568c8f1b21ab/videoscrubberimages/Scrubber_1.jpg?sv=2019-02-02&sr=c&sig=LkS6ukXXebsAJvZsD7V1luRXw2Lk%2FswVZqaIFESUhBA%3D&st=2025-01-20T05%3A05%3A47Z&se=2025-01-20T09%3A10%3A47Z&sp=r
Duration:
T00H31M58S
Embed URL:
https://stream.cadmore.media/player/3fec887c-00b7-4075-926f-568c8f1b21ab
Content URL:
https://cadmoreoriginalmedia.blob.core.windows.net/3fec887c-00b7-4075-926f-568c8f1b21ab/22 - Access authentication and authorization-HD 1080p.mov?sv=2019-02-02&sr=c&sig=SHJapUFRKFKbvGwC6V0yj11dtkgyrZXGyxMArGY%2Fvlo%3D&st=2025-01-20T05%3A05%3A47Z&se=2025-01-20T07%3A10%3A47Z&sp=r
Upload Date:
2021-08-23T00:00:00.0000000
Transcript:
Language: EN.
Segment:0 .
[MUSIC PLAYING]
SPEAKER 1: Hello and welcome to access, authentication, and authorization. Today, we have Lisa Janicke Hinchliffe who is going to be kicking it off and setting the stage for this very important topic. Following that, Ralph Youngen will discuss current developments, and Vee Rogacheva will wrap it up by covering the user experience. So without further ado, I'm going to turn it over to Lisa.
LISA JANICKE HINCHLIFFE: Thank you so much and welcome to all of our audience members here today. My role with this will be to set the stage relative to what is happening in a very big picture way with access, authentication, and authorization, particularly looking at the case of library content to subscribed publisher materials. You'll find me on Twitter as lisalibrarian. I'm a professor and librarian at the University of Illinois at Urbana-Champaign, and I've been very involved for the past few years on initiatives, such as SeamlessAccess, the NISO privacy principles, and GetFTR.
HINCHLIFFE: All of which are touching on these important topics of the triple A's. As a context for the considerations that we'll be discussing here today, I'd like to remind ourselves what the situation is, which is that publishers license content and services to libraries that then make them available to entitled users. Now, not all who attempt access to these services or to the content are actually entitled.
HINCHLIFFE: Sometimes they're not part of our institution, and they've just found our website. In other cases, certain resources and services are only available to a subgroup of an institution's affiliated users. And so we have these issues related to who are you and what do you have rights to use. Our authentication and authorization systems are support for entitled users.
HINCHLIFFE: They facilitate that access, and they prevent access for what are known as non-entitled users. There's a lot of considerations that come into play here from lots of different perspectives, but particularly, for me as a librarian, there's considerations around managing personal data for access, especially with respect to privacy and that includes legal, contractual, and ethical frameworks.
HINCHLIFFE: There are a lot of pressing concerns that make this all the more important as an issue in our recent months. The pandemic pivot to remote work has made a greater percentage of our users reliant on understanding some of the complexities of how to navigate these pathways through authentication and authorization.
HINCHLIFFE: So that they can get the access. It has made us aware of the security vulnerabilities of some of the approaches that we have been using. Of course, we have contractual responsibilities related to the contracts that both parties signed, responsibilities from the publishers and from the librarians or the universities. And then, of course, and this is by no means the least important, is perhaps the most important.
HINCHLIFFE: We have the user experience of navigating these systems which can be very confusing and sometimes very frustrating. I want to mention a couple of terms that we'll probably use today that are used differently in different communities. So particularly, in the authorization, authentication community, there are some words that we use differently than how we use them in libraries and publishing.
HINCHLIFFE: So just to clarify, the word discovery in scholarly communications usually means to conduct literature searches to discover disclosed research pertinent to one's interest. So it's the process of finding information. In federation or authentication, authorization communities, discovery means searching for an identity provider so that you can initiate a user authentication workflow. These are quite different uses of the word discovery, though in both cases, we can see that what they do is they enable us to find something, a key piece of information that lets us keep working.
HINCHLIFFE: Similarly, metadata in scholarly communications, this is information about research works. It's the title, the author, the journal, the publisher, et cetera. In federation or authentication, authorization contexts, it's the information about the identity providers and the service providers. And Ralph is going to help us unpack that a little bit more in detail when he gets to talking about that.
HINCHLIFFE: But just to know that there's these key concepts that we might be using in different ways as we look at different components of this process. So here is just a small attempt to list the scholarly authentication, authorization ecosystem. The way, I like to think about it is that there's really two types or categories of authorization and authentication. One is the device, and the other is the individual.
HINCHLIFFE: Now, in reality these do interact a little bit at times, but I think it's helpful at least to have this as a framework. For device authorization, we have IP address recognition that says that the device IP address is affiliated with an institutional namespace. And it just asserts that whoever is using the device is an authorized or entitled user. Remote IP recognition options include proxy servers and virtual private networks or VPNs.
HINCHLIFFE: We also have device pairing where devices are set to be known to a publisher site for a set period of time. Device pairing first typically relies on a kind of individual authentication, which then enables device pairing for a set period of time. So what's this individual authorization? You can have publisher-specific accounts, which are specific to that particular publisher website.
HINCHLIFFE: It's typically for personalized features and typically does not provide authentication. And of course, it is the dreaded additional name and password. A more robust option that relies on publisher and institution collaboration is federated authentication via SAML, which is the Security Assertion Markup Language. It validates the end user, not just the device. It says that this person is authorized or entitled to this content, and Shibboleth is most commonly heard in higher education as the specific implementation of the SAML protocol.
HINCHLIFFE: So Shibboleth is an implementation of SAML, and SAML is what enables federated authentication. There are two other types also operating out in our community now. One, Google CASA, which relies on IP authentication and maybe other tools. There's no documentation for librarians on this, so we have to infer some of it. And then ResearchGate has recently added some authors' authentication recognition for users of Springer Nature content with additional publishers perhaps on the way.
HINCHLIFFE: So today, we're really going to focus in on this SAML, the federated authentication, which is the most commonly used of the individual authentication approaches with, of course, IP recognition still being very beloved within the library community. A given library may be using any and/or all of these, which, of course, means that an individual user may be using any and/or all of these. So I myself as a researcher at my university use almost all of these on at least a weekly basis.
HINCHLIFFE: So just a quick big picture overview of what federated authentication through SAML/shibboleth looks like. We are using here just for convenience my institution and Ralph's publishing group. And then, of course, we have the users. Federated authentication is a way of building trust relationships between these different entities based on agreed-upon sharing of attributes and keeping the user logging in through their institution.
HINCHLIFFE: So they have that one institutional login, but where different publishers can serve as service providers. So in addition to ACS here, it could be EBSCO, it could be Springer Nature, it could be Wiley, Taylor & Francis, Brill. It could be any number of publishers. The identity provider, or the university in the case here, controls the information about the attributes about the user that gets sent to service providers.
HINCHLIFFE: So rather than users logging in directly on a publisher's site, they log in through the institution. And then the institution sends the needed attributes or characteristics to the publisher. That could be as little as, yes, this user is authorized to use this content, or it could be additional attributes that enable additional services or options that a user might want. What this really points to is obviously that collaboration is a key component of this.
HINCHLIFFE: Campus IT and libraries need to work together. We have to work to release the correct attributes that the library has negotiated in the contracts with the publisher, since that attribute release goes through our campus units. We've recently had a survey done by Seamless Access, the organization, which has documented that there's room for improvement in our communication among all parties here, and particularly with respect to libraries and campus IT working together.
HINCHLIFFE: So let me now turn this over to my colleague, Ralph, to say a little bit more about how things are actually working in the researcher community-- I'm sorry, in the publisher community. So let me go ahead and stop sharing and turn it over to Ralph.
RALPH YOUNGEN: Thanks, Lisa. I'll just get my screen up here. OK, thanks, Lisa. Yes, I'm Ralph Youngen. I'm the Senior Director of Digital Strategy at the American Chemical Society. But I've also been in leadership positions for the last several years on the two industry efforts that I'm going to be covering today. And so those are Seamless Access and GetFTR. So I want to start by just setting the stage that these two efforts really are focusing on-- they have different targets in mind.
RALPH YOUNGEN: So Seamless Access really is scoped for any service where it is important for a user to prove his or her institutional affiliation. So for example, a common use case in our industry would be remote access to a publisher site, as Lisa described in her section. GetFTR, on the other hand, really has as its target any of those research discovery services, those places where scholars tend to use search engines to discover scholarly works of interest.
RALPH YOUNGEN: That's what's in target for GetFTR. And I will unpack both of those a little bit more. So first, starting with Seamless Access, Seamless Access is all about implementing an improved user experience on top of the federated authentication infrastructure. So for many years, publishers supported federated authentication. But users had to search for their institution on every publisher site, every time that they tried to access content, while off of a recognized IP address range.
RALPH YOUNGEN: And every publisher implemented that search process a bit differently, as I've shown here. Well, Seamless Access really makes that a much more consistent user experience. So you'll see, I've got four publishers here showing their implementations of Seamless Access. And you'll see that the button where the user's home institution, the name of the home institution is listed provides a very consistent user experience across publisher sites so that it's effectively a one-click operation now, to just click that button to be able to validate their institutional affiliation.
RALPH YOUNGEN: So GetFTR, on the other hand, as I mentioned, is more focused on research discovery tools. And it is a collaboration among the five publishers listed here, ACS, Elsevier, Springer Nature, Taylor & Francis, and Wiley. So GetFTR works similarly to Google CASA. And some people aren't even aware of what Google CASA is. So if you are on campus and you do a search in Google Scholar, you would see these links coming up on the right hand side like I've highlighted here.
RALPH YOUNGEN: And those links take you directly to a publisher site. The idea with CASA, then, is that when you are off-campus and no longer on an institution's IP address range, those links still appear for you and those links still work and those links still give you access to content on a publisher's site. So CASA is the technology that basically remembers your institutional affiliation and makes those links work off-campus.
RALPH YOUNGEN: Well, GetFTR's target is really all publishers, all discovery services, really any place where a researcher might be accessing content or doing searches for content. So that could be discovery systems, that could be scientific collaboration networks, that could be library systems. Really, all those things are in scope for GetFTR. And today, you can see the discovery systems and collaboration networks that are using GetFTR.
RALPH YOUNGEN: On the right, you can see the publishers that have their content positioned with GetFTR. We have many more in the queue on both sides. And we'll be having many more announcements of additional partners that are coming online soon. So without GetFTR, for many years, we built that link between a discovery system and the content using a DOI. And the DOI works just fine if you're on campus and are IP authorized.
RALPH YOUNGEN: It is a seamless process to get to the research content. But when you're off-campus, when you're on a mobile device, it doesn't work as seamlessly. So the way GetFTR works is, it provides these smart links to the discovery system. And the reason we call these links smart links is because they work regardless of the user's context. If the user is on campus and on an IP authorized, recognized range, then when you click on that link, you land on a publisher's site.
RALPH YOUNGEN: And you are simply authorized through your IP address. Or if you're on a proxy server, they work exactly the same way. It would work fine. But if you are off-campus or not on a proxy server or a VPN server or anything like that, then these links provide federated authentication as a fallback option so that you can easily still gain access to the content. And also note that on the discovery service side, the discovery service also has the ability to indicate to the user before the user even clicks on the link that they would have access to the content.
RALPH YOUNGEN: So GetFTR turns links like this in Dimensions into these smart links. And I'm just showing you here that little snippet of the user experience, as I noted, where it says, OK, if you accessed through the University of Illinois at Urbana-Champaign, you would have access to this content. And similarly, this is in Mendeley. Similar user experience. If you click on that link, you would then-- if you have not previously logged into your campus infrastructure, you would get your normal campus login page.
RALPH YOUNGEN: If you logged in earlier, you wouldn't even see this page and you would just go right directly to the content itself. So that's the idea about GetFTR. Let me close with a couple thoughts on privacy and security. So first of all, in terms of privacy, I think it's really important to understand that both Seamless Access and GetFTR leverage the underlying federated authentication infrastructure but don't make any changes to it.
RALPH YOUNGEN: They simply are services that live on top of that foundational infrastructure. So in this context, attributes, as Lisa talked about, are really the key to ensuring patron privacy here. And the campus is in complete control of those attributes. And that's why it's so important to have that conversation that Lisa mentioned between libraries and campus IT. The Seamless Access initiative is working to make this easier for campuses.
RALPH YOUNGEN: We are going through a standards process right now to codify a set of attributes that can be used for library services. And we're also working on some model contract language, as well, that campuses could use in their contracts with service providers, too. So you'll be hearing more about that, I'm sure, later this year. In terms of cybersecurity, I think it's also important to note that we are at a period of heightened risk right now.
RALPH YOUNGEN: Campus patrons, as they are working remotely, they do not enjoy the benefit of the network security that they might have on campus. And unfortunately, that has meant that phishing attacks especially are more prevalent right now during this global pandemic. So in this context, I want to say in closing that there is an idea, a concept called using pseudonymous identifiers that can help to increase the security posture of the campus.
RALPH YOUNGEN: A pseudonymous identifier is really just a random string of letters and numbers that a campus can correlate to an actual university patron, but the service provider cannot. So both federated authentication, as well as now EZproxy, with the newest version of EZproxy, both support this concept. In federated authentication, you can send pseudonymous attributes to service providers.
RALPH YOUNGEN: And in EZproxy version 7.1, you have the option now of sending pseudonymous identifiers through a configuration in EZproxy. Now, some of the significant benefits here are that if a publisher detects some type of anomalous usage, which we do, and we have conversations today with campuses, that it can be very hard for the campus to locate the actual user with potentially suspected compromised credentials.
RALPH YOUNGEN: With pseudonymous identifiers, we could hand the campus a direct key that the campus could use, that opaque identifier could be used to identify the user by the campus and potentially track down who might have compromised credentials. The other thing is, today, it's common practice that publishers may suspend access to an IP address in the case of suspected abuse.
RALPH YOUNGEN: And in the future, we'll be able to do that by simply suspending the account that this identifier is associated with. And that's a significant advantage I think, because there, we're not potentially affecting hundreds or thousands of users in that case. And I just reemphasize that all of this can be done in a way that preserves patron privacy, as well.
RALPH YOUNGEN: So with that, I will stop. And I will turn it over to Vee.
VEE ROGACHEVA: Thank you very much, Ralph. OK. In the final part of this presentation, I would like to focus on the user experience and draw a connection between access, the learners and researchers expectations in the engagement with the library. My name is Vee Rogacheva, and I am a service design lead for OpenAthens.
VEE ROGACHEVA: Let me start by establishing the basics. Personalized research experience requires secure access. And that cannot be delivered by IP-based authentication alone. And this is important not only because personalization improves efficiency, helps learners and researchers find relevant content, and helps them connect to peers.
VEE ROGACHEVA: It is also important because this is what users expect. And anything less frustrates and disappoints. Nicholas Sandin from BookBeat says, "We are in competition with Netflix, Spotify, and Instagram for share of users' time." Content aside, because it is difficult to compare the bingeing done on Netflix with the latest discoveries in 14th century English history, what we are competing with is this highly personalized experience that makes it so easy to keep users engaged.
VEE ROGACHEVA: Now, even if your institution has access all sorted, that in itself does not guarantee that personalized researcher experience. That is something that the publisher platform or the learning tool needs to put in place as well. And many of them do. Here is a quote from [INAUDIBLE] Chief Information Officer, where he describes the benefits of that personalized experience.
VEE ROGACHEVA: "Online platforms powered by artificial intelligence can understand what the researcher is working on and provide relevant information at the right time." Secure and reliable access is the foundation for these kinds of features. In my role as a service designer here in OpenAthens, I often visit libraries and study student experience and their behavior.
VEE ROGACHEVA: Pre-pandemic, I visited the university library you see in the picture. At the time I was there, the place was packed full of students. So I asked the head librarian, "Why are there so many students in the library today?" And she said, "Oh, our students love to spend time in the library." Now, look at this space.
VEE ROGACHEVA: It's practically a basement. It just about has windows. People were crammed in these long rows of desks. It is like a call center from hell. Why would someone want to spend time here? Why would students love to spend time here when there are so many much more enjoyable places they could be at? You probably guessed it.
VEE ROGACHEVA: What the real answer was is that students were having trouble accessing library content remotely. In the post-pandemic world, things are different. We see online learning being the go-to model for most institutions around the world. Online learning and remote access to resources is no longer a luxury. It's a necessity. And it wasn't a surprise when I saw reports suggesting that students are actually enjoying the flexibility the blended approach to learning offers.
VEE ROGACHEVA: Now, I have to put a disclaimer here. For many, total lockdown and prolonged isolation is really hard. The consequences of the pandemic are complex and stretch beyond the adoption of a particular technology. It will take a long time to assess the full impact the accelerated adoption of online learning has had.
VEE ROGACHEVA: When university campuses in the UK were first closed back in March last year, my team and I found that students embraced technologies like Zoom and Slack and WhatsApp very quickly, and continued in a collaborative manner with their studies remotely. Most students felt they had everything they needed to access online content.
VEE ROGACHEVA: Those whose studies required more research were familiar with the library portals. But it was clear that not everybody made good use of the library resources available to them. Study after study, we find that Google is the most widely-used content discovery tool. However, not starting the research journey on the library portal means, as Ralph mentioned earlier, that there is no way for students to know if they have access to the content or not.
VEE ROGACHEVA: As a result, some students naturally develop a preference for open access content. And we see a rise in platforms like ResearchGate, which Lisa mentioned. In a more recent study, we surveyed over 100 librarians in the Global South. My team found that remote access in combination with digital experiences that work on mobile are top of the library wish list.
VEE ROGACHEVA: However, only 22% of the institutions we surveyed had an authentication system in place. To provide remote access, libraries would download and share article PDFs with researchers. Copyright issues aside, this is as far from the highly personalized Google, Netflix, and [INAUDIBLE] experiences as possible. Ensuring that access to content works is not the most exciting job for a librarian.
VEE ROGACHEVA: But it is essential to ensure learners and researchers get the experience they expect and deserve. And that's why we're so passionate about what we do here in OpenAthens. Our library access management system is used by libraries all around the world and supports daily access to resources for millions of learners and researchers. Our service provider products help publishers and service providers make the most of SAML authentication and support the Seamless Access button implementation.
VEE ROGACHEVA: So let me recap. Remote access to resources is a necessity. And for a lot of libraries, this is still a burning problem. IP-based access doesn't offer the flexibility learners and researchers expect. The idea that to do research, one has to be present at the library or follow a predefined journey to content drives researchers away from the library services.
VEE ROGACHEVA: SAML authentication does not guarantee personalized research experience. But there are lots of platforms already that offer that kind of a feature. Which leads me to my final point, without secure authentication, personalized research is not possible. Thank you very much.
VEE ROGACHEVA: Over to you, [? Jenetta. ?]
SPEAKER 1: Thank you, Lisa, Ralph, and Vee for sharing information on this important topic. And thanks to all of you for joining us. And now we will begin our discussion. [GENTLE MUSIC]