Frequently Asked Questions – for libraries and library service providers – AARC I Authentication and Authorisation for Research and Collaboration

AARC toolkit for libraries and library service providers

Frequently Asked Questions – for libraries and library service providers

What do ‘authentication and authorisation’ and ‘federated access management’ mean?

To manage access to library resources and online services, there needs to be a way to digitally identify library users and allow or deny access based on their identity.

Usually, every online service requires a separate account. This can be a headache: service providers have to manage huge numbers of accounts and details, and users have to juggle multiple usernames and passwords, which also weakens security.

Federated access to e-resources is based on the digital identities are provided to users by their home research or education institution. The process of checking with the identity provider that a user is authentic – they are who they say they are – is called ‘authentication’. The process of deciding whether or not a user is authorised to access any given service or resource is based on that user information and is called ‘authorisation’. With their single online identity, authorised users can access any services that are available locally within their identity-providing institution.

To bring together a wider pool of users and services, research and education identity federations were created to build trust between the identity-providers and service providers.

Identity federations interconnect libraries and library service providers on a national level. The interconnection of these federations of libraries and library service providers on an international and world-wide level is called interfederation. Commercial interfederation takes place through OpenAthens and academic interfederation through the eduGAIN service.

See AARC Federations 101 for a basic introduction to identity federations.

Why should libraries and library service providers care about federated access management?

Federated access management provides several benefits to libraries, library service providers and their users.

Users need only one set of credentials instead of many, they experience much higher security levels, can access facilities outside their institutions and enjoy a much better user experience when accessing services.

Libraries have a much more visible role and can integrate library services with virtual research environments. For university libraries, identity management will be easier in the long term. It is also the best user experience libraries can provide to their patrons for accessing vast library resources.

Library service providers can gain a larger audience of users nationally and internationally. Because the users are trusted by their identity providers – their home institutions – and the identity providers handle the user accounts, there’s a reduced overhead for accounts and user support, so the cost per user is lowered. The users also enjoy a better experience of using your service when accessing library resources with federated authentication and single-sign-on. And there are security benefits for service providers, particularly when the Sirtfi framework is employed.

See the AARC factsheet for libraries and the AARC leaflet for service providers “How to reach global customers with federated identity management” (PDF).

How can I better understand what happens if someone logs in and federated access is in place?

If you want to know more about what happens when a user logs in with federated access, have a look at the SWITCH On-line Demo. Workflows at several levels of detail are described here.

If you want to go for a more fun approach, play the AARC Federated authentication roleplay (PDF).

Should library service providers be registered to participate in eduGAIN interfederation?

If you offer an international service it is highly recommended to register your service provider in eduGAIN, via your national identity federation. This will give you access to a larger pool of potential users, while avoiding the need to make multiple individual agreements with different individual organisations. There is a comprehensive guide on How to join eduGAIN as a service provider.

It is a good idea for service providers to provide users with Single-Sign-On, right?

Yes, this is strongly recommended, as users can then enjoy a seamless and improved the user experience. Service Providers can link their local accounts to the accounts that users are provided by their institutions.

Are there any guidelines on how to optimise the user experience, i.e. ‘Discovery’ and WAYFless links?

Usually, if users go from a library portal to an e-resource, they have to go through a ‘discovery’ service asking “Where are you from” (WAYF). This is a component which guides a user to login at their home organisation in order to gain federated access to the resource. A consistent approach to presenting this process can remove any confusion for users, as they learn where to look on the screen for recognisable buttons and prompts.

Recommendations about how library service providers can best implement the discovery service are available: REFEDS discovery guide. Note that international service providers will need eduGAIN level discovery.

The top recommendations are:

Position the institution login button in top right corner
If you are a national service provider only, include the national identity federation logo next to the institutional login button.
If you are an international service provider, put the eduGAIN logo next to Institutional login button
User name and user affiliated organisation name at top right corner after login
Position logout button at top right corner too
Support both single-sign-on and single logout
Support for certificate rollout at Identity Provider

Libraries can make things even easier if their portals have WAYFless links, so users can skip this step and go to the e-resource straight away.

You may like to have a look at the WAYFless links that have been deployed at the Moravian Library e-resources web page for EBSCOhost, Proquest Central, Proquest Ebook Central, SpringerLink, Web Of Science, and Oxford Music Online.

Are there any recommendations for library service providers regarding WAYFless links?

Library service providers should provide library administrators with WAYFless links on a database level right after federated authentication for that library has been activated. WAYFless links at the article, journal, book level should also be described in any help documentation.

WAYFless URLs are links that libraries can create to allow their users to directly access a content item using federated authentication (e.g., Shibboleth) credentials without having to detour through the service provider institutional login page. “WAYF” stands for “Where Are You From” and indicates the institutional login page selection list that a user would otherwise have to select from in order to identify their institution.

For libraries that often have guest or visiting scientists – is there a federated authentication solution for walk-in users?

In the AARC project, we piloted a possible solution that helps libraries to allow all users – even those without institutional accounts – to be able to access federated e-resources. Have a look at the pilot for walk-in users and give us your feedback via the online survey.

For libraries that grant access to resources based on IP addresses, what are the benefits of running EZproxy?

In many libraries, EZproxy has been used as a solution for remote access to e-resources. However, EZproxy can also be used in a way that delivers quick, federated access to e-resources even if these e-resources currently only support IP-based authentication. This gives users one consistent method of authentication to access both federated and non-federated e-resources.

The EZproxy configuration that makes this possible was piloted and documented by the AARC project. Try it out and give us your feedback via the online survey.

Does the exchange of information about users comply with data protection legislation?

Once a library has registered its identity provider to participate in eduGAIN interfederation, the identity provider must be configured to provide user information to service providers as needed. Currently, the best way for identity providers to provide appropriate user information to service providers and for handling security information come through the use of Codes of Conduct, Sirtfi, and ‘entity categories’ such as Research and Scholarship. These categories group together federation entities that share common criteria and conform to the characteristics that define that category. Supporting the Codes of Conduct is a recommended way of complying with the European Union’s General Data Protection Regulations (GDPR), which come into force in May 2018.

Have a look at the AARC Recommendations and Template Policies for the Processing of Personal Data.

What does the GÉANT Code of Conduct do for library service providers?

Supporting the GÉANT Code of Conduct gives library service providers a way to define the attributes that they need to receive from library identity providers in order to be able to provide a service requested for users.

What about the REFEDS Research and Scholarship entity category?

If you provide an academic service it is highly recommended to take advantage of the REFEDS Research and Scholarship entity category in order to obtain requested attributes from identity providers.

What is Sirtfi and what does it do?

The Security Incident Response Trust Framework for Federated Identity (Sirtfi) enables the coordination of incident response across federated organisations. You are invited to watch the recorded AARC webinar with an introduction to Sirtfi to find out more.

Are there recommendations for library service providers regarding authorisation?

It is recommend to use eduPersonEntitlement attribute values for authorisation. The entitlement value urn:mace:dir:entitlement:common-lib-terms for the eduPersonEntitlement attribute is a well-defined and widely accepted entitlement value. It is used for access to licensed content from information publishers.

How can library service providers support users with multiple affiliations within one organisation?

Library service providers can support users who have multiple affiliations from within one organisation by using eduPersonEntitlement attribute values. In the entitlement attribute, identity providers provide all user affiliations within the organisation for the purpose of authorisation by service providers.

Are there some services that support users with multiple affliations from different organisations?

There are some, for example the Czech national library portal can support multiple user affiliations. In the portal, users can link their identities from multiple organisations. The portal provides users with unified services based on all their affiliated organisations.

Is there a way for library service providers to implement federated authentication in mobile apps?

We’d like to recommend a solution for federated login to non-web applications from SURFnet.