[Eril-l] [EXTERNAL] OpenAthens vs campus federated SSO?

Electronic Resources in Libraries discussion list eril-l at lists.eril-l.org
Thu May 23 07:32:22 PDT 2024


Hi Melissa,

I will add a note about the benefit of OpenAthens in unique ID pseudonymization, helping to protect patrons and their PII as they interact with resources online. Within default (patron) attribute releases in an OpenAthens federated/SAML authentication connection, each patron / OpenAthens resource pair (note: some vendors group all their resource offerings into one OpenAthens "resource" connection and others split them out) generates a unique user pseudonym (a long alphanumeric character string) so that platform activity generally cannot be traced by a resource provider back to a specific person, but only to the patron's organization. The patron is left with the choice of volunteering personal information to each resource provider themselves. The pseudonymous attributes Targeted ID/Pairwise-ID are defined at https://docs.openathens.net/libraries/about-released-attributes. Within a general SAML-based system managed by the institution's IT, I'm not sure that this pseudonym layer is in place as a default or that it's at that unique-pair level. You'd also have to work with your University IT administrator to ensure that no more patron attributes are released to resource providers than are necessary for accessing each specific e-resource, including patron-identifiable attributes, when a federated connection is established with each new product (in my case, releasing the "organizational email address" attribute would hand a provider personal names too). I think in general a university IT team frequently works with setting up federated auth connections for things like the institution's course management system or a student portal, where more specific patron-level data is needed for key functionality. It is possible that an IT team might not be aware that very few attributes need be released to library resource providers for key function, even though resource providers can accept additional attributes.
Not being familiar with Canarie, I'd assume the Canarie federation has an agreed upon/defined list of attributes that need to exist locally, but still leaves local IT in control of which attributes are actually released to third-party resource providers during access attempts.

At UToledo we integrated OpenAthens so that our OpenAthens is situated between vendor authentication points and our university's Active Directory Federation Service/SSO (will eventually move to Azure). So patrons still log in through the university SSO screen for library e-resources, while the Libraries benefit from University IT's management of university SSO patron credentials/etc., and the Libraries have a reduced selection of attributes (decided by University IT during OpenAthens implementation and mostly FERPA "directory information" attributes) that the Libraries' OpenAthens administrator can configure OpenAthens to release for a specific federated resource connection when a library resource provider requires data beyond the OpenAthens default attribute release (very rare). The Libraries are in control of which OpenAthens federated resource connections are active, so these can be established or turned off as library subscriptions change. Depending on what patron groups your org has set up in AD/Azure, the Libraries' OpenAthens administrator may then also modulate e-resource access by inherited patron groups to align with a license's "authorized user" definition. For example, in our setup OpenAthens will deny/block any UToledo persons unauthorized for but attempting a law-library-only e-resource, based on the lack of the UToledo Law Library AD group assignment.

Hope this helps,
Clare

Clare Keating
Electronic Resources Librarian
University Libraries
Carlson Library- 3009D, Mail Stop #509
2801 W. Bancroft St.
Toledo, Ohio 43606-3390
419.530.2614
clare.keating at utoledo.edu
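The three controls Clare describes above (a pseudonym that is stable for one patron/resource pair but differs between resource providers, a default release of only the minimum attributes with per-connection exceptions, and group-based denial to match a license's "authorized user" definition) can be sketched in a small model. The following is an added illustration written for this thread, not OpenAthens code or the UToledo configuration; the directory records, entity IDs, group names and the HMAC-based pseudonym derivation are constructed assumptions standing in for whatever a real IdP uses.

```python
import hashlib
import hmac

# Constructed sample directory: what the campus IdP knows about each patron.
# These records are made up for the example and are not real patron data.
DIRECTORY = {
    "jdoe": {
        "mail": "jdoe@example.edu",
        "displayName": "Jane Doe",
        "eduPersonScopedAffiliation": "member@example.edu",
        "groups": {"students", "law-library"},
    },
    "asmith": {
        "mail": "asmith@example.edu",
        "displayName": "Alex Smith",
        "eduPersonScopedAffiliation": "member@example.edu",
        "groups": {"students"},
    },
}

# Per-connection release policy (entity IDs are hypothetical). The default
# release is only the pairwise pseudonym plus affiliation; any extra attribute
# must be listed explicitly for that one service provider, and a connection
# that is not listed here is treated as not allocated (deny).
DEFAULT_RELEASE = ("pairwise-id", "eduPersonScopedAffiliation")
SP_POLICY = {
    "https://sp.example-journals.test/saml": {"extra_attrs": (), "required_groups": set()},
    "https://sp.law-database.test/saml": {"extra_attrs": (), "required_groups": {"law-library"}},
    "https://sp.vendor-needs-email.test/saml": {"extra_attrs": ("mail",), "required_groups": set()},
}

IDP_SECRET = b"constructed-idp-salt-not-a-real-secret"  # held only by the IdP
SCOPE = "example.edu"


class AccessDenied(Exception):
    """Raised when the IdP refuses to issue an assertion for this patron/SP pair."""


def pairwise_id(user_id: str, sp_entity_id: str, secret: bytes = IDP_SECRET) -> str:
    """Pseudonym that is constant for one (patron, SP) pair but unlinkable across SPs.

    An HMAC over the SP entity ID and the internal user ID, keyed with an
    IdP-held secret, is used here as a stand-in: a provider cannot invert it
    to the patron, and two providers cannot correlate their values.
    """
    material = f"{sp_entity_id}!{user_id}".encode()
    digest = hmac.new(secret, material, hashlib.sha256).hexdigest()
    return f"{digest}@{SCOPE}"


def build_assertion(user_id: str, sp_entity_id: str) -> dict:
    """Apply group authorization, then release only the policy-approved attributes."""
    record = DIRECTORY[user_id]
    policy = SP_POLICY.get(sp_entity_id)
    if policy is None:
        raise AccessDenied(f"no federated connection allocated for {sp_entity_id}")

    # Licence "authorized user" check: deny when a required group is missing.
    missing = policy["required_groups"] - record["groups"]
    if missing:
        raise AccessDenied(
            f"{user_id} lacks group(s) {sorted(missing)} required by {sp_entity_id}"
        )

    attrs = {
        "pairwise-id": pairwise_id(user_id, sp_entity_id),
        "eduPersonScopedAffiliation": record["eduPersonScopedAffiliation"],
    }
    # Only the explicitly approved extras for this connection are added;
    # identifying values such as displayName never leave unless listed.
    for name in policy["extra_attrs"]:
        attrs[name] = record[name]
    return attrs


if __name__ == "__main__":
    print(build_assertion("jdoe", "https://sp.example-journals.test/saml"))
    try:
        build_assertion("asmith", "https://sp.law-database.test/saml")
    except AccessDenied as exc:
        print("denied:", exc)
```

Running it shows the journal provider receiving only a pseudonym and an affiliation, the law database refusing the patron without the law-library group, and the one connection configured to release `mail` handing over an address that, as Clare notes, effectively carries the patron's name as well.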


-----Original Message-----
From: Eril-l <eril-l-bounces at lists.eril-l.org> On Behalf Of Electronic Resources in Libraries discussion list via Eril-l
Sent: Wednesday, May 22, 2024 10:13 AM
To: eril-l at lists.eril-l.org
Subject: [EXTERNAL] [Eril-l] OpenAthens vs campus federated SSO?

Hi Melissa,

I had the same question when my library was considering the jump to federated access. From my perspective and if I'm understanding correctly, three major issues come to mind:

Even though you'd be authenticating via your institution's Shib to Canarie, you'd still need to configure and maintain a local IdP instance for authorization to every SP (vendor or publisher) with whom you want to establish a trusted connection. OpenAthens maintains almost 500 of these IdP configurations in its resource catalogue, so all you have to do is allocate a resource and the connection is established, since OpenAthens serves as our IdP. If one isn't available we simply contact EBSCO support, who creates one for us.

A surprising number of publishers still don't support federated access, so for those that still use IP authentication you'd need to continue using EZproxy, which means you'd have to maintain, support, and pay for dual authentication systems. OpenAthens is a turnkey solution since IP-based and federated access are both supported in OpenAthens.

This may be deemed a lesser issue, but typically Shib is maintained by your campus's IT shop, so if you're piggybacking on this you'd have to use whatever branding they have in place. You wouldn't be able to maintain consistent library branding and imagery across your access points, which is important to our patrons' user experience.

I hope this helps clarify. Please feel free to contact me off-list if you'd like more detail. Best of luck!

Regards,
John

__________________________________
John Felts
Head of Information Technology and Collections
University Libraries / Coastal Carolina University
376 University Boulevard
Conway SC 29526
843-349-5040


------------------------------

Message: 4
Date: Tue, 21 May 2024 17:22:08 +0000
From: Electronic Resources in Libraries discussion list <eril-l at lists.eril-l.org>
To: ERIL-L listserv <eril-l at lists.eril-l.org>
Subject: [Eril-l] OpenAthens vs campus federated SSO?
Message-ID: <mailman.597.1716312135.1238482.eril-l-eril-l.org at lists.eril-l.org>
Content-Type: text/plain; charset="utf-8"

Hi, all.
We use EZproxy generally (self-hosted), but as our campus implemented first Shibboleth and is now moving this summer to Azure, and is associated with the big Canadian SAML federation Canarie, we've been finding more and more major library content providers supporting that kind of off-campus "login via your institution", some of which didn't even contact us to configure it, but just got up and running for us from the Canarie service.

In light of that trend, I'm wondering what advantages there still are to using Open Athens (which I've been wanting to get for years but didn't have the budget or systems support for).

If any of you have Open Athens and your campus also provides SSO through that kind of SAML service, can you please tell me what OA is doing for you that makes it still worth the cost?

Melissa Belvadi
Collections Librarian
University of Prince Edward Island
mbelvadi at upei.ca
902-566-0581
ORCID iD: 0000-0002-4433-0189
My public calendar: https://outlook.office365.com/owa/calendar/0fbab27c909e4493be65313bd66d66b6@upei.ca/5fa60af92c6d451c9ddf90c0bb11e00f15552192987609852692/calendar.html
Make an appointment via YouCanBookMe: https://mbelvadi.youcanbook.me/
My pronouns are ????/???????
My emails are sent during the hours that I work and I understand that you will respond during the hours that you work.
