[Eril-l] SSO/SAML and attributes vendors want but maybe don't need? data grab?
Electronic Resources in Libraries discussion list
eril-l at lists.eril-l.org
Tue Nov 11 06:32:03 PST 2025
As Chandler said, some libraries work with their IAM departments to create a default SSO attribute bundle. The US has its own federation, InCommon, but I'm not sure how many librarians are aware of it, PLUS not all vendors are a part of the federation.
If we collectively decide that we only share a specific attribute bundle a la Cornell, then vendors will have to meet those base expectations.
A key part of pushing back against digital surveillance is understanding which attributes are anonymous, pseudonymous, or personalized, and being able to tell vendor IT that my library can support this attribute, not that one.
Best wishes,
Zhaneille
Zhaneille Green (she/her)
E-Access Librarian
Electronic Resources Access & Discovery
Duke University Libraries
________________________________
From: Eril-l <eril-l-bounces at lists.eril-l.org> on behalf of eril-l-request at lists.eril-l.org <eril-l-request at lists.eril-l.org>
Sent: Monday, November 10, 2025 4:01 PM
To: eril-l at lists.eril-l.org <eril-l at lists.eril-l.org>
Subject: Eril-l Digest, Vol 132, Issue 7
Today's Topics:
1. SSO/SAML and attributes vendors want but maybe don't need?
data grab? (Electronic Resources in Libraries discussion list)
2. Re: SSO/SAML and attributes vendors want but maybe don't
need? data grab? (Electronic Resources in Libraries discussion list)
3. Re: SSO/SAML and attributes vendors want but maybe don't
need? data grab? (Electronic Resources in Libraries discussion list)
4. Primary Research Group has published the Survey of Library
Science Faculty: Developments in Library Science Curriculum, ISBN
979-8-88517-320-9 (Electronic Resources in Libraries discussion list)
----------------------------------------------------------------------
Message: 1
Date: Mon, 10 Nov 2025 15:37:20 +0000
From: Electronic Resources in Libraries discussion list
<eril-l at lists.eril-l.org>
To: ERIL-L listserv <eril-l at lists.eril-l.org>
Subject: [Eril-l] SSO/SAML and attributes vendors want but maybe don't
need? data grab?
Message-ID:
<mailman.781.1762789079.464760.eril-l-eril-l.org at lists.eril-l.org>
Content-Type: text/plain; charset="utf-8"
Hi, all.
I'm still trying to understand what the vendor movements away from IP authentication and especially for off-campus users mean, and have gotten some help from Gemini.
UPEI belongs to the Canadian Access Federation (CAF), and we use MS Azure as our SSO system for our IdP.
As I understand it, all our vendors need to know about our users is the same as what they knew about them when using ezproxy for off-campus access, which is that this user has authenticated as a UPEI valid user.
According to a sample test I ran, our IdP doesn't send out any specific attributes, but it does tell the service provider that this person is a valid UPEI person and provides a persistent "name" code that is anonymized.
Below is how Gemini explained it:
So, while the service provider learned nothing about your personal identity (not your name, role, or email), it learned everything it needs to know about your institutional context.
By accepting this SAML assertion, the service provider is implicitly saying: "I have received a digitally signed, unforgeable message from the official authentication authority for UPEI, and that authority vouches for the fact that they have successfully authenticated one of their valid users."
This is the core of federated identity: authentication is handled entirely by the home institution. The service provider doesn't need to know who you are, only that UPEI has confirmed you are a legitimate member of its community.
However, almost all of the library providers I have dealt with so far to configure SSO authentication have required us to take extra steps to provide them with more specific "attributes" like "eduPersonScopedAffiliation", and sometimes even PII (personally identifiable information) including first and last name and email address.
The vendor could use that persistent "pseudonym" code to allow this specific UPEI user to create whatever kind of personalized account services (e.g. saving searches) that vendor's platform has.
So it seems to my suspicious mind that our vendors are taking advantage of the move towards SSO to get from us far more user-specific data than they actually need to provide the services we are paying for. They didn't have a problem for decades with providing their content to users who offered nothing more than our Ezproxy server's IP address. But suddenly they "need" PII to provide that same access?
Is anyone/any library organization pushing back on this? What can we librarians do? Do we have to work with our IT depts to convince them to get their SAML/SSO providers (like Microsoft for Azure) to include more anonymizing options so we can send fake names and email addresses when our vendors demand them?
I would guess that the European institutions have already been able to solve this, given the GDPR (which we in North America badly need too). How did you do it? What did you say to the vendors? Are there any "magic words" to get them to admit they don't need all those attributes they are demanding from us?
Melissa Belvadi
Collections Librarian
University of Prince Edward Island
mbelvadi at upei.ca 902-566-0581
ORCID iD: 0000-0002-4433-0189
my public calendar <https://outlook.office365.com/owa/calendar/0fbab27c909e4493be65313bd66d66b6@upei.ca/5fa60af92c6d451c9ddf90c0bb11e00f15552192987609852692/calendar.html>
My emails are sent during the hours that I work and I understand that you will respond during the hours that you work.
Make an appointment: Use YouCanBookMe https://mbelvadi.youcanbook.me/
or for other MS365 / Outlook users, including UPEI people:
Book time to meet with me <https://outlook.office.com/bookwithme/user/0fbab27c909e4493be65313bd66d66b6@upei.ca?anonymous&ismsaljsauthenabled&ep=bwmEmailSignature>
------------------------------
Message: 2
Date: Mon, 10 Nov 2025 16:29:04 +0000
From: Electronic Resources in Libraries discussion list
<eril-l at lists.eril-l.org>
To: Electronic Resources in Libraries discussion list
<eril-l at lists.eril-l.org>
Subject: Re: [Eril-l] SSO/SAML and attributes vendors want but maybe
don't need? data grab?
Message-ID:
<mailman.814.1762792210.464759.eril-l-eril-l.org at lists.eril-l.org>
Content-Type: text/plain; charset="utf-8"
Many library workers do not understand that it is the library/university that controls the SSO attribute set that is released to the vendor. Our Cornell Library default SSO attribute set are these, none of which include name:
EduPersonAffiliation
EduPersonOrgDN
EduPersonEntitlement
EduPersonPrimaryaffiliation
EduPersonScopedAffiliation
transitID
If a vendor says they need personal data, we push back and ask them why they need it for the service to function. Ideally these negotiations happen before the license is signed. We have a good working relationship with the campus identity management unit. We did a presentation last spring that describes some of our efforts to protect readers.
Raub, Emma, Jesse Koennecke, and Adam Chandler. "Cookies & PII: Baking: Values into Library Privacy." Electronic Resources & Libraries 2025, Austin, TX, March 24, 2025. https://hdl.handle.net/1813/116786.
I'm interested in hearing from others about their efforts to resist vendor moves to cash in on surveillance capitalism.
Adam
Adam Chandler
Director, Automation, Assessment, and Post-Cataloging Services
Library Technical Services
Cornell University Library
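An added example, not part of any list member's message: a Python audit of a decoded test assertion that compares what an IdP actually releases against the default bundle listed in the message above and sorts each item as anonymous, pseudonymous or personalized, the distinction raised in the top reply. The sample assertion, the classification tables and the function names are constructed for illustration; signature validation is out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Default bundle from the thread, lowercased; "transitid" is kept as spelled there.
APPROVED_BUNDLE = {
    "edupersonaffiliation", "edupersonorgdn", "edupersonentitlement",
    "edupersonprimaryaffiliation", "edupersonscopedaffiliation", "transitid",
}

# Assumed classification tables: adjust to local policy.
# Entitlement values are treated as group-level, not per-person.
ANONYMOUS = {
    "edupersonaffiliation", "edupersonorgdn", "edupersonentitlement",
    "edupersonprimaryaffiliation", "edupersonscopedaffiliation",
}
PSEUDONYMOUS = {"edupersontargetedid", "pairwise-id"}
PERSONALIZED = {
    "givenname", "sn", "surname", "mail", "emailaddress", "displayname",
    "name", "cn", "uid", "edupersonprincipalname",
}
NAMEID_CLASS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient": "anonymous",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent": "pseudonymous",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": "personalized",
}

# Constructed sample: a persistent NameID plus one approved and two extra attributes.
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">opaque-constructed-value</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
      <saml:AttributeValue>member@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>reader@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml:AttributeValue>Reader</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def short_name(attr):
    """Prefer FriendlyName; otherwise use the last segment of the Name URI/URN."""
    friendly = attr.get("FriendlyName")
    if friendly:
        return friendly.lower()
    name = attr.get("Name", "")
    return name.replace(":", "/").rstrip("/").rsplit("/", 1)[-1].lower()


def classify(name):
    if name in ANONYMOUS:
        return "anonymous"
    if name in PSEUDONYMOUS:
        return "pseudonymous"
    if name in PERSONALIZED:
        return "personalized"
    return "unknown"  # e.g. a bare OID with no FriendlyName: review by hand


def audit_assertion(xml_text):
    """Return (name, class, approved) for the NameID and every released attribute."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    if nameid is not None:
        klass = NAMEID_CLASS.get(nameid.get("Format", ""), "unknown")
        # Assumption: a NameID is acceptable unless it identifies the person.
        findings.append(("NameID", klass, klass in ("anonymous", "pseudonymous")))
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = short_name(attr)
        findings.append((name, classify(name), name in APPROVED_BUNDLE))
    return findings


def over_release(findings):
    """Names released outside the approved bundle."""
    return [name for name, _klass, approved in findings if not approved]


if __name__ == "__main__":
    for name, klass, approved in audit_assertion(SAMPLE_ASSERTION):
        print(f"{name:28} {klass:13} {'ok' if approved else 'NOT IN BUNDLE'}")
```

Run it against a test login captured from your own IdP (for example with a browser SAML tracer) before and after a vendor integration is configured, and parse anything you did not generate yourself with a hardened XML parser.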
------------------------------
Message: 3
Date: Mon, 10 Nov 2025 16:48:07 +0000
From: Electronic Resources in Libraries discussion list
<eril-l at lists.eril-l.org>
To: ERIL-L listserv <eril-l at lists.eril-l.org>
Subject: Re: [Eril-l] SSO/SAML and attributes vendors want but maybe
don't need? data grab?
Message-ID:
<mailman.825.1762793518.464758.eril-l-eril-l.org at lists.eril-l.org>
Content-Type: text/plain; charset="utf-8"
Hello. This was part of the impetus for my "Licensing Privacy" work. You can find all the white papers and related webinars here: https://publish.illinois.edu/licensingprivacy/ Unfortunately, though there was a lot of interest, I'm not sure many libraries have privacy at the top of their priority stack. Lisa
____
Lisa Janicke Hinchliffe
Professor & Coordinator for Research Professional Development, University Library
Affiliate Faculty, School of Information Sciences, Center for Social & Behavioral Science, European Union Center, & Center for Global Studies
Library 434, University of Illinois, 1408 West Gregory Drive, Urbana, Illinois 61801
ljanicke at illinois.edu, 217-333-1323 (v), 217-244-4358 (f)
------------------------------
Message: 4
Date: Mon, 10 Nov 2025 16:24:55 -0400
From: Electronic Resources in Libraries discussion list
<eril-l at lists.eril-l.org>
To: eril-l at lists.eril-l.org
Subject: [Eril-l] Primary Research Group has published the Survey of
Library Science Faculty: Developments in Library Science Curriculum,
ISBN 979-8-88517-320-9
Message-ID:
<mailman.830.1762806442.464759.eril-l-eril-l.org at lists.eril-l.org>
Content-Type: text/plain; charset="utf-8"
This comprehensive study offers an in-depth look at how library science
programs across the United States are evolving to meet emerging demand for
new library science courses and curricula.
*What's Inside the Report?*
Drawing on survey data from library science faculty at institutions of all
ranks and sizes, the report explores current trends, challenges, and
innovations in library science education. Readers will find:
- Faculty perspectives on curriculum modernization, technology
integration, and the balance between theory and practice.
- Quantitative and qualitative insights into the ease of developing new
courses, the demand for artificial intelligence (AI) content, and alignment
with job market needs.
- Breakdowns by institution type, enrollment, academic title, and more.
*Five Key Findings from the Survey*
1. *Strong Demand for AI in Curricula*
Nearly 80% of faculty support offering a basic course in artificial
intelligence, with a sizable minority already implementing such courses.
However, 64% believe current AI coverage is insufficient, signaling a major
area for growth.
2. *Job Market Alignment Is a Priority*
About 73% of respondents agree that library science curricula should more
closely reflect professional requirements and job market demands,
especially among mid-ranked programs and faculty teaching two courses.
3. *Skills Gaps in Programming and Management*
Programming and management skills are notably under-emphasized, with 44% of
faculty indicating that programming is not taught enough and a similar
share expressing concern about management training.
4. *Experiential Learning and Technology Integration*
Faculty across all tiers advocate for more hands-on, practice-based
learning and greater integration of emerging technologies such as AI,
blockchain, and cloud computing. Calls for curricular flexibility and
modernization are widespread.
5. *Equity and Inclusion Content Is Polarized*
While nearly half of respondents feel equity issues are covered "about
right," views diverge sharply by institution type and political
orientation, with some calling for more emphasis and others for less.
*Availability*
To view an excerpt and table of contents, follow this link:
https://primaryresearch.com/AddCart.aspx?ReportID=866.
End of Eril-l Digest, Vol 132, Issue 7
**************************************