<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
@font-face
{font-family:"Nirmala UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:Roboto;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle21
{mso-style-type:personal-compose;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Many library workers do not understand that it is the library/university that controls the SSO attribute set that is released to the vendor. Our Cornell Library default SSO attribute set are these, none of which include name:
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">EduPersonAffiliation <o:p></o:p></p>
<p class="MsoNormal">EduPersonOrgDN <o:p></o:p></p>
<p class="MsoNormal">EduPersonEntitlement <o:p></o:p></p>
<p class="MsoNormal">EduPersonPrimaryaffiliation <o:p></o:p></p>
<p class="MsoNormal">EduPersonScopedAffiliation <o:p></o:p></p>
<p class="MsoNormal">transitID <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If vendor says they need personal data we push back and ask them why they need it for the service to function. Ideally these negotiations happen
<i>before</i> the license is signed. We have a good working relationship with campus identity management unit. We did a presentation last spring that describes some of our efforts to protect readers.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Raub, Emma, Jesse Koennecke, and Adam Chandler. “Cookies & PII: Baking: Values into Library Privacy.” Electronic Resources & Libraries 2025, Austin, TX, March 24, 2025.
<a href="https://hdl.handle.net/1813/116786">https://hdl.handle.net/1813/116786</a>.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m interested in hearing from others about their efforts to resist vendor moves to cash in on surveillance capitalism.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Adam<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Adam Chandler<o:p></o:p></p>
<p class="MsoNormal">Director, Automation, Assessment, and Post-Cataloging Services<o:p></o:p></p>
<p class="MsoNormal">Library Technical Services<o:p></o:p></p>
<p class="MsoNormal">Cornell University Library<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Eril-l <eril-l-bounces@lists.eril-l.org>
<b>On Behalf Of </b>Electronic Resources in Libraries discussion list via Eril-l<br>
<b>Sent:</b> Monday, November 10, 2025 10:37 AM<br>
<b>To:</b> ERIL-L listserv <eril-l@lists.eril-l.org><br>
<b>Subject:</b> [Eril-l] SSO/SAML and attributes vendors want but maybe don't need? data grab?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Hi, all.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">I'm still trying to understand what the vendor movements away from IP authentication and especially for off-campus users mean, and have gotten some help from Gemini.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">UPEI belongs to the Canadian Access Federation (CAF), and we use MS Azure as our SSO system for our IdP.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">As I understand it, all our vendors need to know about our users is the same as what they knew about them when using ezproxy for off-campus access, which is that this user has authenticated
as a UPEI valid user.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">According to a sample test I ran, our IdP doesn't send out any specific attributes, but it does tell the service provider that this person is a valid UPEI person and provides a
persistent "name" code that is anonymized.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Below is how Gemini explained it:<o:p></o:p></span></p>
</div>
<div style="margin-left:30.0pt;margin-bottom:15.0pt;max-width:100%;min-width: 0px">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">So, while the service provider learned
<b>nothing</b> about your personal identity (not your name, role, or email), it learned
<b>everything</b> it needs to know about your institutional context.<o:p></o:p></span></p>
</div>
<div style="margin-left:30.0pt;margin-top:15.0pt;margin-bottom:15.0pt;max-width:100%;min-width: 0px">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">By accepting this SAML assertion, the service provider is implicitly saying: "I have received a digitally signed, unforgeable message from the official authentication authority
for UPEI, and that authority vouches for the fact that they have successfully authenticated one of their valid users."<o:p></o:p></span></p>
</div>
<div style="margin-left:30.0pt;margin-top:15.0pt;max-width:100%;min-width: 0px">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">This is the core of federated identity: authentication is handled entirely by the home institution. The service provider doesn't need to know
<i>who</i> you are, only <i>that</i> UPEI has confirmed you are a legitimate member of its community.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">However, almost all of the library providers I have dealt with so far to configure SSO authentication have required us to take extra steps to provide them with more specific "attributes"
like "eduPersonScopedAffiliation", and sometimes even PII (personally identifiable information) including first and last name and email address.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">The vendor could use that persistent "pseudonym" code allow this specific UPEI user to create whatever kind of personalized account services (eg saving searches) that vendor's platform
has.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">So it seems to my suspicious mind that our vendors are taking advantage of the move towards SSO to get from us far more user-specific data than they actually need to provide the
services we are paying for. They didn't have a problem for decades with providing their content to users who offered nothing more than our Ezproxy server's IP address. But suddenly they "need" PII to provide that same access?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Is anyone/any library organization pushing back on this? What can we librarians do? Do we have to work with our IT depts to convince them to get their SAML/SSO providers (like
Microsoft for Azure) to include more anonymizing options so we can send fake names and email addresses when our vendors demand them?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">I would guess that the European institutions have already been able to solve this, given the GDPR (which we in North America badly need too). How did you do it? What did you say
to the vendors? Are there any "magic words" to get them to admit they don't need all those attributes they are demanding from us?<o:p></o:p></span></p>
</div>
<div id="Signature">
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#202124;background:white">Melissa Belvadi</span><span style="font-family:"Calibri",sans-serif;color:black">
</span><o:p></o:p></p>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#202124">Collections Librarian<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#202124">University of Prince Edward Island<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#202124"><a href="mailto:mbelvadi@upei.ca">mbelvadi@upei.ca</a> 9</span><span style="font-size:9.5pt;font-family:"Arial",sans-serif;color:#202124">02-566-0581</span><span style="font-family:"Arial",sans-serif;color:#202124"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:9.5pt;font-family:"Arial",sans-serif;color:#202124">ORCID iD: 0000-0002-4433-0189<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#202124">my
<a href="https://outlook.office365.com/owa/calendar/0fbab27c909e4493be65313bd66d66b6@upei.ca/5fa60af92c6d451c9ddf90c0bb11e00f15552192987609852692/calendar.html" target="_blank" title="https://outlook.office365.com/owa/calendar/0fbab27c909e4493be65313bd66d66b6@upei.ca/5fa60af92c6d451c9ddf90c0bb11e00f15552192987609852692/calendar.html">
public calendar</a><o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#202124;background:white">My pronouns are
</span><span style="font-size:10.5pt;font-family:"Nirmala UI",sans-serif;color:#1F1F1F">ಅವರು</span><span style="font-size:10.5pt;font-family:Roboto;color:#1F1F1F">/</span><span style="font-size:10.5pt;font-family:"Nirmala UI",sans-serif;color:#1F1F1F">ಅವರನ್ನು</span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#202124;background:white">My emails are sent during the hours that I work and I understand that you will respond during the hours that you work.</span>
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#202124"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black;background:white">Make an appointment: Use YouCanBookMe
<a href="https://mbelvadi.youcanbook.me/">https://mbelvadi.youcanbook.me/</a><br>
or for other MS365 / Outlook users, including UPEI people:</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<table class="MsoNormalTable" border="0" cellpadding="0" id="x_x_pbpsiglinktable">
<tbody>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><a href="https://outlook.office.com/bookwithme/user/0fbab27c909e4493be65313bd66d66b6@upei.ca?anonymous&ismsaljsauthenabled&ep=bwmEmailSignature"><span style="text-decoration:none"><img border="0" width="20" height="20" style="width:.2083in;height:.2083in" id="Picture_x0020_1" src="cid:image001.png@01DC5233.B6B5A6C0"></span></a><o:p></o:p></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt"></td>
<td style="padding:.75pt .75pt .75pt .75pt">
<div>
<p class="MsoNormal"><span style="color:#0078D4"><a href="https://outlook.office.com/bookwithme/user/0fbab27c909e4493be65313bd66d66b6@upei.ca?anonymous&ismsaljsauthenabled&ep=bwmEmailSignature"><span style="color:#0078D4;text-decoration:none">Book time to meet
with me</span></a><o:p></o:p></span></p>
</div>
</td>
<td style="padding:.75pt .75pt .75pt .75pt"></td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>