Browser developments and IP-address authentication – the impact on research libraries

Many university libraries rely on IP-address-based authentication for accessing their databases and other e-resources. Current developments in browsers to preserve privacy may cause IP address authentication to fail. The developments will also have an impact on federated authentication via SAML. This article gives important information to help libraries prepare for potential disruptions to authentication procedures. 

This blog post is brought to you by the LIBER FIM4L Working Group.  

What changes are planned? 

The main browsers, including Google Chrome and Mozilla Firefox, are taking privacy measures to protect users from tracking.  Two important browser privacy measures are now planned: 

1. Masking of IP addresses
   Effect on libraries: IP-address based access. 

1. Phasing out third-party cookies in the coming years.
   Effect on libraries: federated access.

Masking IP Addresses 

The masking of IP addresses is important for university libraries because many of them rely on IP-address-based access to their databases and other e-resources. 

If browser vendors mask IP addresses for all websites by default, this could have a huge impact on libraries. The Apple Safari browser already supports this functionality, but it must currently be switched on deliberately to make it active. The upcoming Chrome browser version 118 lists:  

“As early as Chrome 118, Chrome may route traffic for some network requests to Google-owned resources through a privacy proxy. This is an early milestone in a larger effort to protect users’ identities by masking their IP address from known cross-site trackers”. (Google Support)

Libraries should therefore be wary of this development and prepare for its introduction. 

If a university provides on-campus access based on IP-address recognition and a person visits a publishers’ website, the publisher normally sees the IP address of the person’s browser and provides access to the licensed content. When the browser hides its IP address, the publisher won’t allow access. 

Proxy servers will not be affected, however. A proxy server therefore may become an important solution for libraries to provide access to e-resources based on IP-address authentication.  

Phasing out third-party cookies 

The potential phasing out of third-party cookies affects federated access (also called Shibboleth or Single Sign-On) based on the SAML standard. The impact on libraries is limited. 

The phasing out will affect mainly the log-out and WAYF functionality, as the browser doesn’t know your “logged-in” status at other websites, causing you to see the login prompt more often.  

Because of the global impact, browser vendors – together with other stakeholders – will care for federated access functionality.  

A new browser API for federated access called FedCM (Federated Credential Management) is being developed by a W3C Working Group, published on GitHub. FedCM is already available in recent Chrome and Edge browsers. When FedCM becomes a default, service and identity providers like universities can enable this API to gain a better user experience for federated access. 

Where can I find out more?

More useful resources can be accessed through: 

• A blogpost by OpenAthens, a Shibboleth provider who is also watching browser developments, including links to more resources: https://www.openathens.net/blog/stay-ahead-of-browser-level-privacy-changes/ (August 23rd, 2023) 
• A presentation by OCLC during their event ‘Myths and Facts about EZproxy, FedCM, and Browser Changes’. With links to more resources: Myths and Facts about EZproxy, FedCM, and Browser Changes (May 23rd, 2023) 

Would you like to keep on top of the latest developments in federated access in research libraries? Join the LIBER FIM4L Working Group today!  

[Photo by Sigmund on Unsplash]