FIM4L Working Group

FIM4L Working Group Invites Comments on Recommendations for SSO Connections with Publishers

Posted: 02-03-2020

Access to online library resources can be quite complex. Patrons normally have easy access when signed on to a campus network but when working from other locations — as modern work patterns often demand — the same patrons are increasingly asked to ‘log in to their institution’. This process can release identifying information.

Known as federated authentication, delivering Single Sign On (SSO), this process, if not configured correctly, is at odds with the responsibility of libraries to protect their patrons’ privacy.

In order to preserve patron privacy, while also making the configuration and management of federated SSO connections easier for both libraries and publishers, LIBER’s FIM4L Working Group has drafted 10 Implementation Principles for SSO.

The principles drafted by the group are now open for public comment.

Please share your comments on the guidelines. We have set up an online platform for public comment. A PDF of the guidelines is also available, and comments can be emailed to the LIBER Office.

In the guidelines, we refer to three parties typically involved in SSO access to online library resources:

  • The patron – the person seeking access to content
  • The service provider – the organization granting access
  • An identity provider – the patron’s home organisation, which authenticates their identity and releases attributes to the service provider to check if the patron is genuinely allowed access.

Recommendations for Attribute Release

Our draft guidelines recommend three configurations libraries can choose for release of authentication attributes to service providers:

  • An identifier that changes with every visit to a service provider. This ensures maximum privacy but means personalised features can’t be offered and misconduct is difficult to trace.
  • A persistent pseudonymous identifier that is generated for each service provider and is used on each return visit. Returning patrons can be recognized and access personalised features but their real identity can stay private if they choose so. If a patron wants to add personal information to their user profile, that should be entirely optional and be offered after the patron has signed in. Patrons should also be able to opt-out of personalised features.
  • Additional non-identifiable Information. Information passed from the identity provider should only be released if necessary and should be generic (e.g., “X patron is a student at X institution”).

Share Your Thoughts

Please read our full draft  guidelines and share feedback by 31 May. Your comments will help us create a final set of recommendations which libraries can use to give patrons seamless access while preserving privacy as much as possible.

Related news articles