Access to online library resources can be quite complex. Patrons normally have easy access when signed on to a campus network but when working from other locations — as modern work patterns often demand — the same patrons are increasingly asked to ‘log in to their institution’. This process can release identifying information.
Known as federated authentication, delivering Single Sign On (SSO), this process, if not configured correctly, is at odds with the responsibility of libraries to protect their patrons’ privacy.
In order to preserve patron privacy, while also making the configuration and management of federated SSO connections easier for both libraries and publishers, LIBER’s FIM4L Working Group has drafted 10 Implementation Principles for SSO.
The principles drafted by the group are now open for public comment.
In the guidelines, we refer to three parties typically involved in SSO access to online library resources:
- The patron – the person seeking access to content
- The service provider – the organization granting access
- An identity provider – the patron’s home organisation, which authenticates their identity and releases attributes to the service provider to check if the patron is genuinely allowed access.
Recommendations for Attribute Release
Our draft guidelines recommend three configurations libraries can choose for release of authentication attributes to service providers:
- An identifier that changes with every visit to a service provider. This ensures maximum privacy but means personalised features can’t be offered and misconduct is difficult to trace.
- A persistent pseudonymous identifier that is generated for each service provider and is used on each return visit. Returning patrons can be recognized and access personalised features but their real identity can stay private if they choose so. If a patron wants to add personal information to their user profile, that should be entirely optional and be offered after the patron has signed in. Patrons should also be able to opt-out of personalised features.
- Additional non-identifiable Information. Information passed from the identity provider should only be released if necessary and should be generic (e.g., “X patron is a student at X institution”).
Share Your Thoughts
Please read our full draft guidelines and share feedback by 31 May. Your comments will help us create a final set of recommendations which libraries can use to give patrons seamless access while preserving privacy as much as possible.