Libraries have long used IP-based access to grant access to online publisher resources. However, several developments mean this access model is no longer sufficient:
- Users increasingly require access from ‘any location’;
- Libraries and publishers want more granular control over access to target abuse (only block the abusing user instead of the whole library or institution);
- Libraries want more control to allow access for only certain groups or faculties when access for everyone is not an option (e.g., for discipline-specific resources). This allows for smarter (cheaper) contracts.
- Publishers want to be able to offer a more personalized experience to users;
- Libraries and users find VPN technology to be time-consuming and complex.
In order to solve this, most parties have agreed that federated authentication with Single Sign-On (SSO) is the way forward. Using SSO, a user logs in with an identity that allows an institution to testify whether he/she has a certain relationship with them. This is expressed in the form of attributes, which can be used to check whether someone should be allowed access. However, there are still a number of issues that stand in the way of widespread adoption of SSO:
- For publishers and libraries:
- It is complex and expensive when publishers and libraries need to negotiate each and every time about what attributes to release.
- Misunderstanding, miscommunication, and/or misconfiguration:
- Some libraries are unfamiliar with the options federated technology offers for combining easy, secure access while preserving privacy.
- Providers of attributes sometimes don’t release the correct set or correct values, causing problems in accessing resources.
- Service Providers sometimes request more attributes than necessary/providers sometimes (agree to) release more attributes than strictly necessary, hurting the privacy of the user.
- The way federated authentication is offered by the various publishers differs greatly.
- This results in confusion for end-users.
- There are many different situations:
- Some publishers want to receive none or hardly any personal data, while in some cases parties agree that their specific scenario requires some extra attributes to be released. Guidance on common scenarios and what to do could help.
All of the above can lead to challenges for libraries when considering what their policy should be and can also lead to various discussions and delays in the contractual phase.