Alumni Authentication… Explained
Robert Scaysbrook – OpenAthens UK Account Manager
www.eduserv.org.uk/openathens
What are the available solutions for access management?
1. IP authentication – IP address registered with service provider
2. Proxy server – Uses IP authentication
3. Publisher issued username & password – Individual or group login
4. Referrer URL – Issued by publisher, tracks previous visited website
5. OpenAthens or Shibboleth – SAML (Security Assertion Markup Language) based authentication
Which solutions work best for alumni authentication?
IP authentication and proxy servers
✓ Easy/simple to register IP
✓ Most publishers support this approach
× Technical overhead (proxy server)
× No granularity e.g. user categories
× All users anonymous to publisher
× Off-site access can be difficult
× Low-level security
Publisher issued username/password or referrer URL
✓ Most publishers support this approach
✓ Easy/simple to set up
✓ No technical overhead
× Multiple login details
× Lack of Single Sign-On (SSO)
× Very low-level security – Encourages password sharing
× Browser incompatibility (referrer URL)
OpenAthens/Shibboleth
✓ Most publishers support this approach
✓ High-level security – Industry standard (SAML)
✓ Granularity down to individual user
✓ Pass “Alumni” attribute to publisher
× Varying technical overhead
× Not always implemented the same across publishers
Ranking
1. OpenAthens/Shibboleth – Most secure, Alumni specific functionality
2. IP authentication/proxy server – Much less secure, difficult to configure for Alumni
3. Publisher username/password and referrer URL – Lowest security, no SSO capability
Challenges
• Federated (SAML) authentication requires publishers to fully support attribute release
• Shibboleth/OpenAthens LA require Alumni to exist within Active Directory indefinitely
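Added example, not part of the presentation and not OpenAthens or publisher code: what the first challenge looks like on the publisher side, where an access decision can only distinguish alumni if the affiliation attribute is actually released. It assumes alumni status arrives as the value "alum" in eduPersonScopedAffiliation and that the assertion's signature and conditions were verified earlier; the function names and the example.ac.uk scope are hypothetical.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: alumni status arrives in eduPersonScopedAffiliation (e.g. alum@scope).
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
CURRENT_MEMBERS = {"member", "student", "staff", "faculty", "employee"}


def affiliations(assertion_xml):
    """Affiliation values (scope stripped) from an already-verified assertion."""
    root = ET.fromstring(assertion_xml)
    found = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != SCOPED_AFFILIATION:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            text = (value.text or "").strip().lower()
            if text:
                found.add(text.split("@", 1)[0])
    return found


def access_decision(assertion_xml, licence_covers_alumni):
    """Return 'allow', 'deny', or 'no-attribute' if nothing usable was released."""
    found = affiliations(assertion_xml)
    if not found:
        return "no-attribute"  # publisher cannot tell alumni from anyone else
    if found & CURRENT_MEMBERS:
        return "allow"
    if "alum" in found:
        return "allow" if licence_covers_alumni else "deny"
    return "deny"


def sample_assertion(values):
    """Constructed, unsigned assertion used only to exercise the code above."""
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}"><saml:AttributeStatement>'
        f'<saml:Attribute Name="{SCOPED_AFFILIATION}">{vals}</saml:Attribute>'
        "</saml:AttributeStatement></saml:Assertion>"
    )


if __name__ == "__main__":
    for vals in (["alum@example.ac.uk"], ["staff@example.ac.uk"], []):
        print(vals, access_decision(sample_assertion(vals), licence_covers_alumni=False))
```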
New Alumni functionality for OpenAthens
• Permissive/restrictive mode
• Blocks unauthorized user authentication
• Manage Alumni through permission sets
• Removes reliance on publisher implementation
Conclusions
• Secure authentication for alumni is possible
• The access management community should lobby publishers to implement the SAML protocol fully – UK Access Management Federation “town hall” meetings
• Access management needs are changing – software development should focus on these requirements
Thank you
• Report: Librarians Experiences and Perceptions of Identity and Access Management: http://www.eduserv.org.uk/openathensreport2015
• [email protected]