Federated Identity Management for Libraries (FIM4L) - Draft Guidelines & Recommendations

Discussion period: 07 Feb to 31 May (closed)

Access to online library resources can be quite complex. Patrons normally have easy access when signed on to a campus network but when working from other locations — as modern work patterns often demand — the same patrons are increasingly asked to ‘log in to their institution’. This process can release identifying information.

Known as federated authentication, delivering Single Sign On (SSO), this process, if not configured correctly, is at odds with the responsibility of libraries to protect their patrons’ privacy.

In order to preserve patron privacy, while also making the configuration and management of federated SSO connections easier for both libraries and publishers, LIBER’s FIM4L Working Group has drafted 10 Implementation Principles for SSO. The principles drafted by the group are now open for public comment.

Please read our full draft guidelines and share your feedback by 30 April 2020. Your comments will help us create a final set of recommendations which libraries can use to give patrons seamless access while preserving privacy as much as possible. You can comment here or email feedback to liber@kb.nl.

AARC

Authentication and Authorization for Research Collaborations, a project funded by the European Union's Horizon 2020 research and innovation programme under Grant Agreements 653965 and 730941. AARC established a Blueprint Architecture for deploying FIM technologies in research infrastructures, together with guidelines on the related technical and policy matters.

Authentication

The process of verifying the identity of a user, process or device, or the ability of a user to access an account; often, but by no means exclusively, by means of a username and password.

Authorization

The process of verifying against a set of access controls whether an account is authorized to access a given service or resource.

eduGAIN

eduGAIN enables the trustworthy exchange of identity information between federations without many bilateral agreements. It reduces the cost of developing and operating services, improves the security and end-user experience of services, enables service providers to greatly expand their user base and enables identity providers to increase the number of services available to their users. On the cost of operating services: a resource provider that updates its metadata can submit it to just one federation, which propagates it to eduGAIN, instead of contacting many national federations separately; on the federation side, consuming updated metadata from eduGAIN carries no maintenance cost, which is undoubtedly an advantage. See AARC and eduGAIN: expanding access to online resources for students, teachers and researchers, How to reach global customers with Federated Identity Management and How to Join eduGAIN as Service Provider for more details.

Federated Authentication

The mechanism by which an identity provider, such as a home organization, indicates to one or more service providers that the user has been authenticated and may be authorized by the service provider to access relevant resources.

Federated Identity

A digital identity which is asserted by one system (an identity provider) which may be consumed by other systems (service providers) by means of federated authentication.

Federation

A federation is an association of organizations that agree to exchange information as appropriate about their users and resources in order to enable collaborations and transactions such as user authentication.

Identity Provider (IdP)

An organization that manages digital identities and issues authentication assertions and potentially other attributes to Service Providers.

Identity Provider (IdP) Persistence

The storage and re-use of a previous IdP choice made during an identity provider discovery process.

IP address-based Authorization

A method where an SP and a home organization have agreed that every request coming from a range of network/Internet Protocol (IP) addresses associated with the home organization is authorized for the services provided by the SP.
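As an added illustration (not code from FIM4L or from any library platform), the following Python shows the check an SP performs for IP address-based authorization, together with the decision that has to precede it: which address to check. The ranges, the proxy address and the sample requests are constructed from documentation address space; the trusted-proxy handling of X-Forwarded-For is an assumed deployment detail, not something the definition above specifies.

```python
"""IP address-based authorization at an SP, plus the choice of which address
to check.

Added illustration, not code from FIM4L or any library platform. The address
ranges and proxy address are constructed documentation-range values.
"""
import ipaddress

# Constructed: the ranges the home organization registered with the SP.
CAMPUS_RANGES = ["192.0.2.0/24", "2001:db8:1::/48"]
# Constructed: the SP's own reverse proxy, the only peer allowed to set
# X-Forwarded-For (assumed deployment detail).
TRUSTED_PROXIES = {"203.0.113.10"}


def parse_ranges(cidrs):
    """Parse the registered ranges once; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_authorized(client_ip, ranges):
    """True if client_ip lies in a registered range; malformed input is denied."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except (ValueError, AttributeError):
        return False
    # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d; unwrap so
    # the IPv4 ranges still match.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in ranges)


def effective_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Return the address that the authorization decision is made on.

    X-Forwarded-For is attacker-controlled unless the TCP peer is a proxy we
    run, so it is honoured only then, and only the right-most hop that was
    not added by one of our own proxies is used.
    """
    if remote_addr not in trusted_proxies or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr


def authorize_request(remote_addr, x_forwarded_for, ranges,
                      trusted_proxies=TRUSTED_PROXIES):
    """The per-request decision as the SP would make it."""
    client = effective_client_ip(remote_addr, x_forwarded_for, trusted_proxies)
    return is_authorized(client, ranges)


if __name__ == "__main__":
    ranges = parse_ranges(CAMPUS_RANGES)
    # Campus client connecting directly: authorized.
    print(authorize_request("192.0.2.77", None, ranges))
    # Off-campus client forging the header on a direct connection: denied.
    print(authorize_request("198.51.100.5", "192.0.2.77", ranges))
    # Campus client reaching the SP through its own proxy: authorized.
    print(authorize_request("203.0.113.10", "192.0.2.77, 203.0.113.10", ranges))
```

The point the definition leaves implicit is that the agreement covers the address the connection actually came from. A client-supplied X-Forwarded-For header only identifies the client when it was added by a proxy the SP itself operates, which is why the example honours it solely when the TCP peer is one of those proxies; a request that bypasses the proxy is judged on its own source address, and the forged header in the second sample request changes nothing.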

Multilateral Identity Federation

A form of identity federation where a trusted third party registers and publishes all entity metadata to all members, preventing the need for bilateral agreements between an IdP and SP.

REFEDS R&S

The REFEDS Research and Scholarship Entity Category (R&S) has been designed as a simple and scalable way for Identity Providers to release minimal amounts of required personal data to Service Providers serving the Research and Scholarship Community. Candidates for the Research and Scholarship (R&S) category are Service Providers that are operated for the purpose of supporting research and scholarship interaction, collaboration or management, at least in part. Example Service Providers may include collaborative tools and services such as wikis, blogs, project and grant management tools that require some personal information about users to work effectively. This entity category should not be used for access to licensed on-line resources as described in the category definition. For more details see REFEDS documentation.
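As an added illustration, not code from REFEDS, FIM4L or any federation software: the following Python reads a constructed metadata aggregate, finds which SPs the registrar has tagged with the R&S entity category, and releases the R&S attribute bundle only to them, while an untagged SP (here a hypothetical publisher) receives an assumed minimal bundle. The entity-category attribute name, the R&S value and the R&S bundle follow the published REFEDS specification; the metadata fragment, the user record and the minimal bundle are assumptions made for this example.

```python
"""Attribute-release decision driven by entity categories in SP metadata.

Added illustration, not code from FIM4L, REFEDS or any federation software.
The entity-category attribute name, the REFEDS R&S value and the R&S bundle
follow the published specification; the metadata aggregate, the user record
and the minimal bundle for a licensed-resource SP are constructed assumptions.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
REFEDS_RS = "http://refeds.org/category/research-and-scholarship"

# The R&S bundle as defined by REFEDS: a shared identifier, a name, mail and
# (optionally) a scoped affiliation.
RS_BUNDLE = frozenset({"eduPersonPrincipalName", "mail", "displayName",
                       "givenName", "sn", "eduPersonScopedAffiliation"})
# Assumed minimal bundle for an SP that only needs to know the user is a
# current member of the institution, such as a licensed-content provider.
MINIMAL_BUNDLE = frozenset({"eduPersonScopedAffiliation"})

# Constructed aggregate: one R&S collaboration tool and one publisher SP
# without any entity category. Categories are asserted by the federation
# registrar, so in production read them only from federation-published,
# signature-verified metadata, never from metadata an SP supplies itself.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://wiki.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://publisher.example.com/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed user record as the IdP might hold it.
SAMPLE_USER = {
    "eduPersonPrincipalName": "jdoe@example.edu",
    "mail": "jane.doe@example.edu",
    "displayName": "Jane Doe",
    "eduPersonScopedAffiliation": "member@example.edu",
    "employeeNumber": "00123",
}


def entity_categories(entity_descriptor):
    """Set of entity-category values declared on one EntityDescriptor."""
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    cats = set()
    for attr in entity_descriptor.findall(path, NS):
        if attr.get("Name") != ENTITY_CATEGORY:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                cats.add(value.text.strip())
    return cats


def sp_categories(metadata_xml):
    """Map each SP entityID in an aggregate to its declared entity categories."""
    root = ET.fromstring(metadata_xml)
    sps = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.find("md:SPSSODescriptor", NS) is not None:
            sps[ed.get("entityID")] = entity_categories(ed)
    return sps


def release_bundle(categories):
    """The R&S bundle only for SPs carrying the R&S category; otherwise minimal."""
    return RS_BUNDLE if REFEDS_RS in categories else MINIMAL_BUNDLE


def attributes_to_release(user, categories):
    """Filter the user's attributes down to the bundle the SP qualifies for."""
    allowed = release_bundle(categories)
    return {name: value for name, value in user.items() if name in allowed}


if __name__ == "__main__":
    for entity_id, cats in sp_categories(SAMPLE_METADATA).items():
        print(entity_id, "->", sorted(attributes_to_release(SAMPLE_USER, cats)))
```

Because entity categories are asserted by the federation registrar, the decision is only as good as the metadata it reads: load the federation's signed aggregate, verify the signature before trusting the tags, and never accept metadata an SP supplies about itself. Otherwise an SP could self-assert R&S and obtain the larger bundle, which defeats the purpose of keeping the release minimal. Note also that the employeeNumber in the sample record is released to neither SP, since it belongs to no bundle.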

Service Provider (SP)

An organization that makes online resources available to users based in part on information, in particular authentication assertions, from IdPs.

Single Sign On (SSO)

The ability of a user to access multiple discrete systems or sets of resources with a single set of access credentials. This is often achieved by the mechanism of Federated Authentication.

Web Storage[7]

A facility that lets web applications store data locally within the user's browser. Before HTML5, application data had to be stored in cookies, which are included in every request to the server. Browser local storage avoids sending the data to the server with each request (which is what cookies do).

Security Assertion Markup Language (SAML)[8]

A standards-based approach to federated or single sign-on (SSO) authentication. Many interoperable open source and commercial implementations of SAML are available.

Footnotes

7. Web Storage (Second Edition). World Wide Web Consortium. 19 April 2016. https://www.w3.org/TR/2016/REC-webstorage-20160419

8. https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

Background

Discussion on Introduction of an Entity Category for Library Services (see the comments for the latest thinking/argument)
