Access to Online Resources: A Guide for the Modern Librarian
Kristina Botyriute
Photographs by Danielle Mac Innes, Edward Borton, Phil Coffman, Kristina Botyriute, Kai Oberhäuser, Pavan Trikutam, Angelika Levshakova, Philipp Berndt, Antonina Bukowska, Riciardus, Jakob Owens, Margarida C Silva, Clem Onojeghuo, Michał Parzuchowski, Daria Nepriakhina, Anastasia Petrova, Antonio Lapa, Tim Gouw, Marc Wieland, rawpixel.com, Jessica Furtney, David Marcu. Hand drawn illustrations by Ieva Botyriute.
© The Editor(s) (if applicable) and The Author(s) 2018. This book is an open access publication.
Open Access This book is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits
use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to
the Creative Commons license and indicate if changes were made.
The images or other third party material in this book are included in the book’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is
not included in the book’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain
permission directly from the copyright holder.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such
names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the
publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.
The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Cover Illustration: Front cover photograph by Ashley Batz; back cover photograph by Jill Heyer
This Springer imprint is published by the registered company Springer International Publishing AG part of Springer Nature.
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Helping you get the most out of life by helping you get the most out of technology.
Eduserv
Contents

01 Introduction
02 Authentication and Authorisation
   How it works
   Before we start
   ... You ...
   ... and Them
   Key concepts
04 IP address recognition
   On and offsite
   Remote access: local build vs cloud based
   Security considerations
   Key concepts
   Federation
   Key concepts
   OpenID Connect
06 Open Authorisation 2.0
© The Editor(s) (if applicable) and The Author(s) 2018
K. Botyriute, Access to Online Resources, https://doi.org/10.1007/978-3-319-73990-8_1
Introduction

"Access management is a very complicated beast", concluded one of my customers at the end of a lengthy support call. This might indeed reflect how many librarians feel these days but it doesn't need to be! After reading this book, you will be able to skillfully navigate the maze of online access management technologies and decide what serves your library's needs best.

According to Gartner IT Glossary (2012), "identity and access management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons." Simply put, it is making sure your users are who they say they are and only have access to what you want them to have access to. In addition to preventing unauthorised parties from exploiting your organisation's resources, IAM technologies can help manage subscriptions to online resources where cost is based on the number of users accessing protected content. Some publishers charge for every single user, in which case you will want to make sure you have an up-to-date list of individuals who need this resource as well as ensure appropriate permissions are in place. This is particularly relevant to small libraries where the budget is limited.

As an international technical pre-sales consultant for OpenAthens, I frequently speak to librarians from all over the world. The sheer number of technologies a typical librarian deals with on a daily basis is astonishing. Often they are expected to learn on the job, which can be stressful in a busy environment, especially if communication between the library and the IT department is poor.

The following chapters are written for knowledge workers who are involved with managing access to digital content online and cannot afford the time to read book after book of technical material to make sense of all the nuts and bolts that make up IAM. I have covered all the main concepts in this book.
Jane and Ben

Monday morning. Electronic resources librarian Jane makes herself a cup of coffee, sits down at her desk and types in her username and password into the login screen. Instantly, the computer sends these credentials to a central place - the directory, where all organisational accounts are listed. The most popular of these is Microsoft's Active Directory but on a rare occasion you may be dealing with alternatives such as OpenLDAP, Univention (UCS), ApacheDS or even the futuristic concept of Directory-as-a-Service. So what happens when Jane's credentials reach the directory? The server checks if Jane is a registered user and if the password is correct. If so, she is authenticated into the system.

Jane opens the shared drive to find some reports but accidentally clicks on the 'HR' icon, causing a warning message to appear advising she does not have permission to access this folder. She then clicks on 'Reports' as initially intended and it opens. This is an authorisation decision influenced by a variety of security policies in Jane's organisation, determining specific permissions for each user or user group.

In the context of accessing digital resources online, authentication and authorisation may occur a number of times before users are presented with the content they are trying to access.

Ben is a chemistry student who has found an interesting article on ScienceDirect (sciencedirect.com). In order to read the full article, Ben must sign into the website. He knows his university has access to content on this website and selects the 'Sign in via your Institution' option. The following sequence of events may sound like a long intricate process but in reality it gets executed in a split second:

First, a form for credentials is displayed and as soon as Ben enters his details, his organisation authenticates him as a valid user.

Then, Ben's institution passes a small set of information to ScienceDirect. This set includes details about Ben as well as his university and is used by the publisher to carry out authentication against the list of subscribing organisations. We can think of it as a second round of the same process, only now on the provider's end.

Lastly, the university is verified to have a valid subscription and authentication is successful, however the article of interest is published in a journal his institution has not yet bought access to and the authorisation fails.

Ben sets off to his university's library to discuss his options...

KEY POINTS
Authentication validates the user's identity. Who are you?
Authorisation checks what permissions the user has. What can you access?
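The two stories above, Jane's directory login and shared-drive permissions and Ben's two-round publisher check, as an added worked example (this is not code from the book, and the directory, folder policy, subscriber list, account names and passwords are all constructed for illustration):

```python
import hashlib
import hmac

# Constructed stand-in for the organisation's directory (Active Directory, OpenLDAP, ...).
# It stores a salted password hash per account, never the password itself.
_SALT = b"constructed-demo-salt"  # a real directory uses a random salt per account


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


DIRECTORY = {
    "jane": {"salt": _SALT, "hash": _hash_password("correct-horse", _SALT),
             "groups": {"staff", "library"}},
    "ben":  {"salt": _SALT, "hash": _hash_password("chem1stry!", _SALT),
             "groups": {"student", "chemistry"}},
}

# Authorisation policy for the shared drive: folder -> groups allowed to open it.
FOLDER_POLICY = {
    "HR": {"hr"},
    "Reports": {"library", "finance"},
}

# Constructed publisher-side subscriber list: institution -> journals it has bought.
PUBLISHER_SUBSCRIPTIONS = {
    "example-university": {"Journal of Constructed Chemistry"},
}


def authenticate(username: str, password: str) -> bool:
    """Authentication: 'Who are you?' True only if the account exists and the
    password matches the stored hash (constant-time compare avoids timing leaks)."""
    entry = DIRECTORY.get(username)
    if entry is None:
        _hash_password(password, _SALT)  # same cost for unknown names, no user enumeration by timing
        return False
    return hmac.compare_digest(entry["hash"], _hash_password(password, entry["salt"]))


def authorise_folder(username: str, folder: str) -> bool:
    """Authorisation: 'What can you access?' Decided from the user's groups and the
    folder policy; called only after authenticate() has succeeded."""
    groups = DIRECTORY[username]["groups"]
    return bool(groups & FOLDER_POLICY.get(folder, set()))


def institution_assertion(username: str, institution: str) -> dict:
    """What Ben's institution passes to the publisher: a small set of facts about
    the user and the institution. The password never leaves the directory."""
    return {"user": username, "institution": institution,
            "affiliation": sorted(DIRECTORY[username]["groups"])}


def publisher_decision(assertion: dict, journal: str) -> str:
    """Publisher side, second round: recognise the institution against the
    subscriber list, then authorise the specific journal."""
    subs = PUBLISHER_SUBSCRIPTIONS.get(assertion.get("institution"))
    if subs is None:
        return "denied: institution is not a subscriber"
    if journal not in subs:
        return "denied: authenticated, but no subscription to this journal"
    return "granted"


if __name__ == "__main__":
    if authenticate("jane", "correct-horse"):
        print("Jane -> HR:", authorise_folder("jane", "HR"))            # False
        print("Jane -> Reports:", authorise_folder("jane", "Reports"))  # True
    if authenticate("ben", "chem1stry!"):
        a = institution_assertion("ben", "example-university")
        print(publisher_decision(a, "Journal of Constructed Chemistry"))   # granted
        print(publisher_decision(a, "Annals of Constructed Medicine"))     # denied: authenticated, but ...
```

Note that the publisher never sees Ben's password: the assertion carries only the facts the institution chose to release, and the publisher's two checks (is this a subscriber? does the subscription cover this journal?) are both authorisation decisions made on its own records.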
Before we go ahead, we need to make friends with one concept. A PROTOCOL is a big scary word, often used by IT guys to scare people off so they don't have to work as much (I am joking, of course). My personal, if somewhat geeky, opinion is that everything boils down to a protocol. I will explain.

A Shopping Protocol, ASP.

One must walk into a shop, collect items into a trolley or a shopping basket and either self-checkout or go to the till to pay. Whilst there may be a variation in customers' choice of items, container and the method of checkout, ultimately the procedure is to collect items, pay and leave. Any other way to obtain goods from the shop is non-standard and usually unsupported by law.

Essentially, a protocol is a set of rules designed to make our life easier. The sequence of events may vary in length and execution depending on who is doing the shopping but the rules of the protocol enable a clear goal, path and outcome.

What about online shopping? Well, this would be ASP 2.0.

An important thing to note though is that a higher version of something does not always guarantee an improvement - sometimes it is just another way of achieving the same result.

With that in mind, let's go ahead and explore the most common authentication and authorisation methods that protect digital content online today.
What is HTTP?

HTTP stands for Hyper Text Transfer Protocol. It is a set of rules for transferring files on the World Wide Web. When you open your browser and type in an address, you are really saying: 'GET me this web page!'. Collaborating with a number of other protocols, HTTP fetches you the page and serves it up on the screen.

POST https://www.any_internet_store.com/Login

Web based authentication has many flavours and what we know as 'username and password' uses three of them: HTTP Basic Authentication, HTTP Digest Authentication and HTTP(S) Forms Authentication. There is a lot more to this simple method than meets the eye and we will delve right into what happens behind the scenes.
HTTP Basic Authentication

HTTP Basic Authentication is the oldest username and password authentication method there is. It dates back to 1989, when Sir Tim Berners-Lee invented the World Wide Web. It works like this: a user types in credentials and from then on they must be passed to the website each time the user's actions result in a request for any new content to be displayed. Remember GET? This is it! When content is < ... >

Needless to say, due to its age HTTP Basic Authentication has major security flaws. As you have already noticed, the example links on the left are passing the username and password in clear text. This authentication method supports base64 encoding too but it doesn't make it more secure as the text can be decoded in seconds using online tools. Can you guess what is encoded in this link?
HTTP Digest Authentication

This is a more secure version of HTTP Basic Authentication. From the user's perspective everything looks the same (real life example of BA, as promised):

[Screenshot: a browser "Authentication Required" dialog asking for a username and password, with a Cancel button]

MD5 (Message Digest 5) is the default algorithm used for HTTP Digest.

Upon a (hopefully brief) encounter with Digest Authentication, my best advice is to note what the creators themselves said about the method: "The Digest Access Authentication scheme is not intended to be a complete answer to the need for security in the World Wide Web. This scheme provides no encryption of message content. The intent is simply to create an access authentication method that avoids the most serious flaws of Basic Authentication." (Leach et al., 1999)

[Caption: base64 can be decoded using tools freely available online]
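The two previous sections, Basic and Digest, side by side as an added example (not code from the book): the Basic header decodes straight back to the username and password, while the Digest header carries only an MD5 response computed from the password and a server nonce, so the password itself is never on the wire. The realm, user, password and nonces are constructed; the Digest computation follows the RFC 2617 scheme with qop=auth.

```python
import base64
import hashlib
import hmac
import re
import secrets

# --- HTTP Basic -------------------------------------------------------------

def basic_header(username: str, password: str) -> str:
    """What the browser sends on every request once Basic credentials were entered."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value: str):
    """base64 is an encoding, not encryption: anyone who can read the header
    (proxy log, packet capture without TLS) gets username and password back."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# --- HTTP Digest (RFC 2617 style: MD5, qop=auth) ----------------------------

def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(username, password, realm, method, uri, nonce, nc="00000001", cnonce=None):
    """Client side: prove knowledge of the password without sending it."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(username, password, realm, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_params(header_value: str) -> dict:
    scheme, _, params = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {key: quoted if quoted else bare for key, quoted, bare in _PARAM.findall(params)}


def verify_digest(header_value: str, method: str, password_lookup) -> bool:
    """Server side: recompute the response from the stored password and compare in
    constant time. The server still needs the password (or MD5(user:realm:password))
    on file, which is one reason Digest is no real answer to the Basic problem."""
    p = parse_digest_params(header_value)
    password = password_lookup(p.get("username", ""))
    if password is None:
        return False
    expected = digest_response(p["username"], password, p["realm"], method, p["uri"],
                               p["nonce"], p["nc"], p["cnonce"], p.get("qop", "auth"))
    return hmac.compare_digest(expected, p.get("response", ""))


# Constructed demo credentials (not from any real site).
USERS = {"alice": "s3cret"}
REALM = "constructed-library"

if __name__ == "__main__":
    print(decode_basic(basic_header("alice", "s3cret")))   # ('alice', 's3cret')
    hdr = digest_header("alice", "s3cret", REALM, "GET", "/article/1", nonce="abc123")
    print("password visible in Digest header:", "s3cret" in hdr)   # False
    print("server accepts:", verify_digest(hdr, "GET", USERS.get))  # True
```

Because the response binds the HTTP method and URI, the same Digest header replayed against a different method or resource fails verification; what neither scheme does is protect the content of the page that comes back, which is why both belong behind HTTPS.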
HTTP(S) Forms Authentication

This method submits username and password to the server by power of POST. (Think of an envelope with a letter inside). It does so in clear text, however it is most commonly used with HTTPS for added security. (Think of an envelope with a magic seal on top). What is HTTPS? Hyper Text Transfer Protocol Secure. You know it's in use when you see this: [padlock icon in the address bar]

Forms authentication is incredibly popular and is the most widely adopted variant of username and password authentication. POST as a method is more secure than GET: it will never pass data in the address bar, it will not be cached or remain in the browser history. Still, it can be read if intercepted unless used in conjunction with HTTPS. To illustrate the process, I will attempt to access MAG Online Library.

POST to: https://www.magonlinelibrary.com/action/dologin

Username and Password do not match.

The result is an error message, as expected. Should my credentials have matched the records on the publisher's end, the code on the website would have changed to contain my username and password in the login form. This would then be used to redirect me to the post-login screen, print 'Hello, Test' and potentially load my personal profile for this website.

HTTPS forms authentication is a much better way to connect individual users to protected content than Basic or Digest Authentication. For one, the login form will look and behave as desired by the creator whilst the other two leave us stuck with a pop-up box and an ugly error 401 when things go south. Many publishers support forms authentication as an option for individual subscribers whilst institutional users are often encouraged to use federated access, covered later in this book.
Cookies!

"By continuing to use this site you consent to the use of cookies on your device as described in our cookie policy unless you have disabled them. You can change your cookie settings at any time but parts of our site will not function correctly without them" (ft.com)

Also known as HTTP entity authentication, cookies are different from username and password driven recognition. Much like real cookies, digital ones also enhance the quality of life - or in particular, user experience on the web. As I'm sure you will agree, we would struggle to find a website that does not make use of cookies in this day and age. So, what is this cookie?

A cookie is a small piece of text that stores information about your interaction with a website. If you clicked on the cookie policy hyperlink displayed in the notification at the top of this page, you would have been taken to one of the nicest cookie policy explanation pages I've come across so far. Not all publishers go to the trouble of explaining themselves in such detail and therefore it is worth familiarising yourself with how cookies work. According to Wright, Freedman and Liu (2008), "in contradiction to the claim that no information is sent from your computer to anybody outside your system, the majority of cookies are interactive (that is, the information is not only written to them but also read from them by the web servers you connect to)."

Session cookies will 'go out of date' as soon as the browser is closed or the session time is up. This means that if my aunt Mary was shopping for groceries for her Sunday roast and had a cart full of goodies, one unfortunate click on the red X at the top of the browser would render her cart empty when she navigates back to the site. Such an event would likely cause her some grief and perhaps this is one of the reasons why session cookies are not overly popular amongst online retailers. What if the browser was set to purposely deny session cookies? My aunt Mary would not be able to add any potatoes to her cart at all! Websites do not have a memory of their own and so she would be treated as a new visitor every time she opened a different page.

Persistent cookies are either stored in "jars" on your browser or on your device, in the hard drive. Being plain strings of text they cannot do anything on their own but are detectable by websites and serve as reminders of the visitor's language preference, bookmarks or theme selection. On rare occasions cookies would store the user's credentials which could result in auto-login, although from a security perspective this is not something that should be endorsed.
More about cookies ...

When a cookie is initially set, several very important parameters are specified: the cookie's name, expiry date, domain, session identifier and path.

NAME: Chocolate Chip Cookie
EXPIRY DATE: 03/2020
BRAND: Cookie Company
SESSION: first shopping today
PATH: 3rd aisle from the left

POST
cookies: accepted
Set-Cookie: euCookieNotice=accepted; domain=www.nature.com; path=/; expires=Mon, 02 Jul 2018 16:31:07 -0000;

Looks technical? Here's what it all means.

euCookieNotice=accepted; acknowledges my acceptance of cookies
domain=www.nature.com; means the cookie will only be valid here. If nature.com had any sub-domains, such as 'xyz.nature.com', then a separate cookie would have to be set for those. How would we set a cookie to include all sub-domains? '.nature.com'
path=/; means the cookie will apply to all pages on this domain, not just this particular one
expires=Mon, 02 Jul 2018 16:31:07 -0000; sets the cookie's lifetime to a year

As you will have already noticed, there is no session identifier. This means the cookie we've just analysed is not a session one. To check, simply close the browser and re-open again - did you see the cookie message appear at the top? Just for fun, I checked what else was set on my browser as soon as I got to the website. The list turned out to be quite extensive, containing both session and persistent cookies (yes, all of those folders, not just nature.com):

[Screenshot: the browser's cookie list for the visited site]

KEY POINTS
Cookies can significantly enhance user experience and some use of them is essential. Presenting users with a message that signifies acceptance of all cookies on the site is required by law in many countries.
Clear your cache and cookies if bothered by unsolicited ads (or install an advert blocking extension).
Check the cookie policy if not presented with an informational message - it is good fun and good practice to know who is interested in your activity online.
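The Set-Cookie attributes explained above, parsed and evaluated the way a browser would, as an added example (not code from the book). The nature.com cookie line is the one quoted on the page; the JSESSIONID session cookie is constructed, as are the host and path names used to exercise the matching rules.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# The persistent cookie analysed in the text, and a constructed session cookie
# (no Expires, so it lives only until the browser is closed).
PERSISTENT = ("euCookieNotice=accepted; domain=www.nature.com; path=/; "
              "expires=Mon, 02 Jul 2018 16:31:07 -0000")
SESSION = "JSESSIONID=c0ffee; path=/; HttpOnly; Secure"


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name, value and attributes (attribute names are
    case-insensitive). Max-Age is left out to keep the example short."""
    first, *attrs = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = first.partition("=")
    cookie = {"name": name, "value": value, "domain": None, "path": "/",
              "expires": None, "secure": False, "httponly": False}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            # RFC 6265: a leading dot is ignored, so .nature.com == nature.com
            cookie["domain"] = val.strip().lstrip(".").lower()
        elif key == "path":
            cookie["path"] = val.strip() or "/"
        elif key == "expires":
            exp = parsedate_to_datetime(val.strip())
            cookie["expires"] = exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
    return cookie


def is_session_cookie(cookie: dict) -> bool:
    """No expiry means the cookie dies when the browser closes."""
    return cookie["expires"] is None


def is_expired(cookie: dict, now: datetime) -> bool:
    return cookie["expires"] is not None and now >= cookie["expires"]


def domain_matches(cookie: dict, set_by_host: str, request_host: str) -> bool:
    """No Domain attribute: host-only, sent back only to the exact host that set it.
    Domain=nature.com (with or without the dot): nature.com and every sub-domain."""
    request_host = request_host.lower()
    if cookie["domain"] is None:
        return request_host == set_by_host.lower()
    d = cookie["domain"]
    return request_host == d or request_host.endswith("." + d)


def path_matches(cookie: dict, request_path: str) -> bool:
    p = cookie["path"]
    if request_path == p:
        return True
    return request_path.startswith(p) and (p.endswith("/") or request_path[len(p)] == "/")


def would_be_sent(cookie, set_by_host, request_host, request_path, now, https=True) -> bool:
    """Would the browser attach this cookie to a request for request_host/request_path?"""
    return (not is_expired(cookie, now)
            and domain_matches(cookie, set_by_host, request_host)
            and path_matches(cookie, request_path)
            and (https or not cookie["secure"]))


if __name__ == "__main__":
    c = parse_set_cookie(PERSISTENT)
    print(c["name"], "session cookie?", is_session_cookie(c))                      # False
    print("sent to xyz.nature.com?", domain_matches(c, "www.nature.com", "xyz.nature.com"))  # False
```

Two points the browser's rules make visible here: the page's '.nature.com' and a plain 'nature.com' Domain attribute behave identically under RFC 6265, and a cookie marked Secure is withheld from plain-HTTP requests, which is the attribute that stops a session cookie leaking the way Basic credentials do.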
Certificate Authentication

I am yet to see an online content publisher who would insist on this form of authentication. It is useful to know nevertheless as you may be using certificates to access Office365, protect the connection to your work network over the VPN or even just log in to the portal where all of your digital resources are listed. Certificate authentication can replace user credentials or be used in conjunction with them for increased security. Winnard et al. (2016) defined the concept in the following way: "one party uses a certificate to identify itself, the other party must validate it. This process is referred to as a handshake."

At the risk of sounding medieval when explaining modern technology, I will compare a digital certificate to an official seal, confirming to the King the letter is from the bishop. The bishop will have used his ring to stamp it, then ordered his trusted messenger to deliver the letter to the King. This letter is of high importance and the King needs to be certain that the seal is not forged. What if someone has stolen the bishop's ring and went on stamping about? He refers the matter to the archbishop (Certificate Authority) - a highly respected and trusted individual who is in charge of and regularly keeps in touch with all the bishops. The archbishop inspects the seal and confirms its validity. He also informs the King the sender is alive and well, as he has only recently attended a dinner party with him. The King is now sufficiently assured of the authenticity of this letter and proceeds to read it.

Suppose the bishop has been demoted - he would then be added to the revocation list and the archbishop would advise the King not to trust any correspondence sealed with the demoted bishop's stamp. The same would apply if the bishop's reign in the region has come to an end (this would unfortunately mean the bishop has passed away) - the archbishop would notify the King the official seal has expired and should not be trusted.

When you are a King, here is how your browser would declare it:

[Screenshot: browser warning page reading "There is a problem with this website's security certificate", explaining that certificate problems may indicate an attempt to fool you or intercept data you send to the server, with options to close the page or continue to the website (not recommended)]
Key concepts

HTTP: Facilitates data exchange on the WWW. Uses GET to fetch information and POST to send it.

CERTIFICATES: Help confirm the authenticity and trustworthiness of digital entities.
IP address recognition

IP address recognition, often referred to as a "traditional authentication method", is very old. It pre-dates the HTTP Basic Authentication discussed earlier on and goes as far back as the 1970s - the time before the World Wide Web as we know it. Why did I call it recognition, not authentication? Because the elements required to identify an individual are missing. It deals with authorisation from a known location. For example: Ray wants to access the International Journal of Metrology and Quality Engineering. His institution subscribes to it and Ray is accessing from an on-campus computer. Upon detecting a new connection, metrology-journal.org checks Ray's IP address against the list of authorised IP addresses and grants access to the content.

IP recognition is without a doubt the most widely used method for institutional logins in the online publishing industry. This is a very convenient option that requires minimal effort to set up - a simple network firewall can do the job. For each incoming IP the traffic is likely to be monitored for security reasons and to measure usage, which may influence the cost when it comes to renewal. The setup itself though is exceptionally straightforward. But how do we use the same method to enable access for users off-site?

The reigning king of IP-based remote access technologies is a proxy. Here is another common scenario: the deadline is fast approaching and Helen needs to access annals.org from home to complete her assignment. She logs into the library portal where links to various online resources are listed and clicks on the 'Annals of Internal Medicine' link which is configured to route the request via her university's proxy server. The proxy changes Helen's IP address into one that has been pre-agreed to represent this institution and the publisher authorises access based on the proxy IP instead of Helen's real one.
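Ray's on-campus check and Helen's proxied off-site access, modelled on the publisher's side as an added example (not code from the book). The subscriber ranges use RFC 5737 documentation addresses, the proxy address and the institution names are constructed, and the library_proxy function is a hypothetical stand-in for the rewriting proxy the text describes.

```python
import ipaddress

# Constructed subscriber list as a publisher might hold it: institution -> address
# ranges registered for on-site access (RFC 5737 documentation addresses).
SUBSCRIBER_RANGES = {
    "Ray's University":   ["203.0.113.0/24"],
    "Helen's University": ["198.51.100.0/26"],   # contains the university proxy, .10
}
HELEN_PROXY_IP = "198.51.100.10"  # constructed: the address the proxy presents to publishers


def build_index(subscriber_ranges):
    """Pre-parse the CIDR strings once; membership tests are then cheap."""
    return [(ipaddress.ip_network(cidr, strict=True), inst)
            for inst, cidrs in subscriber_ranges.items() for cidr in cidrs]


INDEX = build_index(SUBSCRIBER_RANGES)


def recognise(client_ip: str, index=INDEX):
    """IP recognition: map the incoming address to a subscribing institution.
    It never yields a person, only a site: everyone behind the same address
    (NAT, campus firewall, proxy) looks identical to the publisher."""
    addr = ipaddress.ip_address(client_ip)
    for network, institution in index:
        if addr in network:
            return institution
    return None


def publisher_response(client_ip: str) -> str:
    """What the publisher's site does with the address it sees."""
    inst = recognise(client_ip)
    if inst is None:
        return "403 Forbidden: address not registered for any subscriber"
    return f"200 OK: This resource is provided to you courtesy of {inst}"


def library_proxy(user_logged_in: bool, real_ip: str) -> str:
    """Off-site path (hypothetical model): the proxy forwards only requests from users
    who logged in to the library portal, and the publisher then sees the proxy's
    address rather than the user's. Individual authentication happens here, not at
    the publisher."""
    return HELEN_PROXY_IP if user_logged_in else real_ip


if __name__ == "__main__":
    print(publisher_response("203.0.113.42"))                  # courtesy of Ray's University
    home = "100.64.7.7"                                        # Helen at home (constructed)
    print(publisher_response(home))                            # 403
    print(publisher_response(library_proxy(True, home)))       # courtesy of Helen's University
```

The proxy is the only point in this flow where a person is identified; the publisher sees one address for the whole institution, which is exactly why a compromised or misconfigured proxy turns a single login into site-wide access.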
Remote access: local build vs cloud based

Some organisations like to keep it all in-house, in particular those benefiting from a large IT team or those that do not believe in cloud technologies. A proxy server is either installed as a stand-alone entity on the local network or may come as an add-on feature of another IAM technology, such as OpenAthens LA. In such a setup, the organisation takes full responsibility for the maintenance of its own proxy server - patching, upgrades, resilient architecture, everything. When strict security policies must be adhered to but the institution still wishes to utilise IP recognition for remote access this is often a good choice. Some providers charge per traffic volume or limit the number of concurrent sessions. In response to that, some IT teams feel that having a proxy server on-site helps them maintain a better grip on usage management. EZProxy is an example of a proxy well-known to academic libraries. It offers two options - a locally installed EZProxy server or the Online Computer Library Center (OCLC) hosted service. Whilst ideas to create an open source alternative are surfacing due to the observed continuous rise in prices for this service (Sabol, 2016), the only real alternatives today are a Web Access Management (WAM) proxy or OpenAthens, where a managed proxy service is part of the package.

Hosted proxy services take a lot of stress away as the provider takes care of all the upgrades and maintenance and guarantees a high uptime of the service. As with everything, migration from a local installation to a hosted service requires careful planning. Lynne Edgar from Texas Tech University (TTU) Libraries (2015) has shared the experience of migration in the Journal of Electronic Resources Librarianship, making the following recommendation: "I suggest other libraries thoroughly understand their authentication process < ... > when implementing a hosted service. < ... > Be sure to ascertain the process used to access resources via mobile devices when moving to hosted EZProxy. Ensure tablets and phones will be able to access all of your electronic resources formats whether users are on or off campus".

Her recommendation to thoroughly understand the local authentication process is sound and applicable whichever IAM solution you may be considering. If you know what systems are in place and what your user journey looks like, a good support team should be able to assist you with the rest. In TTU Libraries' case, the process of migration unintentionally stretched out to seven months and there was a loss of service to external patrons along the way.

KEY POINTS
A locally hosted proxy server will have to be looked after. Organisations that have implemented this solution commonly have a dedicated member of staff who continuously updates proxy configurations.
A proxy in the cloud takes a lot of work off your hands and is much more convenient than a locally hosted one. Understanding your institution's security policies as well as the existing user journey will help reduce disruptions during the implementation.
"On average, 58% of the IP ranges held by publishers to authenticate libraries who license their content are inaccurate"
Security considerations

As convenient as it may be, IP recognition has its flaws. Many publishers code their websites in such a manner as to aid researchers in their efforts. This aid would often take the form of personalisation features, such as the ability to save useful articles or advanced search queries, compile a list of references, share material with fellow researchers and so on. All of this convenience is unattainable when the IP address is used for authorisation. Why? Because the IP address does not uniquely identify a user, unless the user has a static address configured on the device and that device is utilised exclusively by that one user, which is a somewhat unlikely scenario. In fact, it is common practice to only use one or two IP addresses to identify the whole site! The most a digital content provider can achieve is match the incoming IP address to the list of subscribers and make a remark of this somewhere on the website, such as "This resource is provided to you courtesy of Helen's University".

Something to consider: networking teams rarely discuss their work with the library (nor would librarians find it interesting). So whenever the institution's external IP address changes, the library would be informed of the new one and the old one would be left to function for a while to avoid any disruptions. How often do we bother to contact all the publishers to remove the old IP address? My experience shows this is not a common practice as many subscribers get misrecognized every other day and contact our service desk for help.

In addition to being susceptible to man-in-the-middle attacks, access by IP recognition has been discovered to suffer from general abuse by subscribers. Publisher Solutions International Ltd (2017) have recently carried out an extensive research and data cleanup exercise where they have come across numerous instances of misuse and license abuse... This led to the opening of ipregistry.org - a growing repository of approximately 1.5 billion validated IP addresses from over 60,000 organisations worldwide. These addresses are added and updated by subscribing institutions themselves, however the benefit is that they only have to do this once. Participating publishers are keeping an eye on this list and upon detecting changes on their subscribers' records, update their access management systems automatically. The site has just gone live but has already been enthusiastically greeted by large publishers such as Wiley and Cambridge University Press as well as librarians in the hope they will be able to cut down on the manual effort required to update every provider every time one of their on-site or proxy IP addresses changes.

KEY POINT
IP recognition is easy to implement and is sometimes perceived as the key element to guarantee anonymity. It is also a trade-off between convenience for the library and convenience for the end user.
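The "old address left to function" problem above, turned into a check a library or publisher can run, as an added example (not code from the book): compare the ranges a publisher still honours for an institution with the ranges the institution currently declares (in a registry of the kind described above), and report what is stale and what is not yet covered. All address ranges are constructed from RFC 5737 documentation space.

```python
import ipaddress

# Constructed data: what a publisher still has on file for one institution versus
# what the institution currently declares.
PUBLISHER_HELD = ["203.0.113.0/24", "198.51.100.0/26", "192.0.2.77/32"]
INSTITUTION_DECLARED = ["203.0.113.0/24", "198.51.100.0/24"]


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def reconcile(held, declared):
    """Return (stale, missing).
    stale   = ranges the publisher still honours that fall outside everything the
              institution declares today: an old address that was never removed now
              grants access to whoever inherits it.
    missing = declared ranges the publisher does not fully cover: users there will be
              misrecognised and end up calling the service desk."""
    held_nets, declared_nets = _nets(held), _nets(declared)
    stale = [str(h) for h in held_nets
             if not any(h.subnet_of(d) for d in declared_nets if d.version == h.version)]
    missing = [str(d) for d in declared_nets
               if not any(d.subnet_of(h) for h in held_nets if h.version == d.version)]
    return stale, missing


def audit(publishers: dict, declared) -> dict:
    """Run reconcile() against every publisher's copy of the institution's ranges;
    only publishers with something to fix appear in the result."""
    report = {}
    for name, held in publishers.items():
        stale, missing = reconcile(held, declared)
        if stale or missing:
            report[name] = {"stale": stale, "missing": missing}
    return report


if __name__ == "__main__":
    print(reconcile(PUBLISHER_HELD, INSTITUTION_DECLARED))
    # (['192.0.2.77/32'], ['198.51.100.0/24'])
```

A range reported as missing here is not necessarily unknown to the publisher: 198.51.100.0/26 is on file, but the institution now declares the whole /24, so three quarters of that network would still be refused until the publisher's record is widened.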
Key concepts

IP RECOGNITION: Authorisation based on the incoming IP address.
"While it may seem like no one is paying attention, internet users are starting to realize their data has a value. And it's a value that deserves better than a password."
JOHN FONTANA, 2017
SAML

Security Assertion Markup Language - SAML (sam-el) is a well-established and mature open standard, designed for the best possible user experience with the added benefit of maximum security. Praised by information security professionals, it passes selective information about an individual without ever giving out the user's credentials! Better yet, one of the main purposes of this protocol is to aid Single Sign On, which takes care of the headache associated with maintaining passwords. Sounds magical? Let's have a look at how it works.

Consider the following picture illustrating a similar scenario:

[Illustration: Rob, his hospital and ScienceDirect exchanging numbered messages; the legible steps are 3. "Hi there, do you work for us?" and 4. "I do, here's my ID."]
The decision to trust someone is often made based on what you know about that person. Trust is the key principle of SAML and, like in real life, identity plays a major part. Similar to a country issuing passports to its citizens, you - as an institution - are providing virtual identities to your users. Depending on your security and data protection policies, you will be collecting certain information about them, such as name and surname, email address, position, maybe even home address, telephone number, date of birth and the shoe size! This helps create an accurate user profile, stamp it with a unique username and assign appropriate permissions and privileges for each individual. In the world of SAML, your country is called an IdP - Identity Provider. This is very important! The identity provider is you.

Now that you have a country to rule, you need a country code. Whilst you would expect one to three digits in a normal world, Identity Providers are defined by a unique string of characters that often looks like a web address but isn't (just to confuse you) - if you clicked on it, it wouldn't take you anywhere. It's called an entityID. So why the weird notation? Well... for one, 'sfghhjkd1334' is not as easy on the eye although it could serve the purpose just fine.

EntityID is quite an important element - much like a country code, it can make or break the connection. As such, I often get asked "what happens to the entityID upon switching from one software to another?" The answer is: nothing needs to happen unless you choose so. You may decide to keep it exactly the same and users will not know the difference, or change it to match the new software. Changing the entityID will require appropriate notifications sent to your users as well as online content providers.

Ok, last bit. Your population has grown and you now have more than one city. If you are Spain, how do we help route a call to Madrid and not Zaragoza? We use a city code or scope, "madrid.es". Here's how this would look in a SAML call directory:

EntityID: https://idp.espana.es/metadata
Scope: madrid.es, zaragoza.es, barcelona.es, valencia.es, seville.es, palma.es

And if you happen to be Monaco?

EntityID: https://idp.monaco.mc/metadata
Scope: monaco.mc

KEY POINTS
Identity Provider or IdP creates virtual identities for users. Institutions use various software products for this task: Shibboleth, OpenAthens, ADFS, etc.
Scope is the 'perimeter' of where the user is coming from. For example: "maincampus.university.com", "overseas.university.com"
How do publishers recognise their subscribers? They do this by analysing an attributes statement sent to them by the Identity Provider. This statement, called a SAML assertion, contains information about the institution and an individual user, based on what you have decided to release. Consider the following scenario: Anna is a physicist from the USA who will be spending a few weeks in Switzerland, collaborating with CERN scientists. In addition to an invitation letter, she must produce evidence of her identity and education to obtain her temporary researcher's pass.

The below is an excerpt from one such attributes statement:

[Attribute statement excerpt not legible in this copy]

< ... > conversation. The key to it all however, the glue that makes it all work, is the metadata. Metadata is information about information. Or data about data. Not just any data though - descriptive data. Any SAML participant has a metadata file that contains their entityID, scope, attributes, login endpoints and other relevant things. As mentioned before, the key concept of SAML is mutual trust and it can be established by exchanging the metadata.

KEY POINTS
A federation is a collective of IdPs and SPs that have agreed to trust each other. Remember the metadata from the previous page? One of the rules that define trust and interaction in the federation is an aggregation of information about all parties into a large XML file. This is where Identity Providers and Service Providers would enlist their metadata files to make the secure communication easier. I have come to think of it as a private scientists' party as most federations were established to unite educational bodies of each country. Each has its own rules of acceptance: to join The UK Access Management Federation for Education and Research the IdP organisation must be an educational or research body based in the United Kingdom. InCommon accepts members from the US higher education, research organisations, or sponsored partners of higher education members. Most federations have geographical restrictions, with OpenAthens currently being the only global federation that is not limited to academic institutions (but we could see that change). At the time of writing there are 51 live federations known to REFEDS - the Research and Education Federations group, with a further 16 more in a pilot stage.

The Finnish Haka federation comprises 50 members whilst InCommon in the USA boasts a growing community of 944 participants (Incommon.org, 2017). Due to geographical restrictions however, you may not have much choice unless you live in Texas, USA. Texas has three federations of its own and is eligible to join InCommon as well as the OpenAthens federation. So why would you want to join a federation? Why not just go ahead and create a bunch of one-to-one connections?

First, this would be too cumbersome for everyone involved. It is much easier for a service provider to retrieve records from a big file on the web (or a local copy of this file - even faster!) than to create an in-house records system to store each organisation's metadata. Furthermore, such a system would have to be continuously updated in case the Identity Provider changes something - a login point for example. For you as an institution the benefits include having all the information about your providers in one place and security assurances. You can expect a certain standard of service throughout the federation and, depending on the IdP software in use, completely eliminate the need to involve your technical staff when enabling access to online resources.
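As an added example (not from the book), here is how a service provider can read a federation aggregate of the kind described above: it pulls each IdP's entityID, scopes and login endpoint out of the XML and checks a scoped attribute value against the IdP that asserted it. The aggregate is constructed around the Spanish and Monaco IdPs from the entityID page; the publisher SP entry and the endpoint URLs are invented for illustration.

```python
# Added example, not code from the book: read a SAML federation aggregate,
# index every IdP by entityID with its scopes and login endpoint, and check
# a scoped attribute value against the IdP that asserted it.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}

# Constructed aggregate modelled on the book's Spain and Monaco IdPs; the SP
# entry and the endpoint URLs are invented. A real federation file has the
# same shape with hundreds of EntityDescriptor elements.
AGGREGATE = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.espana.es/metadata">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">madrid.es</shibmd:Scope>
        <shibmd:Scope regexp="false">barcelona.es</shibmd:Scope>
      </md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.espana.es/sso/redirect"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.monaco.mc/metadata">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">monaco.mc</shibmd:Scope></md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.monaco.mc/sso/redirect"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.publisher.example/metadata">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def load_idps(aggregate_xml):
    """Map entityID -> {"scopes": [...], "sso": [...]} for each IdP in the file.
    Entities without an IDPSSODescriptor (service providers) are skipped."""
    idps = {}
    for ent in ET.fromstring(aggregate_xml).findall("md:EntityDescriptor", NS):
        idp = ent.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue
        # Literal scopes only; a regexp="true" scope would need a regex match.
        scopes = [s.text.strip() for s in idp.findall("md:Extensions/shibmd:Scope", NS)
                  if s.get("regexp", "false") == "false"]
        sso = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)]
        idps[ent.get("entityID")] = {"scopes": scopes, "sso": sso}
    return idps

def scope_permitted(idps, entity_id, scoped_value):
    """Accept "anna@madrid.es" only if madrid.es is registered to entity_id."""
    scope = scoped_value.rsplit("@", 1)[-1].lower()
    return scope in (s.lower() for s in idps.get(entity_id, {}).get("scopes", []))
```

The scope check is the reason publishers ask for both entityID and scope: a value claiming a scope that the asserting IdP does not own is rejected even if the assertion itself is well formed.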
Key concepts

SAML
Security Assertion Markup Language. An open standard designed to aid secure Single Sign On.
Open Authorisation (OAuth) is SAML's little sister. Its latest version - OAuth 2.0 - was released in May 2010 and is yet to fulfil its potential, though it is fast gaining popularity among mobile application developers. An important observation to make - as the name suggests, OAuth deals with authorisation, not authentication, as it is designed to help one application access another application's data.

You may be familiar with this:

[Figure: Scopus to ORCID. You will receive the message asking for your authorisation to allow Scopus to access your ORCID record. Click on 'Authorize'.]

You may have also seen similar prompts when downloading applications from Google Play or Apple's App Store. As part of the authorisation framework, the application will ask for your permission to access your data from another application. This would sometimes only happen once and other times you would be prompted more frequently. After clicking 'Authorize' or 'Allow', the app that popped the question will send an authorisation code to the app that requested access. In our example it will be ORCID granting access to your data to Scopus. The authorisation code can be compared to a bank cheque - on its own it's a worthless piece of paper, but when you take it to the bank you may exchange it for real money. Some cheques are valid for a month, three or six months, but an authorisation code's lifetime is normally minutes and seconds. So the receiver must go and cash it in quickly to obtain the access token (money) in return. This access token will allow it to go to the shop - ORCID - and access information about the user for a certain period of time - i.e. shop until the money runs out! Sometimes money runs out really quickly but some apps are more generous than others and write big cheques. Facebook, for instance, will allow apps to access your data for 60 days.

The process is simple, so not surprisingly the protocol was well received and quickly adopted. It was soon noticed however that OAuth 2.0 was being misused for authentication, which it was never designed to perform. A range of security issues were discovered, most of which are now well documented and available on the World Wide Web. The famous "Signing into One Billion Mobile App Accounts Effortlessly with OAuth 2.0" by Yang, Lau and Liu (2017) is an astonishing example of our inclination to trust technology and perhaps a nudge to nurture our inquisitive nature a little bit more.
In 2014, a self-proclaimed "league of backstabbing competitors" (Leszcz, 2017) developed OpenID Connect, also known as OIDC - a protocol that adds an authentication layer on top of OAuth 2.0, making it more secure as well as facilitating a superior user experience. The protocol was first adopted by its creators: Google, Microsoft and Ping Identity, then by other technology giants such as Amazon, IBM, ForgeRock and PayPal. Big names sound encouraging but what does it actually do and why would you want to know about it?

Although current library technologies are in no imminent danger of being taken over by OpenID Connect implementations, it is rapidly gaining audience and if all goes well it might just replace SAML in a decade or so. You may already be using applications that promote this authentication method, for example, to access MyDay by Collabco, Moodle, Office 365 or Open edX. There is also another reason why I want you to know about OIDC. When choosing between two VLE systems or two student platforms, or even between several access options when subscribing to an online resource, the one that supports OpenID Connect should win against the one that only does OAuth, OAuth 1.0 or OAuth 2.0. Even if it's just from a security perspective; even if just for you.

Remember the access token - real money - that Scopus used to access your data from ORCID? In a scenario where only OAuth 2.0 is used, Scopus has no way of knowing whether you are still logged into ORCID, so it can keep on shopping until the money runs out (access token expires). When OpenID Connect is at play however, Scopus would receive an ID token together with the access token. In other words, a photocopy of your passport in addition to money. In addition to useful personal information such as name and surname, which will help the app provide a better service, the photocopy will contain a time stamp allowing its validity to expire as well as proof that you are definitely logged in. ID tokens can be signed, encrypted and otherwise secured to a high standard, which is another great feature of OpenID Connect.

KEY POINTS

OAuth 2.0 deals with authorisation only; OpenID Connect adds an identity layer to it, making secure authentication possible.

Think "app to app" communication rather than "app to user" or "user to provider". Implementation of this authentication method will normally require some development effort.
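To make the cheque analogy concrete, here is an added example (not from the book, and not ORCID's or Scopus's code) of a toy provider in the ORCID role: authorisation codes are single use and expire in seconds, access tokens last longer, and with OpenID Connect the client also gets a signed ID token it can verify for signature, audience and expiry. An HMAC with a constructed shared key stands in for the provider's signature; the client name, key and lifetimes are assumptions.

```python
# Added example, not code from the book or from ORCID/Scopus: a toy
# authorisation server in the ORCID role. Lifetimes, the client name and the
# signing key are constructed; an HMAC stands in for the provider's signature.
import base64, hashlib, hmac, json, secrets

SIGNING_KEY = b"constructed-demo-key"   # provider's secret, used to sign ID tokens
CODE_TTL = 60                           # the cheque: cash it in within a minute
TOKEN_TTL = 60 * 24 * 3600              # the money: 60 days, as in the Facebook example
ID_TOKEN_TTL = 3600                     # the passport photocopy expires too


def b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class Provider:
    def __init__(self):
        self._codes = {}   # code -> (user, client, expiry)

    def authorise(self, user, client, now):
        """After the user clicks 'Authorize': hand the client a one-time code."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, client, now + CODE_TTL)
        return code

    def exchange(self, code, client, now, openid=False):
        """Swap the code for an access token; with openid=True add an ID token.
        Returns None for an unknown, expired, reused or wrong-client code."""
        entry = self._codes.pop(code, None)   # pop: a code can be cashed once
        if entry is None or entry[1] != client or now > entry[2]:
            return None
        result = {"access_token": secrets.token_urlsafe(24), "expires_in": TOKEN_TTL}
        if openid:
            claims = {"sub": entry[0], "aud": client, "iat": now, "exp": now + ID_TOKEN_TTL}
            body = b64(json.dumps(claims, separators=(",", ":")).encode())
            sig = b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
            result["id_token"] = body + "." + sig
        return result


def verify_id_token(token, client, now):
    """What the client does with the 'passport photocopy': check the signature,
    that it was issued for this client and that it has not expired."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("aud") != client or now > claims.get("exp", 0):
        return None
    return claims
```

A real OpenID provider signs ID tokens with a private key and publishes the public key, so the client never holds the secret; the checks the client performs are the same.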
Key concepts

[Diagram not reproduced.]
60 second diagnostics

[Flowchart, only partly recoverable: START ... NO: "Authentication error. Check user account is valid and has correct permissions." ... YES ...]
Resource access issues can sometimes be caused by an incomplete setup. If you have used the "60 seconds diagnostics" flowchart and ended up on the "Contact the publisher" suggestion, this is probably why. Let's have a look at what providers need from you to successfully enable access for your organisation.

Access by... username and password.

Avoid if possible. Nothing is required from you to set this up: the publisher will provide you with credentials that you will be asked to share within your institution and users will take it from there.

Access via... IP recognition.

Send the publisher the range of your external on-site IP addresses. If you are using a proxy to facilitate remote access, add your proxy IP as well, advising that this is a proxy IP (they will see much more traffic from this address and may decide to block it if not notified otherwise). When providing on-site IP addresses, make sure they do not start with 10.*, 172.16.* to 172.31.* or 192.168.* as these addresses are private, meant for internal use only. Your networking team will have set up a translation protocol that turns these internal addresses into one or more external IPs, which is what the publisher will be interested in.

Access via... SAML authentication.

If your institution belongs to a SAML federation, providers will probably only require your entityID and scope to enable access. Very few would ask for particular attributes - such as email address or a specific string of characters - to be passed to them as part of the attributes statement. One thing to bear in mind though (this comes up very often): publishers will often refer to federated access as "Shibboleth". Shibboleth is popular open source software used to aid SAML authentication which many digital content providers are familiar with. It was so popular in the early days of SAML that the name became synonymous with it and, funnily enough, some would have never heard of the protocol but would recognise the sound of Shibboleth. Don't let this confuse you - whoever supports Shibboleth will be capable of setting up SAML authentication for you.

If you are looking to make a one-to-one SAML connection to an application such as Moodle or Blackboard, instructions will usually be provided. If in doubt, the principle is the same as with federated access - metadata exchange. You will need to provide your metadata file to the requesting party and obtain theirs, then add theirs to your system and they will add yours. Job done!
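As an added example (not from the book), this small helper performs the check the IP recognition section above asks for before a range list goes to a publisher: it accepts CIDR blocks, single addresses and first-last ranges, rejects anything touching the three private blocks named there, and labels the proxy address separately. The sample ranges and proxy address are constructed documentation addresses, not any institution's.

```python
# Added example, not code from the book: vet a list of on-site address ranges
# before sending it to a publisher. The sample ranges and proxy address are
# constructed (RFC 5737 documentation space), not any institution's.
import ipaddress

# The three private blocks the book names: 10.*, 172.16.* to 172.31.*, 192.168.*
PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ranges(text):
    """Turn '203.0.113.0/24', '203.0.113.4' or '203.0.113.1-203.0.113.50'
    (comma or whitespace separated) into a list of IP networks."""
    nets = []
    for item in text.replace(",", " ").split():
        if "-" in item:
            first, last = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_private(net):
    """True if any part of the network falls inside RFC 1918 space, so a
    range that merely straddles a private block is rejected as well."""
    return isinstance(net, ipaddress.IPv4Network) and any(
        net.overlaps(block) for block in PRIVATE_BLOCKS)


def build_submission(onsite_text, proxy_ip=None):
    """Split the ranges into those to send and those to reject; the proxy is
    listed separately with the warning the book recommends giving."""
    send, rejected = [], []
    for net in parse_ranges(onsite_text):
        (rejected if is_private(net) else send).append(str(net))
    if proxy_ip:
        proxy = ipaddress.ip_network(proxy_ip, strict=False)
        label = f"{proxy} (proxy: expect much more traffic from this address)"
        (rejected if is_private(proxy) else send).append(label)
    return {"send": send, "rejected": rejected}


# Constructed input: two public blocks, one first-last range and three
# private entries that must never reach the publisher.
SAMPLE = "203.0.113.0/24, 10.1.0.0/16, 198.51.100.10-198.51.100.20, 192.168.1.5, 172.20.3.0/24"
```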
Access disrupted, phone ringing off the hook while the service desk people on the other end (publisher, software vendor, IT team) are taking their time? Very stressful, very frustrating and it's not your fault! Having had the privilege to be in the role of the outraged customer representing institutional interests as well as a support analyst for such outraged customers, I have observed a few things that help speed up the resolution time - every time.

1. Try to identify the root cause of the issue if at all possible. Use the flowchart from "60 seconds diagnostics" to get an idea of what may have gone wrong. This step will either save you a lot of time or at the very least reduce the likelihood of hearing it's someone else's problem.

2. Pick up the phone. Really. This is an obvious one but you would be surprised how rarely people do it! If you are looking for quick results, opt for a call rather than email. I will agree with you if you have just thought to yourself it is impossible to find online publishers' help desk numbers. Online forms and email addresses that send automatic "we will get back to you within the next 24 hours to 5 working days" replies make their life easier, help manage the workload and so on. However, if your institution has got an audit in the next few hours or access to the resource you have based your presentation on is not working... I call it mission critical. Can't find the number for the help desk? Call their sales team or, if you have one, your sales representative. I guarantee they will pass you through to the technical team or get them to call you back. (Sound distressed!)

3. Email screenshots and steps to reproduce the issue. This is just as essential as getting the help desk's attention in the first place. Unless you are affected by a service-wide issue or it's a well-known bug, the technical team will not know precisely what is wrong. One thing I have learnt is that there are a million ways to get to the same error message. Tell them exactly what you clicked on, where it took you and attach the screenshot of the error message that followed. If at all possible, provide test credentials.

4. Confirm the person dealing with your issue. A name and the help desk's number is a great start - sometimes just knowing your special helper's name inspires greater responsibility. If all else fails, you can at least encourage accountability.

On the other end of the scale are super-helpful workers who will not hesitate to provide you with their personal work email address or direct dial. This is amazing when dealing with an ongoing emergency; however, if you want this special attention when the next disaster strikes, better not put the poor guy on speed dial for not so urgent issues.
You've made it!

The world of identity and access management is vast and growing fast but so little of it affects how we access [...] seep into the library and enrich the way people experience knowledge.

With promising projects well under way we may finally be able to combine security with usability.

Librarians are getting very savvy [...] they are presented with. I hope this won't be necessary for long.

Lastly, I hope this short read will have made your access management less of a maze and more a walk in the park. I sincerely thank you for your time.

Kristina
Bibliography

Aaf.edu.au. (2017). Australian Access Federation. [online] Available at: https://aaf.edu.au/price [Accessed 10 Jul. 2017].

Edgar, L. (2015). EZproxy: Migrating From a Local Server to a Hosted Environment. Journal of Electronic Resources Librarianship, 27(3), pp.194-199.

Fontana, J. (2017). Hacks battered IT optimism in 2016; can 2017 enrich defenses | ZDNet. [online] ZDNet. Available at: http://www.zdnet.com/article/hacks-battered-it-optimism-in-2016-can-2017-enrich-defenses [Accessed 9 Jul. 2017].

Ft.com. (2017). Financial Times. [online] Available at: https://ft.com [Accessed 9 Jul. 2017].

Gartner IT Glossary. (2017). Identity Management - Access Management - Gartner Research. [online] Available at: https://research.gartner.com/definition-whatis-identity-access-management [Accessed 11 Jul. 2017].

Incommon.org. (2017). InCommon Participants. [online] Available at: https://www.incommon.org/participants [Accessed 10 Jul. 2017].

Leach, P., Franks, J., Luotonen, A., Hallam-Baker, P., Lawrence, S., Hostetler, J. and Stewart, L. (2017). RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication. [online] Tools.ietf.org. Available at: https://tools.ietf.org/html/rfc2617 [Accessed 11 Jul. 2017].

Leszcz, M. (2017). The Foundation of Internet Identity | OpenID. [online] Openid.net. Available at: http://openid.net/2016/09/27/the-foundation-of-internet-identity [Accessed 11 Jul. 2017].

Publisher Solutions International (2017). The IP Registry - The Global IP Address Database. [online] Theipregistry.org. Available at: http://theipregistry.org [Accessed 11 Jul. 2017].

REFEDS (2017). Federations Map. [image] Available at: https://refeds.org/federations/federations-map [Accessed 11 Jul. 2017].

Winnard, K., Bussche, M., Choi, W. and Rossi, D. (2016). Managing Digital Certificates across the Enterprise. [S.l.]: IBM Redbooks, p.16.

Wright, C., Freedman, B. and Liu, D. (2008). The IT regulatory and standards compliance handbook. Burlington, MA: Syngress Pub., pp.522-523.

Yang, R., Lau, W. and Liu, T. (2017). Signing into One Billion Mobile App Accounts Effortlessly with OAuth2.0. [ebook] Available at: https://www.blackhat.com/docs/eu-16/materials/eu-16-Yang-Signing-Into-Billion-Mobile-Apps-Effortlessly-With-OAuth20-wp.pdf [Accessed 11 Jul. 2017].