
Kristina Botyriute

Access to Online Resources
A Guide for the Modern Librarian

Kristina Botyriute
OpenAthens, Eduserv
Bath, UK

Photographs by Danielle Mac Innes, Edward Borton, Phil Coffman, Kristina Botyriute, Kai Oberhäuser, Pavan Trikutam, Angelika Levshakova, Philipp Berndt, Antonina Bukowska, Riciardus, Jakob Owens, Margarida C Silva, Clem Onojeghuo, Michał Parzuchowski, Daria Nepriakhina, Anastasia Petrova, Antonio Lapa, Tim Gouw, Marc Wieland, rawpixel.com, Jessica Furtney, David Marcu, and hand drawn illustrations by Ieva Botyriute

ISBN 978-3-319-73989-2
ISBN 978-3-319-73990-8 (eBook)
https://doi.org/10.1007/978-3-319-73990-8

Library of Congress Control Number: 2018935111

© The Editor(s) (if applicable) and The Author(s) 2018. This book is an open access publication.
Open Access This book is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits
use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to
the Creative Commons license and indicate if changes were made.
The images or other third party material in this book are included in the book’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is
not included in the book’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain
permission directly from the copyright holder.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such
names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the
publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.
The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Cover Illustration: Front cover photograph by Ashley Batz; back cover photograph by Jill Heyer

Printed on acid-free paper

This Springer imprint is published by the registered company Springer International Publishing AG part of Springer Nature.
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
01 Introduction

02 Authentication and Authorisation
   Jane and Ben
   Before we start

03 Web based authentication
   What is HTTP?
   HTTP Basic Authentication
   HTTP Digest Authentication
   HTTP(S) Forms Authentication
   Cookies!
   More about cookies ...
   King and bishop: certificates
   Key concepts

04 IP address recognition
   On and offsite
   Remote access: local builds v cloud based
   Security considerations
   Key concepts

05 SAML
   How it works
   ... You ...
   ... and Them
   Federation
   Key concepts

06 Open Authorisation 2.0
   OpenID Connect
   Key concepts

07 60 second diagnostics
   Basic Troubleshooting
   Setting up access
   The fastest way to get help
   The End

Bibliography
© The Editor(s) (if applicable) and The Author(s) 2018
K. Botyriute, Access to Online Resources, https://doi.org/10.1007/978-3-319-73990-8_1

Introduction

"Access management is a very complicated beast", concluded one of my customers at the end of a lengthy support call. This might indeed reflect how many librarians feel these days but it doesn't need to be! After reading this book, you will be able to skillfully navigate the maze of online access management technologies and decide what serves your library's needs best.

According to Gartner IT Glossary (2012), "identity and access management (IAM) is the security discipline that enabled the right individuals to access the right resources at the right times for the right reasons." Simply put, it is making sure your users are who they say they are and only have access to what you want them to have access to. In addition to preventing unauthorised parties from exploiting your organisation's resources, IAM technologies can help manage subscriptions to online resources where cost is based on the number of users accessing protected content.

Some publishers charge for every single user, in which case you will want to make sure you have an up-to-date list of individuals who need this resource as well as ensure appropriate permissions are in place. This is particularly relevant to small libraries where the budget is limited.

As an international technical pre-sales consultant for OpenAthens, I frequently speak to librarians from all over the world. The sheer number of technologies a typical librarian deals with on a daily basis is astonishing. Often they are expected to learn on the job, which can be stressful in a busy environment, especially if communication between the library and IT department is poor.

The following chapters are written for knowledge workers who are involved with managing access to digital content online and cannot afford the time to read book after book of technical material to make sense of all the nuts and bolts that make up IAM. I have covered all the main concepts in this book.
Jane and Ben

Monday morning. Electronic resources librarian Jane makes herself a cup of coffee, sits down at her desk and types her username and password into the login screen. Instantly, the computer sends these credentials to a central place, the directory, where all organisational accounts are listed. The most popular of these is Microsoft's Active Directory but on a rare occasion you may be dealing with alternatives such as OpenLDAP, Univention (UCS), ApacheDS or even the futuristic concept of Directory-as-a-Service.

So what happens when Jane's credentials reach the directory? The server checks if Jane is a registered user and if the password is correct. If so, she is authenticated into the system.

Jane opens the shared drive to find some reports but accidentally clicks on the 'HR' icon, causing a warning message to appear advising she does not have permission to access this folder. She then clicks on 'Reports' as initially intended and it opens. This is an authorisation decision influenced by a variety of security policies in Jane's organisation, determining specific permissions for each user or user group.

In the context of accessing digital resources online, authentication and authorisation may occur a number of times before users are presented with the content they are trying to access.

Ben is a chemistry student who has found an interesting article on ScienceDirect (sciencedirect.com). In order to read the full article, Ben must sign into the website. He knows his university has access to content on this website and selects the 'Sign in via your Institution' option. The following sequence of events may sound like a long intricate process but in reality it gets executed in a split second:

First, a form for credentials is displayed and as soon as Ben enters his details, his organisation authenticates him as a valid user.

Then, Ben's institution passes a small set of information to ScienceDirect. This set includes details about Ben as well as his university and is used by the publisher to carry out authentication against the list of subscribing organisations. We can think of it as a second round of the same process, only now on the provider's end.

Lastly, the university is verified to have a valid subscription and authentication is successful, however the article of interest is published in a journal his institution has not yet bought access to, and the authorisation fails.

Ben sets off to his university's library to discuss his options...

KEY POINTS
Authentication validates the user's identity. Who are you?
Authorisation checks what permissions the user has. What can you access?
Before we start

Before we go ahead, we need to make friends with one concept. A PROTOCOL is a big scary word, often used by IT guys to scare people off so they don't have to work as much (I am joking, of course). My personal, if somewhat geeky, opinion is that everything boils down to a protocol. I will explain.

A Shopping Protocol, ASP.

One must walk into a shop, collect items into a trolley or a shopping basket and either self-checkout or go to the till to pay. Whilst there may be a variation in customers' choice of items, container and the method of checkout, ultimately the procedure is to collect items, pay and leave. Any other way to obtain goods from the shop is non-standard and usually unsupported by law.

Essentially, a protocol is a set of rules designed to make our life easier. The sequence of events may vary in length and execution depending on who is doing the shopping but the rules of the protocol enable a clear goal, path and outcome.

What about online shopping? Well, this would be ASP 2.0.

Important thing to note though is that a higher version of something does not always guarantee an improvement; sometimes it is just another way of achieving the same result.

With that in mind, let's go ahead and explore the most common authentication and authorisation methods that protect digital content online today.
What is HTTP?

HTTP stands for Hyper Text Transfer Protocol. It is a set of rules for transferring files on the World Wide Web. When you open your browser and type in an address, you are really saying: 'GET me this web page!'. Collaborating with a number of other protocols, HTTP fetches you the page and serves it up on the screen.

GET https://www.google.com/search?q=test >

Requesting information is not the only thing you can do with this useful protocol. Whilst there is no need to explore all nine methods of HTTP, we will look at another popular one: POST. What does it do? Exactly what it says: it allows you to send information. The link in your browser is the address on an envelope and the 'letter' with information is enclosed within.

POST https://www.any_internet_store.com/Login >
logonID: username
logonPassword: password

Web based authentication has many flavours and what we know as 'username and password' uses three of them:

[Figure: the flavours of web based authentication; labels recoverable from the page: HTTP Basic Authentication, Certificates]

There is a lot more to this simple method than meets the eye and we will delve right into what happens behind the scenes.

KEY POINTS
Hyper Text Transfer Protocol (HTTP) facilitates communication of data on the World Wide Web
GET is a way to request data
POST is a way to submit data
HTTP Basic Authentication

HTTP Basic Authentication is the oldest username and password authentication method there is. It dates back to 1989, when Sir Tim Berners-Lee invented the World Wide Web. It works like this: a user types in credentials and from then on they must be passed to the website each time the user's actions result in a request for any new content to be displayed. Remember GET? This is it! When content is protected by Basic Authentication, whenever the user clicks to open a new article, types in a search query or navigates to a different area of the website, credentials will have to be included in that request. Here is how this might look:

http://username:password@www.example.com
http://example.com?un=username&psw=password

This could get quite inconvenient if one was forced to type their username and password over and over again. Instead of prompting for login every other click, the web browser takes care of this by helpfully storing the user's credentials until a logout button gets hit or the web browser window is closed.

Needless to say, due to its age HTTP Basic Authentication has major security flaws. As you have already noticed, the example links above are passing the username and password in clear text. This authentication method supports base64 encoding too but it doesn't make it more secure as the text can be decoded in seconds using online tools. Can you guess what is encoded in this link?

https://example.com?un=dXNlcm5hbWU=&psw=cGFzc3dvcmQ=

(If you can't, go to base64decode.org and copy-paste the values of un and psw.)

Although most digital publishers opt for more secure methods to protect their content, some still support Basic Authentication. Reasons range from scarce development resources to faith in humanity.

Fortunately for us, this method has a distinct pop-up login screen which will help you identify it; see the next page for a real life example. Whilst I am not advocating the idea, I have seen institutions negotiate lower subscription prices upon discovery of Basic Auth. Others have effectively encouraged their provider into implementing an alternative authentication method.
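Added example, not code from the book: a small scanner that finds credentials exposed in the request shapes this section shows (userinfo in the URL, plain and base64 query parameters) and also in the Authorization: Basic header that browsers actually send for Basic Authentication. The parameter names un/psw (taken from the example links) and the sample requests are constructed for the demo.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Query parameter names treated as credential carriers (constructed list;
# 'un' and 'psw' are the names used in the chapter's example links).
CRED_PARAMS = {"un", "psw", "user", "username", "pass", "password"}


def try_base64(value: str):
    """Return the decoded text if value is base64 of printable ASCII, else None.

    Heuristic: an ordinary word can be valid base64 by accident, but it then
    decodes to non-printable bytes and is rejected here."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None


def mask(secret: str) -> str:
    """Keep the first character only, so the report does not re-leak the secret."""
    return secret[:1] + "*" * (len(secret) - 1)


def find_url_credentials(url: str) -> list:
    """Credentials visible in the URL itself, as (where, label, secret) triples."""
    found = []
    parts = urlsplit(url)
    if parts.username:  # http://username:password@host form
        found.append(("userinfo", parts.username, parts.password or ""))
    for name, values in parse_qs(parts.query).items():
        if name.lower() in CRED_PARAMS:  # ?un=...&psw=... form
            for value in values:
                decoded = try_base64(value)
                where = "query-base64" if decoded is not None else "query-plain"
                found.append((where, name, decoded if decoded is not None else value))
    return found


def find_header_credentials(header_value: str):
    """Decode 'Authorization: Basic <base64(user:password)>' if that is what it is."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    decoded = try_base64(blob.strip())
    if decoded is None or ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return ("header-basic", user, password)


def scan_requests(requests) -> list:
    """One (url, where, label, masked_secret) tuple per exposure found."""
    exposures = []
    for url, headers in requests:
        hits = find_url_credentials(url)
        header_hit = find_header_credentials(headers.get("Authorization", ""))
        if header_hit:
            hits.append(header_hit)
        for where, label, secret in hits:
            exposures.append((url, where, label, mask(secret)))
    return exposures


# Constructed sample requests: the chapter's example links plus one header-based
# Basic Authentication request and one harmless request.
SAMPLE_REQUESTS = [
    ("http://username:password@www.example.com", {}),
    ("http://example.com?un=username&psw=password", {}),
    ("https://example.com?un=dXNlcm5hbWU=&psw=cGFzc3dvcmQ=", {}),
    ("https://example.com/article/1",
     {"Authorization": "Basic dXNlcm5hbWU6cGFzc3dvcmQ="}),
    ("https://www.google.com/search?q=test", {}),
]

if __name__ == "__main__":
    for url, where, label, masked in scan_requests(SAMPLE_REQUESTS):
        print(f"{where:13} {label}={masked}  in {url}")
```

Run over real proxy or web server logs, the same scan shows which resources still push credentials through the URL, which is the evidence a library needs when asking a provider for a better method.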
HTTP Digest Authentication

This is a more secure version of HTTP Basic Authentication. From the user's perspective everything looks the same (real life example of Basic Authentication, as promised):

[Figure: browser 'Authentication Required' pop-up, stating that the site is requesting a username and password]

The only difference with Digest Authentication is that the password will no longer be sent in clear or base64 encoded text. It is now encoded and hashed. What is a hash? Otherwise known as a message digest, a hash is a value representing the original string. For example: 'password' hashed in MD5 is '5f4dcc3b5aa765d61d8327deb882cf99'.

MD5 (Message Digest 5) is the default algorithm used for HTTP Digest Authentication. Problem? MD5 can be cracked in a blink. hashkiller.co.uk cracked the above example in 104 milliseconds.

Upon a (hopefully brief) encounter with Digest Authentication, my best advice is to note what the creators themselves said about the method: "The Digest Access Authentication scheme is not intended to be a complete answer to the need for security in the World Wide Web. This scheme provides no encryption of message content. The intent is simply to create an access authentication method that avoids the most serious flaws of Basic Authentication." (Leach et al., 1999)

KEY POINTS
HTTP Basic Authentication passes credentials within the link, in clear or base64 encoded text
HTTP Digest Authentication hashes the password with MD5
base64 can be decoded using tools freely available online
MD5 is the default algorithm used for HTTP DA. This algorithm was first cracked in 1996 and considered unsuitable for use since 2010
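Added example, not from the book: what a browser actually sends for a Digest challenge (the RFC 2617 response calculation, checked against the worked example in that RFC), what the server stores and verifies, and why a bare MD5 of a password is recovered instantly from a word list. The four-word list is a constructed stand-in for the dictionaries behind services such as hashkiller.co.uk.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    """Hex MD5 of a string: the primitive Digest Authentication is built on."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    nc="00000001", cnonce="0a4f113b", qop="auth") -> str:
    """Client side of RFC 2617 Digest with qop=auth:
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2).
    Only 'response' travels; the password itself stays on the client."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_ha1(username, realm, password) -> str:
    """What a Digest server stores instead of the password: HA1.
    HA1 is password-equivalent for this realm, so the stored table needs the
    same protection as plain text passwords would."""
    return md5_hex(f"{username}:{realm}:{password}")


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, qop, response) -> bool:
    """Server side: recompute from the stored HA1 and compare in constant time."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)


# Constructed word list: MD5 is unsalted and fast, so a table of common
# passwords maps a bare hash straight back to the word with one lookup.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
MD5_LOOKUP = {md5_hex(word): word for word in COMMON_PASSWORDS}


def reverse_md5(hex_digest: str):
    """Return the password behind a bare MD5 hash if it is in the table."""
    return MD5_LOOKUP.get(hex_digest.lower())


# The worked example from RFC 2617 section 3.5 (user Mufasa, password
# 'Circle Of Life'); the values are copied from that RFC.
RFC2617_EXAMPLE = dict(
    username="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
    method="GET", uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093")

if __name__ == "__main__":
    print("md5('password') =", md5_hex("password"))
    print("recovered:", reverse_md5(md5_hex("password")))
    print("Digest response:", digest_response(**RFC2617_EXAMPLE))
```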
HTTP(S) Forms Authentication

This method submits username and password to the server by power of POST. (Think of an envelope with a letter inside.) It does so in clear text, however it is most commonly used with HTTPS for added security. (Think of an envelope with a magic seal on top.) What is HTTPS? Hyper Text Transfer Protocol Secure. You know it's in use when you see this:

[Figure: browser address bar showing HTTPS in use]

Forms authentication is incredibly popular and is the most widely adopted variant of username and password authentication. POST as a method is more secure than GET: it will never pass data in the address bar, it will not be cached or remain in the browser history. Still, it can be read if intercepted unless used in conjunction with HTTPS. To illustrate the process, I will attempt to access MAG Online Library. POST to: https://www.magonlinelibrary.com/action/dologin

login: test
password: password
signin: Sign In

Username and Password do not match.

The result is an error message, as expected. Should my credentials have matched the records on the publisher's end, the code on the website would have changed to contain my username and password in the login form. This would then be used to redirect me to the post-login screen, print 'Hello, Test' and potentially load my personal profile for this website.

HTTPS forms authentication is a much better way to connect individual users to protected content than Basic or Digest Authentication. For one, the login form will look and behave as desired by the creator whilst the other two leave us stuck with a pop-up box and an ugly error 401 when things go south. Many publishers support forms authentication as an option for individual subscribers whilst institutional users are often encouraged to use federated access, covered later in this book.

KEY POINTS
POST http://www.example.com/auth.php: more secure than GET but data can be read if intercepted by a man in the middle attack
POST https://www.example.com/auth.php: most secure; credentials are encrypted and therefore useless if captured.
Cookies!

"By continuing to use this site you consent to the use of cookies on your device as described in our cookie policy unless you have disabled them. You can change your cookie settings at any time but parts of our site will not function correctly without them" (ft.com)

Also known as HTTP entity authentication, cookies are different from username and password driven recognition. Much like real cookies, digital ones also enhance the quality of life, or in particular, user experience on the web. As I'm sure you will agree, we would struggle to find a website that does not make use of cookies in this day and age. So, what is this cookie?

A cookie is a small piece of text that stores information about your interaction with a website. If you clicked on the cookie policy hyperlink displayed in the notification at the top of this page, you would have been taken to one of the nicest cookie policy explanation pages I've come across so far. Not all publishers go into the trouble of explaining themselves in such detail and therefore it is worth familiarising yourself with how cookies work. According to Wright, Freedman and Liu (2008) "in contradiction to the claim that no information is sent from your computer to anybody outside your system, the majority of cookies are interactive (that is, the information is not only written to them but also read from them by the web servers you connect to)."

Session cookies will 'go out of date' as soon as the browser is closed or the session time is up. This means that if my aunt Mary was shopping for groceries for her Sunday roast and had a cart full of goodies, one unfortunate click on the red X at the top of the browser would render her cart empty when she navigates back to the site. Such an event would likely cause her some grief and perhaps this is one of the reasons why session cookies are not overly popular amongst online retailers. What if the browser was set to purposely deny session cookies? My aunt Mary would not be able to add any potatoes to her cart at all! Websites do not have a memory of their own and so she would be treated as a new visitor every time she opened a different page.

Persistent cookies are either stored in "jars" on your browser or on your device, in the hard drive. Being plain strings of text they cannot do anything on their own but are detectable by websites and serve as reminders of the visitor's language preference, bookmarks or theme selection. On rare occasions cookies would store the user's credentials which could result in auto-login, although from a security perspective this is not something that should be endorsed.

KEY POINT
Cookies come in two flavours: persistent and session
More about cookies ...

When a cookie is initially set, several very important parameters are specified: cookie's name, expiry date, domain, session identifier and path.

NAME: Chocolate Chip Cookie
EXPIRY DATE: 03/2020
BRAND: Cookie Company
SESSION: first shopping today
PATH: 3rd aisle from the left

There are others, such as a secure parameter, but they aren't always used.

Let's take a look at how the cookie is set upon clicking 'Accept and Close' when visiting nature.com:

[Figure: nature.com cookie notice banner with 'More info' and 'Accept and Close']

POST
cookies: accepted
Set-Cookie: euCookieNotice=accepted; domain=www.nature.com; path=/; expires=Mon, 02 Jul 2018 16:31:07 -0000;

Looks technical? Here's what it all means.

euCookieNotice=accepted: acknowledges my acceptance of cookies
domain=www.nature.com; means the cookie will only be valid here. If nature.com had any sub-domains, such as 'xyz.nature.com', then a separate cookie would have to be set for those. How would we set a cookie to include all sub-domains? '.nature.com'
path=/; means the cookie will apply to all pages on this domain, not just this particular one
expires=Mon, 02 Jul 2018 16:31:07 -0000; sets the cookie's lifetime to a year

As you will have already noticed, there is no session identifier. This means the cookie we've just analysed is not a session one. To check, simply close the browser and re-open it again: did you see the cookie message appear at the top? Just for fun, I checked what else was set on my browser as soon as I got to the website. The list turned out to be quite extensive, containing both session and persistent cookies (yes, all of those folders, not just nature.com):

[Figure: browser cookie storage listing for the visit to nature.com]

KEY POINTS
Cookies can significantly enhance user experience and some use of them is essential. Presenting users with a message that signifies acceptance of all cookies on the site is required by law in many countries.
Clear your cache and cookies if bothered by unsolicited ads (or install an advert blocking extension).
Check the cookie policy if not presented with an informational message; it is good fun and good practice to know who is interested in your activity online.
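Added example, not from the book: reading a Set-Cookie header the way the browser does. It parses the nature.com header shown above, classifies the cookie as session or persistent, and answers the sub-domain question by applying the RFC 6265 domain matching rules to www.nature.com versus .nature.com. The two extra headers are constructed.

```python
from datetime import timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header: str, set_by_host: str) -> dict:
    """Split a Set-Cookie header into name, value and attributes.

    Attribute names are lower-cased; flags without a value (Secure, HttpOnly)
    are stored as True. set_by_host is the host that sent the header, which
    decides the scope when no Domain attribute is present."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    expires = None
    if isinstance(attrs.get("expires"), str):
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # a '-0000' zone comes back naive; it means UTC
            expires = expires.replace(tzinfo=timezone.utc)
    return {"name": name.strip(), "value": value.strip(), "attributes": attrs,
            "expires": expires, "set_by_host": set_by_host.lower()}


def classify(cookie: dict) -> str:
    """'persistent' if the cookie carries a lifetime, otherwise 'session'."""
    attrs = cookie["attributes"]
    return "persistent" if "expires" in attrs or "max-age" in attrs else "session"


def cookie_applies_to(cookie: dict, request_host: str, request_path: str = "/") -> bool:
    """Would the browser send this cookie to request_host/request_path?

    RFC 6265 rules: with no Domain attribute the cookie is host-only; with
    Domain=www.nature.com it covers that host and hosts below it; with
    Domain=.nature.com (leading dot ignored) it covers nature.com and every
    sub-domain."""
    host = request_host.lower()
    domain = cookie["attributes"].get("domain")
    if not isinstance(domain, str):
        host_ok = host == cookie["set_by_host"]
    else:
        domain = domain.lstrip(".").lower()
        host_ok = host == domain or host.endswith("." + domain)
    path = cookie["attributes"].get("path")
    if not isinstance(path, str) or not path.startswith("/"):
        path = "/"
    path_ok = request_path == path or request_path.startswith(path.rstrip("/") + "/")
    return host_ok and path_ok


# The header shown on this page, plus two constructed ones for comparison.
NATURE_HEADER = ("euCookieNotice=accepted; domain=www.nature.com; path=/; "
                 "expires=Mon, 02 Jul 2018 16:31:07 -0000;")
SITE_WIDE_HEADER = "prefs=lang-en; domain=.nature.com; path=/; Max-Age=31536000"
SESSION_HEADER = "JSESSIONID=c0nstructed; path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for header in (NATURE_HEADER, SITE_WIDE_HEADER, SESSION_HEADER):
        cookie = parse_set_cookie(header, "www.nature.com")
        print(cookie["name"], classify(cookie), cookie["expires"],
              "sent to xyz.nature.com:", cookie_applies_to(cookie, "xyz.nature.com"))
```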
King and bishop: certificates

I am yet to see an online content publisher who would insist on this form of authentication. It is useful to know nevertheless as you may be using certificates to access Office 365, protect the connection to your work network over the VPN or even just log in to the portal where all of your digital resources are listed. Certificate authentication can replace user credentials or be used in conjunction with them for increased security. Winnard et al. (2016) defined the concept in the following way: "one party uses a certificate to identify itself, the other party must validate it. This process is referred to as a handshake."

At the risk of sounding medieval when explaining modern technology, I will compare a digital certificate to an official seal, confirming to the King the letter is from the bishop. The bishop will have used his ring to stamp it, then ordered his trusted messenger to deliver the letter to the King. This letter is of high importance and the King needs to be certain that the seal is not forged. What if someone has stolen the bishop's ring and went on stamping about? He refers the matter to the archbishop (Certificate Authority), a highly respected and trusted individual who is in charge of and regularly keeps in touch with all the bishops. The archbishop inspects the seal and confirms its validity. He also informs the King the sender is alive and well, as he has only recently attended a dinner party with him.

The King is now sufficiently assured of the authenticity of this letter and proceeds to read it.

Suppose the bishop has been demoted: he would then be added to the revocation list and the archbishop would advise the King not to trust any correspondence sealed with the demoted bishop's stamp. The same would apply if the bishop's reign in the region has come to an end (this would unfortunately mean the bishop has passed away): the archbishop would notify the King the official seal has expired and should not be trusted.

When you are a King, here is how your browser would declare it:

[Figure: browser warning "There is a problem with this website's security certificate. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server", with the options "Click here to close this webpage" and "Continue to this website (not recommended)"]
Key concepts

HTTP: Facilitates data exchange on the WWW. Uses GET to fetch information and POST to send it.

BASIC AUTHENTICATION: Passes user credentials in the URL in plain or base64 encoded text.

DIGEST AUTHENTICATION: Passes MD5 hashed user credentials in the URL.

FORMS AUTHENTICATION: Submits user credentials directly into the code.

COOKIES: Used to enhance user experience; can be persistent or session.

CERTIFICATES: Help confirm authenticity and trustworthiness of digital entities.
IP address recognition

IP address recognition, often referred to as a "traditional authentication method", is very old. It pre-dates the HTTP Basic Authentication discussed earlier on and goes as far back as the 1970s, the time before the World Wide Web as we know it. Why did I call it recognition, not authentication? Because the elements required to identify an individual are missing. It deals with authorisation only and works by checking whether the traffic is coming from a known location. For example: Ray wants to access the International Journal of Metrology and Quality Engineering. His institution subscribes to it and Ray is accessing from an on-campus computer. Upon detecting a new connection, metrology-journal.org checks Ray's IP address against the list of authorised IP addresses and grants access to the content.

IP recognition is without a doubt the most widely used method for institutional logins in the online publishing industry. This is a very convenient option that requires minimal effort to set up: a simple network firewall can do the job. Here is another common scenario: a university is purchasing a subscription to an online resource, such as Annals of Internal Medicine. The range of the university's IP addresses is specified on the order form, the publisher adds them into the entitlements system (or a firewall access list) and job done!

The traffic for each incoming IP is likely to be monitored for security reasons and to measure usage, which may influence the cost when it comes to renewal. The setup itself though is exceptionally straightforward. But how do we use the same method to enable access for users off-site?

The reigning king of IP-based remote access technologies is a proxy server. Let's use a medical student, Helen, to illustrate how this works.

The deadline is fast approaching and Helen needs to access annals.org from home to complete her assignment. She logs into the library portal where links to various online resources are listed and clicks on the 'Annals of Internal Medicine' link, which is configured to route the request via her university's proxy server. The proxy changes Helen's IP address into one that has been pre-agreed to represent this institution and the publisher authorises access based on the proxy IP instead of Helen's real one.

[Figure: Helen's request routed from the library portal links through the university proxy to the publisher]
Remote access: local builds v cloud based

Some organisations like to keep it all in-house, in particular those benefiting from a large IT team or those that do not believe in cloud technologies. A proxy server is either installed as a stand-alone entity on the local network or may come as an add-on feature of another IAM technology, such as OpenAthens LA. In such a setup, the organisation takes full responsibility for the maintenance of its own proxy server: patching, upgrades, resilient architecture, everything. When strict security policies must be adhered to but the institution still wishes to utilise IP recognition for remote access, this is often a good choice. Some providers charge per traffic volume or limit the number of concurrent sessions. In response to that, some IT teams feel that having a proxy server on-site helps them maintain a better grip on usage management. EZProxy is an example of a proxy well-known to academic libraries. It offers two options: a locally installed EZProxy server or an Online Computer Library Center (OCLC) hosted service. Whilst ideas to create an open source alternative are surfacing due to the observed continuous rise in prices for this service (Sabol, 2016), the only real alternatives today are a Web Access Management (WAM) proxy or OpenAthens, where a managed proxy service is part of the package.

Hosted proxy services take a lot of stress away as the provider takes care of all the upgrades and maintenance and guarantees a high uptime of the service. As with everything, migration from a local installation to a hosted service requires careful planning. Lynne Edgar from Texas Tech University (TTU) Libraries (2015) has shared the experience of migration in the Journal of Electronic Resources Librarianship, making the following recommendation: "I suggest other libraries thoroughly understand their authentication process <...> when implementing a hosted service. <...> Be sure to ascertain the process used to access resources via mobile devices when moving to hosted EZProxy. Ensure tablets and phones will be able to access all of your electronic resources formats whether users are on or off campus".

Her recommendation to thoroughly understand the local authentication process is sound and applicable whichever IAM solution you may be considering. If you know what systems are in place and what your user journey looks like, a good support team should be able to assist you with the rest. In TTU Libraries' case, the process of migration unintentionally stretched out to seven months and there was a loss of service to external patrons along the way.

KEY POINTS
A locally hosted proxy server will have to be looked after. Organisations that have implemented this solution commonly have a dedicated member of staff who continuously updates proxy configurations.
A proxy in the cloud takes a lot of work off your hands and is much more convenient than a locally hosted one. Understanding your institution's security policies as well as the existing user journey will help reduce disruptions during the implementation.
"On average, 58% of the IP ranges held by publishers to authenticate libraries who license their content are inaccurate"

PUBLISHER SOLUTIONS INTERNATIONAL, 2017
As conv e nient as itmay be, IP recognition has it's Haws. Many In addition to being susceptibleto man-in-the-middle attacks,access by
...publishers code their websites in such a manner as to aid the researchers in their efforts. This aid would often take the form of personalisation features, such as the ability to save useful articles or advanced search queries, compile a list of references, share material with fellow researchers and so on. All of this convenience is unattainable when the IP address is used for authorisation. Why? Because the IP address does not uniquely identify a user, unless the user has a static address configured on the device and that device is utilised exclusively by that one user, which is a somewhat unlikely scenario. In fact, it is common practice to only use one or two IP addresses to identify the whole site! The most a digital content provider can achieve is match the incoming IP address to the list of subscribers and make a remark of this somewhere on the website, such as "This resource is provided to you courtesy of Helen's University".

Something to consider: networking teams rarely discuss their work with the library (nor would librarians find it interesting). So whenever the institution's external IP address changes, the library would be informed of the new one and the old one would be left to function for a while to avoid any disruptions. How often do we bother to contact all the publishers to remove the old IP address? My experience shows this is not a common practice, as many subscribers get misrecognised every other day and contact our service desk for help.

IP recognition has been discovered to suffer from general abuse by subscribers. Publisher Solutions International Ltd (2017) have recently carried out an extensive research and data cleanup exercise where they have come across numerous instances of misuse and license abuse. This led to the opening of theipregistry.org - a growing repository of approximately 1.5 billion validated IP addresses from over 60,000 organisations worldwide. These addresses are added and updated by subscribing institutions themselves; however, the benefit is that they only have to do this once. Participating publishers are keeping an eye on this list and, upon detecting changes on their subscribers' records, update their access management systems automatically. The site has just gone live but has already been enthusiastically greeted by large publishers such as Wiley and Cambridge University Press as well as librarians, in the hope they will be able to cut down on the manual effort required to update every provider every time one of their on-site or proxy IP addresses changes.

KEY POINT
IP recognition is easy to implement and is sometimes perceived as the key element to guarantee anonymity. It is also a trade-off between convenience for the library and convenience for the end user.

Key concepts

IP RECOGNITION: Authorisation based on the incoming IP address.

PROXY: Aids remote access by presenting a pre-configured IP address to the provider instead of the real one.

REMOTE ACCESS: Access from outside of your institution.

THEIPREGISTRY.ORG: A site where institutions register their IP addresses used for on-site IP recognition.

MAN-IN-THE-MIDDLE ATTACK: Eavesdropping. Interception of communication between two systems.
"While it may seem like no one is paying attention, internet users are starting to realize their data has value. And it's a value that deserves better than a password."
JOHN FONTANA, 2017
Security Assertion Markup Language - SAML (sam-el) is a well-established and mature open standard, designed for the best possible user experience with the added benefit of maximum security. Praised by information security professionals, it passes selective information about an individual without ever giving out the user's credentials! Better yet, one of the main purposes of this protocol is to aid Single Sign On, which takes care of the headache associated with maintaining passwords. Sounds magical? Let's have a look at how it works.

An engineering student Ed wants to watch a video on the IET.tv website. To gain access, he needs to log in via his institution or register as an individual subscriber and pay the fee. Ed selects the 'Federation Login' option, selects to log in via UK Federation and picks his institution from the list. IET then forwards him to his university's login page so he may authenticate himself. The username and password are accepted and the university replies directly to the publisher with the requested information about this student, confirming he belongs to the institution and is entitled to access this resource. The publisher checks the response contains what they need to make an authorisation decision and, if everything matches up, Ed is granted access to the video of his interest. Happy days!

Consider the following picture illustrating a similar scenario:

[Figure: Rob, the Hospital and ScienceDirect]
1. I want to read this article about stem cells. I'm from the Hospital.
2. Hospital, do you know this guy?
3. Hi there, do you work for us?
4. I do, here's my ID.
5. Ah yeah, that's Rob. He works for us.
6. Hi Rob, nice to meet you! Please proceed to read the article.

Although implementation of SAML requires a little more effort on the publisher's end than HTTP Basic Authentication or IP recognition, it does pay for itself and is therefore becoming increasingly popular, especially where digital content is of high value. Giant publishing houses such as McGraw-Hill, Oxford University Press and Elsevier were among the first to adopt SAML authentication for institutional subscribers.

KEY POINT
SAML authentication does not expose users' credentials, validating access based on the selective information passed in the background instead.
The decision to trust someone is often made based on what you know about that person. Trust is the key principle of SAML and, like in real life, identity plays a major part. Similar to a country issuing passports to its citizens, you - as an institution - are providing virtual identities to your users. Depending on your security and data protection policies, you will be collecting certain information about them, such as name and surname, email address, position, maybe even home address, telephone number, date of birth and the shoe size! This helps create an accurate user profile, stamp it with a unique username and assign appropriate permissions and privileges for each individual. In the world of SAML, your country is called an IdP - Identity Provider. This is very important! The identity provider is you.

Now that you have a country to rule, you need a country code. Whilst you would expect one to three digits in a normal world, Identity Providers are defined by a unique string of characters that often looks like a web address but isn't (just to confuse you). It's called an entityID. For example: "https://ip.adamscollege.edu/entity" might identify Adams College. An important thing to remember is that it doesn't do anything - if you clicked on it, it wouldn't take you anywhere. So why the weird notation? Well... for one, 'sfghhjkd1334' is not as easy on the eye, although it could serve the purpose just fine.

EntityID is quite an important element - much like a country code, it can make or break the connection. As such, I often get asked "what happens to the entityID upon switching from one software to another?" The answer is: nothing needs to happen unless you choose so. You may decide to keep it exactly the same and users will not know the difference, or change it to match the new software. Changing the entityID will require appropriate notifications sent to your users as well as online content providers.

Ok, last bit. Your population has grown and you now have more than one city. If you are Spain, how do we help route a call to Madrid and not Zaragoza? We use a city code, or scope: "madrid.es". Here's how this would look in a SAML call directory:

EntityID: https://idp.espana.es/metadata
Scope: madrid.es, zaragoza.es, barcelona.es, valencia.es, seville.es, palma.es

And if you happen to be Monaco?

EntityID: https://idp.monaco.mc/metadata
Scope: monaco.mc

KEY POINTS
Identity Provider or IdP creates virtual identities for users. Institutions use various software products for this task: Shibboleth, OpenAthens, ADFS, etc.
EntityID uniquely identifies each Identity Provider.
Scope is the 'perimeter' of where the user is coming from. For example: "maincampus.university.com", "overseas.university.com".
Service Providers are the other half of the SAML equation. Most commonly you will know them as digital content publishers (IEEE, MAG Online Library, ScienceDirect), but a service provider can be anyone enabling their login with this protocol. Blackboard, Moodle, Canvas, EBSCO Discovery, Alma, Office 365, Lynda.com and Google all support SAML for Single Sign On and authentication purposes.

How do publishers recognise their subscribers? They do this by analysing an attributes statement sent to them by the Identity Provider. This statement, called a SAML assertion, contains information about the institution and an individual user, based on what you have decided to release. Consider the following scenario: Anna is a physicist from the USA who will be spending a few weeks in Switzerland, collaborating with CERN scientists. In addition to an invitation letter, she must produce evidence of her identity and education to obtain her temporary researcher's pass. When accessing online resources, authorisation decisions are made in a similar manner: the publisher matches your attributes statement to a certain checklist and, if the conditions are met, access will be granted. If not - denied.

The below is an excerpt from one such attributes statement:

    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>member@ps.openathens.net</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>kristina.botyriute@eduserv.org.uk</saml:AttributeValue>
    </saml:Attribute>

This is XML so it doesn't look pretty, but I bet you can still make out my work email address and the member value for scope "ps.openathens.net".

As digital privacy is one of the major concerns today, your IdP software should allow you to fine-tune any user-related attributes you wish to release or withhold. Such fine-tuning can help achieve the magic combination of security, anonymity and personalisation all at the same time.

Great! We now know about IdP, SP, entityID, scope and attributes - just understanding this terminology can help you look good in a technical conversation. The key to it all, however, the glue that makes it all work, is the metadata. Metadata is information about information. Or data about data. Not just any data though - descriptive data. Any SAML participant has a metadata file that contains their entityID, scope, attributes, login endpoints and other relevant things. As mentioned before, the key concept of SAML is mutual trust and it can be established by exchanging the metadata.

KEY POINTS
Service Provider means anyone that relies on the SAML attributes statement to make authorisation decisions.
Metadata is a descriptive file defining each SAML participant and providing the necessary information to establish mutual trust.
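The publisher's checklist described above, using the entityID and scope pairs from the Spain and Monaco illustration, as an added example that is not from the book: a small Service Provider check in Python that parses an attribute statement like the excerpt and also verifies the asserted scope against the scopes registered for that IdP in the metadata, since without that check any IdP could assert users from another institution. The attribute names are the standard eduPersonScopedAffiliation and mail OIDs; the sample assertion, the metadata table and the subscriber list are constructed, and a real SP would validate the assertion's signature, audience and timestamps before reaching this step.

```python
"""Added example (not from the book): SP-side checklist for a SAML attribute
statement, including the scope-versus-metadata check."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard attribute names (eduPerson and LDAP schema OIDs).
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"

# Constructed stand-in for the federation metadata aggregate: entityID -> scopes.
METADATA = {
    "https://idp.espana.es/metadata": {"madrid.es", "zaragoza.es", "barcelona.es"},
    "https://idp.monaco.mc/metadata": {"monaco.mc"},
}

# Constructed sample assertion (unsigned; see the lead-in).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.espana.es/metadata</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>member@madrid.es</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>ana.perez@madrid.es</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml):
    """Return (issuer entityID, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return issuer, attrs


def authorise(assertion_xml, subscribed_entity_ids, required_affiliations=("member",)):
    """Apply a publisher-style checklist and return (decision, reason).

    1. The asserting IdP must be a subscriber we know about.
    2. A scoped affiliation must have been released.
    3. Its scope must be one the IdP is registered for in metadata.
    4. The affiliation must be one the subscription entitles.
    """
    issuer, attrs = parse_attributes(assertion_xml)
    if issuer not in subscribed_entity_ids:
        return False, "no subscription for " + str(issuer)
    allowed_scopes = METADATA.get(issuer, set())
    values = attrs.get(SCOPED_AFFILIATION, [])
    if not values:
        return False, "scoped affiliation not released"
    for value in values:
        affiliation, _, scope = value.partition("@")
        if scope not in allowed_scopes:
            return False, "scope " + scope + " not registered for " + issuer
        if affiliation in required_affiliations:
            return True, "ok: " + affiliation + " of " + scope
    return False, "affiliation not entitled"


if __name__ == "__main__":
    print(authorise(SAMPLE_ASSERTION, {"https://idp.espana.es/metadata"}))
```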
A federation is a collective of IdPs and SPs that have agreed to trust each other. Remember the metadata from the previous page? One of the rules that define trust and interaction in the federation is an aggregation of information about all parties into a large XML file. This is where Identity Providers and Service Providers would enlist their metadata files to make the secure communication easier. I have come to think of it as a private scientists' party, as most federations were established to unite educational bodies of each country. Each has its own rules of acceptance: to join The UK Access Management Federation for Education and Research, the IdP organisation must be an educational or research body based in the United Kingdom. InCommon accepts members from US higher education, research organisations, or sponsored partners of higher education members. Most federations have geographical restrictions, with OpenAthens currently being the only global federation that is not limited to academic institutions (but we could see that change). At the time of writing there are 51 live federations known to REFEDS - the Research and Education Federations group, with a further 16 in a pilot stage.

Federations vary in size and affordability. For example, membership in the UK Federation is free, whilst AAF - Australian Access Federation charges a $8436 joining fee plus $8581 per annum (Aaf.edu.au, 2017). The Finnish Haka federation comprises 50 members, whilst InCommon in the USA boasts a growing community of 944 participants (Incommon.org, 2017). Due to geographical restrictions, however, you may not have much choice unless you live in Texas, USA. Texas has three federations of its own and is eligible to join InCommon as well as the OpenAthens federation. So why would you want to join a federation? Why not just go ahead and create a bunch of one-to-one connections?

First, this would be too cumbersome for everyone involved. It is much easier for a service provider to retrieve records from a big file on the web (or a local copy of this file - even faster!) than to create an in-house records system to store each organisation's metadata. Furthermore, such a system would have to be continuously updated in case the Identity Provider changes something - a login point, for example. For you as an institution, the benefits include having all the information about your providers in one place and security assurances. You can expect a certain standard of service throughout the federation and, depending on the IdP software in use, completely eliminate the need to involve your technical staff when enabling access to online resources.

KEY POINT
Joining a federation can dramatically reduce the effort required to connect users to your digital subscriptions.
[Figure: REFEDS federations map, showing production federations and pilots (REFEDS, 2017)]
Key concepts

SAML: Security Assertion Markup Language. An open standard designed to aid secure Single Sign On.

IDENTITY PROVIDER (IDP): Creates and manages virtual identities.

SERVICE PROVIDER (SP): Makes authorisation decisions based on the SAML attributes statement received from the IdP.

ENTITYID: Uniquely identifies SAML participants: SPs and IdPs.

SCOPE: Specifies which part of the Identity Provider's system the user is coming from.

FEDERATION: A collective of IdPs and SPs that trust each other.

METADATA: Descriptive data defining every SAML participant.

ATTRIBUTES STATEMENT: Selective information about the user that the IdP releases to the SP.
Open Authorisation (OAuth) is SAML's little sister. Its latest version - OAuth 2.0 - was released in May 2010 and is yet to fulfil its potential, though it is fast gaining popularity among mobile application developers. An important observation to make - as the name suggests, OAuth deals with authorisation, not authentication, as it is designed to help one application access another application's data.

You may be familiar with this:

[Figure: Scopus to ORCID. You will receive this message asking for your authorisation to allow Scopus to access your ORCID record. Click on 'Authorize'.]

You may have also seen similar prompts when downloading applications from Google Play or Apple's App Store. As part of the authorisation framework, the application will ask for your permission to access your data from another application. This would sometimes only happen once and other times you would be prompted more frequently. After clicking 'Authorize' or 'Allow', the app that popped the question will send an authorisation code to the app that requested access. In our example it will be ORCID granting access to your data to Scopus. The authorisation code can be compared to a bank cheque - on its own it's a worthless piece of paper, but when you take it to the bank you may exchange it for real money. Some cheques are valid for a month, three or six months, but an authorisation code's lifetime is normally minutes and seconds. So the receiver must go and cash it in quickly to obtain the access token (money) in return. This access token will allow it to go to the shop - ORCID - and access information about the user for a certain period of time - i.e. shop until the money runs out! Sometimes money runs out really quickly, but some apps are more generous than others and write big cheques. Facebook, for instance, will allow apps to access your data for 60 days.

The process is simple, so not surprisingly the protocol was well-received and quickly adopted. It was soon noticed, however, that OAuth 2.0 was being misused for authentication, which it was never designed to perform. A range of security issues were discovered, most of which are now well documented and available on the World Wide Web. The famous "Signing into One Billion Mobile App Accounts Effortlessly with OAuth 2.0" by Yang, Lau and Liu (2017) is an astonishing example of our inclination to trust technology and perhaps a nudge to nurture our inquisitive nature a little bit more.
In 2014, a self-proclaimed "league of backstabbing competitors" (Leszcz, 2017) developed OpenID Connect, also known as OIDC - a protocol that adds an authentication layer on top of OAuth 2.0, making it more secure as well as facilitating a superior user experience. The protocol was first adopted by its creators: Google, Microsoft and Ping Identity, then by other technology giants such as Amazon, IBM, ForgeRock and PayPal. Big names sound encouraging, but what does it actually do and why would you want to know about it?

Remember the access token - real money - that Scopus used to access your data from ORCID? In a scenario where only OAuth 2.0 is used, Scopus has no way of knowing whether you are still logged into ORCID, so it can keep on shopping until the money runs out (the access token expires). When OpenID Connect is at play, however, Scopus would receive an ID token together with the access token. In other words, a photocopy of your passport in addition to money. In addition to useful personal information such as name and surname, which will help the app provide a better service, the photocopy will contain a time stamp allowing its validity to expire, as well as proof that you are definitely logged in. ID tokens can be signed, encrypted and otherwise secured to a high standard, which is another great feature of OpenID Connect.

Although current library technologies are in no imminent danger of being taken over by OpenID Connect implementations, it is rapidly gaining an audience and, if all goes well, it might just replace SAML in a decade or so. You may already be using applications that promote this authentication method, for example, to access MyDay by Collabco, Moodle, Office 365 or Open edX. There is also another reason why I want you to know about OIDC. When choosing between two VLE systems or two student platforms, or even between several access options when subscribing to an online resource, the one that supports OpenID Connect should win against the one that only does OAuth, OAuth 1.0 or OAuth 2.0. Even if it's just from a security perspective; even if just for you.

KEY POINTS
OAuth 2.0 deals with authorisation only; OpenID Connect adds an identity layer to it, making secure authentication possible.
Think "app to app" communication rather than "app to user" or "user to provider". Implementation of this authentication method will normally require some development effort.
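The cheque-and-money exchange described above, and the ID token that OpenID Connect adds to it, as an added example that is not from the book: a miniature authorisation server in Python that issues a single-use, short-lived code when the user clicks 'Allow', cashes it for an access token, and attaches an HS256-signed ID token that the receiving app verifies for signature, issuer, audience and expiry. The application names, lifetimes and shared key are constructed; a real provider would normally sign ID tokens with an asymmetric key rather than a shared secret.

```python
"""Added example (not from the book): OAuth 2.0 code-for-token exchange plus
an OpenID Connect style ID token, with the client-side checks."""
import base64
import hashlib
import hmac
import json
import secrets
import time

CODE_LIFETIME = 60        # seconds: "minutes and seconds", as the chapter says
ACCESS_LIFETIME = 3600    # seconds: here the "money" runs out after an hour
ISSUER = "https://orcid.example/"      # constructed; plays the ORCID role
CLIENT_ID = "scopus-app"               # constructed; plays the Scopus role
KEY = b"constructed-shared-secret"     # constructed HS256 key known to both sides


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorisationServer:
    """Issues a code when the user clicks 'Allow' and cashes it for tokens."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self._codes = {}        # code -> (client_id, user, expiry)

    def user_clicked_allow(self, client_id, user):
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, user, self.now() + CODE_LIFETIME)
        return code

    def exchange_code(self, code, client_id):
        """Return (access_token, id_token); raise on a bad, reused or expired code."""
        entry = self._codes.pop(code, None)   # pop: a cheque can be cashed only once
        if entry is None:
            raise PermissionError("unknown or already used code")
        owner, user, expiry = entry
        if owner != client_id:
            raise PermissionError("code was issued to a different client")
        if self.now() > expiry:
            raise PermissionError("code expired")
        access_token = secrets.token_urlsafe(24)   # opaque bearer token (the money)
        now = int(self.now())
        claims = {"iss": ISSUER, "sub": user, "aud": client_id,
                  "iat": now, "exp": now + ACCESS_LIFETIME}
        return access_token, self._sign(claims)

    def _sign(self, claims):
        """JWS compact serialisation with HS256: header.payload.signature."""
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = b64url(json.dumps(claims).encode())
        sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{b64url(sig)}"


def verify_id_token(token, now=time.time):
    """Receiving app's checks: signature, issuer, audience and expiry."""
    header, body, sig = token.split(".")
    expected = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims["iss"] != ISSUER or claims["aud"] != CLIENT_ID:
        raise ValueError("token not meant for this client")
    if now() >= claims["exp"]:
        raise ValueError("ID token expired")
    return claims


if __name__ == "__main__":
    server = AuthorisationServer()
    code = server.user_clicked_allow(CLIENT_ID, "0000-0001-2345-6789")  # constructed
    access, id_token = server.exchange_code(code, CLIENT_ID)
    print("logged-in user:", verify_id_token(id_token)["sub"])
```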
Key concepts

OPEN AUTHORISATION: App-to-app authorisation protocol.

AUTHORISATION CODE: Time-sensitive token, generated when the user clicks 'Allow' upon request.

ACCESS TOKEN: Obtained in exchange for the authorisation code. Grants access to your data.

OPENID CONNECT: Identity layer on top of the OAuth 2.0 authorisation protocol.

ID TOKEN: OpenID Connect element that enables authentication and substantially increases access security.
60 second diagnostics

[Flowchart: from START, click the link and follow the yes/no questions to one of the outcomes below. The decision questions did not survive extraction; the outcomes are:]

Authentication error. Check the user account is valid and has correct permissions.

System error. Contact the vendor of the system if external (e.g. OpenAthens, Ping, Onelogin) and your IT team if internal (e.g. ADFS, Shibboleth).

IP authentication not configured. Contact the publisher.

The link is incorrect or out-of-date. Amend the link or contact the owner of the site.

Check your subscription. Contact the publisher.
Resource access issues can sometimes be caused by an incomplete setup. If you have used the "60 second diagnostics" flowchart and ended up on the "Contact the publisher" suggestion, this is probably why. Let's have a look at what providers need from you to successfully enable access for your organisation.

Access by... username and password.

Avoid if possible. Nothing is required from you to set this up: the publisher will provide you credentials that you will be asked to share within your institution, and users will take it from there.

Access via... IP recognition.

Send the publisher the range of your external on-site IP addresses. If you are using a proxy to facilitate remote access, add your proxy IP as well, advising that this is a proxy IP (they will see much more traffic from this address and may decide to block it if not notified otherwise). When providing on-site IP addresses, make sure they do not start with 10.*, 172.16.* to 172.31.* or 192.168.*, as these addresses are private, meant for internal use only. Your networking team will have set up a translation protocol that turns these internal addresses into one or more external IPs, which is what the publisher will be interested in.

Access via... SAML authentication.

If your institution belongs to a SAML federation, providers will probably only require your entityID and scope to enable access. Very few would ask for particular attributes - such as an email address or a specific string of characters - to be passed to them as part of the attributes statement. One thing to bear in mind though (this comes up very often): publishers will often refer to federated access as "Shibboleth". Shibboleth is popular open source software used to aid SAML authentication which many digital content providers are familiar with. It was so popular in the early days of SAML that the name became synonymous with it and, funnily enough, some would never have heard of the protocol but would recognise the sound of Shibboleth. Don't let this confuse you - whoever supports Shibboleth will be capable of setting up SAML authentication for you.

If you are looking to make a one-to-one SAML connection to an application such as Moodle or Blackboard, instructions will usually be provided. If in doubt, the principle is the same as with federated access - metadata exchange. You will need to provide your metadata file to the requesting party and obtain theirs, then add theirs to your system and they will add yours. Job done!
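The address check this section asks for, together with the matching step described under IP recognition earlier in the chapter, as an added example that is not from the book: a Python script that rejects the private ranges named above before a list goes to a publisher, and a publisher-side lookup that maps an incoming address to an institution and flags a proxy address, which is all IP recognition can establish about who is connecting. The institution name, ranges and proxy address are constructed.

```python
"""Added example (not from the book): validating an IP list for a publisher and
the publisher-side match that IP recognition amounts to."""
import ipaddress

# The private ranges the chapter names; a publisher never sees these as a source.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_ranges(ranges):
    """Split a candidate list into (usable networks, [(entry, reason)] rejected)."""
    usable, rejected = [], []
    for text in ranges:
        try:
            net = ipaddress.ip_network(text.strip(), strict=False)
        except ValueError:
            rejected.append((text, "not a valid address or range"))
            continue
        if any(net.overlaps(p) for p in PRIVATE_RANGES if p.version == net.version):
            rejected.append((text, "private range, meant for internal use only"))
        elif net.is_loopback or net.is_multicast or net.is_link_local:
            rejected.append((text, "not a routable address"))
        else:
            usable.append(net)
    return usable, rejected


class IpRecogniser:
    """Publisher side of IP recognition: an incoming address is matched to a
    subscriber record. The answer is an institution, never an individual user."""

    def __init__(self):
        self._records = []          # (network, institution, is_proxy)

    def register(self, institution, ranges, proxy=None):
        usable, rejected = check_ranges(ranges)
        if rejected:
            raise ValueError("refusing list with unusable entries: %r" % rejected)
        for net in usable:
            self._records.append((net, institution, False))
        if proxy is not None:
            # One address carrying every remote user's traffic: recorded as a
            # proxy so the higher volume from it is expected rather than blocked.
            self._records.append((ipaddress.ip_network(proxy), institution, True))

    def lookup(self, ip):
        """Return (institution, is_proxy) for a matching address, or None."""
        addr = ipaddress.ip_address(ip)
        for net, institution, is_proxy in self._records:
            if addr.version == net.version and addr in net:
                return institution, is_proxy
        return None


if __name__ == "__main__":
    # Constructed list, as a networking team might hand it over.
    candidate = ["203.0.113.0/24", "10.5.0.0/16", "192.168.1.10",
                 "172.20.0.0/16", "172.32.0.0/16", "not-an-ip"]
    usable, rejected = check_ranges(candidate)
    print("send to publisher:", [str(n) for n in usable])
    for entry, reason in rejected:
        print("drop %-16s %s" % (entry, reason))
```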
Access disrupted, phone ringing off the hook while the service desk people on the other end (publisher, software vendor, IT team) are taking their time? Very stressful, very frustrating, and it's not your fault! Having had the privilege of being in the role of the outraged customer representing institutional interests, as well as a support analyst for such outraged customers, I have observed a few things that help speed up the resolution time - every time.

1. Try to identify the root cause of the issue if at all possible. Use the flowchart from "60 second diagnostics" to get an idea of what may have gone wrong. This step will either save you a lot of time or at the very least reduce the likelihood of hearing it's someone else's problem.

2. Pick up the phone. Really. This is an obvious one, but you would be surprised how rarely people do it! If you are looking for quick results, opt for a call rather than email. I will agree with you if you have just thought to yourself that it is impossible to find online publishers' help desk numbers. Online forms and email addresses that send automatic "we will get back to you within the next 24 hours to 5 working days" replies make their life easier, help manage the workload and so on. However, if your institution has got an audit in the next few hours, or access to the resource you have based your presentation on is not working... I call it mission critical. Can't find the number for the help desk? Call their sales team or, if you have one, your sales representative. I guarantee they will pass you through to the technical team or get them to call you back. (Sound distressed!)

3. Email screenshots and steps to reproduce the issue. This is just as essential as getting the help desk's attention in the first place. Unless you are affected by a service-wide issue or it's a well-known bug, the technical team will not know precisely what is wrong. One thing I have learnt is that there are a million ways to get to the same error message. Tell them exactly what you clicked on, where it took you, and attach the screenshot of the error message that followed. If at all possible, provide test credentials.

4. Confirm the person dealing with your issue. A name and the help desk's number is a great start - sometimes just knowing your special helper's name inspires greater responsibility. If all else fails, you can at least encourage accountability. On the other end of the scale are super-helpful workers who will not hesitate to provide you with their personal work email address or direct dial. This is amazing when dealing with an ongoing emergency; however, if you want this special attention when the next disaster strikes, better not put the poor guy on speed dial for not-so-urgent issues.
You've made it!

The world of identity and access management is vast and growing fast, but so little of it affects how we access online resources today. I am excited to see new technologies seep into the library and enrich the way people experience knowledge. With promising projects well under way we may finally be able to combine security with usability. Librarians are getting very savvy working with all the different, sometimes even incompatible, systems they are presented with. I hope this won't be necessary for long.

Lastly, I hope this short read will have made your access management less of a maze and more a walk in the park. I sincerely thank you for your time.

Yours truly,

Kristina
Bibliography
Aaf.edu.au. (2017). Australian Access Federation. [online] Available at: https://aaf.edu.au/price [Accessed 10 Jul. 2017].

Edgar, L. (2015). EZproxy: Migrating From a Local Server to a Hosted Environment. Journal of Electronic Resources Librarianship, 27(3), pp.194-199.

Fontana, J. (2017). Hacks battered IT optimism in 2016; can 2017 enrich defenses | ZDNet. [online] ZDNet. Available at: http://www.zdnet.com/article/hacks-battered-it-optimism-in-2016-can-2017-enrich-defenses [Accessed 9 Jul. 2017].

Ft.com. (2017). Financial Times. [online] Available at: https://ft.com [Accessed 9 Jul. 2017].

Gartner IT Glossary. (2017). Identity Management - Access Management - Gartner Research. [online] Available at: https://research.gartner.com/definition-whatis-identity-access-management [Accessed 11 Jul. 2017].

Incommon.org. (2017). InCommon Participants. [online] Available at: https://www.incommon.org/participants [Accessed 10 Jul. 2017].

Leach, P., Franks, J., Luotonen, A., Hallam-Baker, P., Lawrence, S., Hostetler, J. and Stewart, L. (2017). RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication. [online] Tools.ietf.org. Available at: https://tools.ietf.org/html/rfc2617 [Accessed 11 Jul. 2017].

Leszcz, M. (2017). The Foundation of Internet Identity | OpenID. [online] Openid.net. Available at: http://openid.net/2016/09/27/the-foundation-of-internet-identity [Accessed 11 Jul. 2017].

Publisher Solutions International (2017). The IP Registry - The Global IP Address Database. [online] Theipregistry.org. Available at: http://theipregistry.org [Accessed 11 Jul. 2017].

REFEDS (2017). Federations Map. [image] Available at: https://refeds.org/federations/federations-map [Accessed 11 Jul. 2017].

Winnard, K., Bussche, M., Choi, W. and Rossi, D. (2016). Managing Digital Certificates across the Enterprise. [S.l.]: IBM Redbooks, p.16.

Wright, C., Freedman, B. and Liu, D. (2008). The IT regulatory and standards compliance handbook. Burlington, MA: Syngress Pub., pp.522-523.

Yang, R., Lau, W. and Liu, T. (2017). Signing into One Billion Mobile App Accounts Effortlessly with OAuth2.0. [ebook] Available at: https://www.blackhat.com/docs/eu-16/materials/eu-16-Yang-Signing-Into-Billion-Mobile-Apps-Effortlessly-With-OAuth20-wp.pdf [Accessed 11 Jul. 2017].
