Discuto

Javascript is disabled. This site relies heavily on Javascript. Please enable Javscript to be able to use all features this site offers.

Federated Identity Management for Libraries (FIM4L) - Draft Guidelines & Recommendations

ending
31 May

Follow discussion

Description
Discussion

Starting: 07 Feb Ending

0 days left (ends 31 May)

Access to online library resources can be quite complex. Patrons normally have easy access when signed on to a campus network but when working from other locations — as modern work patterns often demand — the same patrons are increasingly asked to ‘log in to their institution’. This process can release identifying information.

see discussion Ends in 0 days

description

Known as federated authentication, delivering Single Sign On (SSO), this process, if not configured correctly, is at odds with the responsibility of libraries to protect their patrons’ privacy.

In order to preserve patron privacy, while also making the configuration and management of federated SSO connections easier for both libraries and publishers, LIBER’s FIM4L Working Group has drafted 10 Implementation Principles for SSO. The principles drafted by the group are now open for public comment.

Please read our full draft guidelines and share your feedback by 30 April 2020. Your comments will help us create a final set of recommendations which libraries can use to give patrons seamless access while preserving privacy as much as possible. You can comment here or email feedback to liber@kb.nl.

Further info

LATEST ACTIVITY

LEVEL OF AGREEMENT

- 0%
- (0 positive votes)
- 0%
- (0 negative votes)
0 votes in total

Most voted: 0
Most commented: 0
Most controversial: 0
Already decided: 0
In voting: 0
Supported: 0
My contributions: 0

MOST DISCUSSED PARAGRAPHS

P6 Principle 3 - eduGAIN has been established a

2 0

P17 ● Apart from the fact that for GDPR pseudony

2 0

P8 B - The publisher requires a persistent but

2 0

P1 Publishers and suppliers of licensed online

1 0

< prev next >

LATEST COMMENTS

Why don't we directly encourage the IdPs to implement a consent page? A user won't see a consent page when they first visit the SP unless the IdP implemented it.

pseudonymous

What is this recommendation based on? ePE and ePSA have a different purpose. If we want them to be used effectively (not requiring bilateral negotiation every time) then we shouldn't be mixing them up like this. Please align the recommendation with REFEDS.

I suppose this means that it is not possible for such user to create personalization or register and save personal features... but that's not really clear.

< prev next >

MOST ACTIVE USERS


	meshna	5	0

Judith Bush

Status: Closed

Privacy: Public

Author: liber@libereurope.org

Contact administrator

CONTRIBUTORS (10)

filter: All Most voted (0) Most comments (0) Controversial (0) Decided (0) In voting (0) Supported (0) My contributions (0)

view:

<< Previous paragraphs

P18

AARC	Authentication and Authorization for Research Collaborations, Project funded by the European Union’s Horizon 2020 research and innovation programme under Grant Agreements 653965 and 730941. AARC was successful in establishing a Blue Print Architecture for the deployment of FIM technologies in research infrastructures, as well as in establishing guidelines on respective technical and policy matters .
Authentication	The process of verifying the the identity of a user, process or deviceability of a user to access an account, often, but by no means exclusively, use of a username and password.
Authorization	The process of verifying against a set of access controls whether an account is authorized to access a given service or resource.
eduGAIN	eduGAIN enables trustworthy exchange of identity information between federations without many bilateral agreements, reduces the costs of developing and operating services, improves the security and end-user experience of services, enables service providers to greatly expand their user base and enables identity providers to increase the number of services available to their users. Speaking about costs of operating services when a resource provider is updating its metadata it easy to send it to just one federation and then propagate it to eduGAIN instead of having to contact many national federations separately. On the federation side getting updated metadata from eduGAIN has no maintenance costs is undoubtedly an advantage. See AARC and eduGAIN: expanding access to online resources for students, teachers and researchers, How to reach global customers with Federated Identity Management and How to Join eduGAIN as Service Provider for more details.
Federated Authentication	The mechanism by which an identity provider, such as a home organization, indicates to one of more service providers that the user has been authenticated and may be authorized by the service provider to access relevant resources.
Federated Identity	A digital identity which is asserted by one system (an identity provider) which may be consumed by other systems (service providers) by means of federated authentication.
Federation	A federation is an association of organizations that agree to exchange information as appropriate about their users and resources in order to enable collaborations and transactions such as user authentication.
Identity Provider (IdP)	An organization that manages digital identities and issues authentication assertions and potentially other attributes to Service Providers.
Identity Provider (IdP) Persistence	The storage and re-use of a previous IdP choice made during an identity provider discovery process.
IP address-based Authorization	A method where a SP and a home organization have agreed that every request coming from a range of network/Internet Protocol (IP) addresses associated with the home organization should be authorized for the services provided by the SP.
Multilateral Identity Federation	A form of identity federation where a trusted third party registers and publishes all entity metadata to all members, preventing the need for bilateral agreements between an IdP and SP.
REFEDS R&S	The REFEDS Research and Scholarship Entity Category (R&S) has been designed as a simple and scalable way for Identity Providers to release minimal amounts of required personal data to Service Providers serving the Research and Scholarship Community. Candidates for the Research and Scholarship (R&S) category are Service Providers that are operated for the purpose of supporting research and scholarship interaction, collaboration or management, at least in part. Example Service Providers may include collaborative tools and services such as wikis, blogs, project and grant management tools that require some personal information about users to work effectively. This entity category should not be used for access to licensed on-line resources as described in the category definition. For more details see REFEDS documentation.
Service Provider (SP)	An organization that makes online resources available to users based in part on information, in particular authentication assertions, from IdPs.
Single Sign On (SSO)	The ability of a user to access multiple discrete systems or sets of resources with a single set of access credentials. This is often achieved by the mechanism of Federated Authentication.
Web Storage[7]	Where web applications can store data locally within the user's browser. Before HTML5, application data had to be stored in cookies, included in every server request. Use of browser local storage prevents sending the data to server with each server calls (which is what cookies do).
IP address-based Authorization	A method where an SP and a home organization have agreed that every request coming from a range of network/Internet Protocol (IP) addresses associated with the home organization should be authorized for the for services provided by the SP.
Security Assertion Markup Language (SAML)[8]	A standards-based approach to federated or single sign-on (SSO) authentication. Many interoperable open source and commercial implementations of SAML are available.