UKSG webinar: Authentication technology update: RA21 and OpenAthens with Josh Howlett, Jisc and Phil...


www.openathens.org

Authentication technology update: OpenAthens

Phil Leahy

Service Relationship Manager

[email protected]


Coming up

• The access management toolkit

• Security, privacy and personalisation

• What opportunities are new technologies bringing?

• How OpenAthens helps organisations and their content provider suppliers


Helping over 2,200 organisations in 48 countries enable access to hundreds of thousands of journals, databases and ebooks for over 4 million end users.


The access management toolkit

• Vendor-supplied credentials

• Referral URLs

• IP recognition

• Peer-to-peer SAML connections

• Federated access management


Changing user requirements

• Mobile access is key

• Personalisation is expected

• Multiple devices are used


Changing librarian requirements

• More tech services to manage

• Multiple tech services must integrate

• Monitor e-library engagement


What is local authentication?

• Uses existing usernames and passwords, typically held in Active Directory

• Same account used for ‘local’ and external systems

  • VLE

  • Google Apps / Office 365

  • OpenAthens

• Reduces administration

• Reduces user queries


Security is paramount

• Authentication within Federations uses SAML

• Data encryption comes as standard

• Individual level accountability

• Permission setting features – easier to comply with restricted content licences

• Authentication servers monitored for misuse


Directory integrations

CAS (Client Access Server)


Build against an API

• Log your users into the system based on credentials stored in any system you can gain programmatic access to

• Great when you cannot use other connection types


Connecting to SAML applications

• OpenAthens can interact with many Apps

• Better overall experience for end users

• ‘True’ single sign-on


Integration with SAML applications


Is user privacy at risk?

• SAML encrypts data by default…

• …but is that sufficient?

• Personalisation requires that content providers know something about a user…

• …what is acceptable?


https://twitter.com/lisalibrarian/status/927534622799548416


Attribute release in OpenAthens
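To make concrete what "attribute release" means for the privacy question on the previous slide (and the permission-setting point under "Security is paramount"), here is an added illustration, not OpenAthens code: an identity-provider-side release filter that hands each content provider only the attributes its licence needs, plus a pairwise pseudonymous identifier that supports personalisation without disclosing who the user is. The entity IDs, user record, policy and secret are all constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample user record as an identity provider would hold it (not real data).
USER = {
    "uid": "jdoe",
    "mail": "j.doe@example.ac.uk",
    "displayName": "Jane Doe",
    "eduPersonScopedAffiliation": "member@example.ac.uk",
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
    "department": "Chemistry",
}

# Constructed per-provider release policy, keyed by hypothetical SAML entity IDs.
# A licence-gated journal needs affiliation and entitlement; a personalising
# platform additionally gets a display name. Nobody gets the e-mail address.
RELEASE_POLICY = {
    "https://sp.journal-a.example/shibboleth": {"eduPersonScopedAffiliation", "eduPersonEntitlement"},
    "https://sp.platform-b.example/saml": {"eduPersonScopedAffiliation", "displayName"},
}

# Constructed key; a real deployment keeps this in the IdP's secret store and rotates it deliberately.
IDP_SECRET = b"constructed-example-secret"


def pairwise_id(uid: str, sp_entity_id: str, secret: bytes = IDP_SECRET) -> str:
    """Stable per-provider pseudonym (the idea behind a SAML persistent NameID).

    The same user always gets the same value at one provider, so the provider
    can personalise, but values at different providers cannot be correlated.
    """
    mac = hmac.new(secret, f"{uid}|{sp_entity_id}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def release_attributes(user: dict, sp_entity_id: str, policy: dict = RELEASE_POLICY) -> dict:
    """Return only the attributes the policy allows for this provider, plus the pairwise ID.

    A provider with no policy entry receives nothing but the pseudonym, so the
    default is minimal disclosure rather than full release.
    """
    allowed = policy.get(sp_entity_id, set())
    released = {name: value for name, value in user.items() if name in allowed}
    released["pairwiseId"] = pairwise_id(user["uid"], sp_entity_id)
    return released
```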


• Benefit from SAML without installing it

• OpenAthens Cloud offers the same benefits

• OpenID Connect is the hook…

• …but what is OpenID Connect?

OpenAthens Cloud


Federation standards

OpenID Connect

• Web-scale

• Modern, developer-friendly

• Only implicit trust

SAML

• Enterprise

• Mid-2000s tech, hard to adopt

• Scalable trust-network


OpenAthens Cloud


OpenAthens Wayfinder:

helping content providers help users


New technologies = new opportunities?


Google Scholar CASA

“CASA builds on Google Scholar’s Subscriber Links program which provides direct links in the search interface to subscribed collections for on-campus users. With CASA, a researcher can start a literature survey on campus and resume where she left off once she is home, or travelling, with no hoops to jump through. Her subscribed collections are highlighted in Google Scholar searches and she is able to access articles in exactly the same way as on campus.”

Users must access on-campus at least every 30 days to maintain off-campus access.

https://home.heinonline.org/blog/2017/09/casa-en-nuestra-casa-casa-in-our-house/


BeyondCorp at Google

• Principles

  • Connecting from a particular network must not determine which services you can access.

  • Access to services is granted based on what we know about you and your device.

  • All access to services must be authenticated, authorized and encrypted.

https://cloud.google.com/beyondcorp/


Federation standards

OpenID Connect

• Web-scale

• Modern, developer-friendly

• Only implicit trust

SAML

• Enterprise

• Mid-2000s tech, hard to adopt

• Scalable trust-network

Convergence?


More information

What does it take to run an access management federation?

http://bit.ly/2AWSUUz

OpenAthens Cloud uses OpenID Connect

http://bit.ly/2y3pZz6


Phil Leahy

OpenAthens Service Relationship Manager

[email protected]

+44 (0)1225 474302

Any questions?


Contacts

Josh Howlett, Head of trust and identity, Jisc

[email protected]

Phil Leahy, OpenAthens Service Relationship Manager

[email protected]

Tasha Mellins-Cohen, Director of Publishing, Microbiology Society

[email protected]

Feel free to e-mail your questions and look out for the slides on uksg.org/webinars/authentication