Access, authentication, and authorization

This topic is for discussion “Access, authentication, and authorization.” To go back to this session in Sched, click here.

There was some great discussion firing off in that after-meeting Zoom - I think there were all sorts of positions being questioned, defended, just some I remember:

  • The idea that a user-centred approach is king and the Uni or library should not deny capabilities to students or teachers or researchers in the name of protecting the user (and how SAML may be able to provide consent to the individual with this legitimate interest)

  • The idea of a data passport - under whose jurisdiction or authority - central or delegated? The university as a membership org, the government, the third-party or publisher?

  • The potential disintermediation of colleges where a third party has such computing power and personalisation and ID-providing capacity (e.g. Microsoft / LinkedIn) that it becomes a primary identity for access to resources and the primary lifelong learning affiliation for the individual citizen (which is what a Uni alumni membership has been, traditionally)

  • The question of whether personalisation is a good, per se (where is it a good - where is it a bad, clearly there are examples of both), and the notion of incentives to (and capacities for) personalisation in the context of the commercial attention market (e.g. Netflix) vs the ‘marketplace’ of ideas and attention within a learning experience at a University.

  • The idea that Open Access is the answer to all of this and more in the interest of the user than federated access and its complications (though the question of services on top of OA complicates this - how?)

  • The role of federations and the possible introduction of model contract language that simplifies negotiations for budget holders


I’d personally be delighted to chat to anyone about any of these questions, at any point, here or in the wonderful 8-bit networking environment or anywhere else possible, it’s fascinating and there’s bound to be so many more solutions than problems, surely? :))

(ps sorry for typing over people in that Zoom chat, there were about 5 discussions and questions being asked at any one time, and I missed a lot of what was being said in between typing / listening / questioning, hence trying to disentangle it now).

Recognizing that this question takes the conversation a giant step backwards – I need resources about a stop-gap fix for off-campus use of VPN. We increasingly receive troubleshooting tickets from users that have an IPv6 network connection and our VPN/campus IPs are set with IPv4 addresses. Can VPNs (Pulse Secure) be “upgraded” to read IPv6 and transfer back to campus IPv4 for authentication? I’m lost in the technology, products, and protocols (even as your program points out - probably not even able to come up with common terminology between E-Resources Management and Library IT) to find a fix for this problem. Currently it’s a 1-2 day process to realize that IPv6 conflict is the problem. Another day to have library IT override the VPN for user. The other day a course assigned reading resulted in multiple tickets, with this problem impacting the faculty member as well as several students. I was hoping today’s program would point to an easier solution to leave the VPN behind!
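As an added example (not part of the original post, and not Pulse Secure or vendor tooling), the script below triages access tickets by checking the client address a platform logged against the registered campus ranges, flagging the IPv6-versus-IPv4 mismatch described above in one pass. The ranges, ticket ids and function names are constructed for illustration, using documentation address blocks.

```python
import ipaddress
from collections import Counter

# Constructed sample: the campus/VPN ranges registered with a vendor (IPv4 only).
REGISTERED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

def classify(client_addr, ranges=REGISTERED):
    """Classify one client address, as a vendor or proxy logged it."""
    try:
        ip = ipaddress.ip_address(client_addr.strip().strip("[]"))
    except ValueError:
        return ("invalid", "not an IP address")
    note = ""
    # Dual-stack servers often log IPv4 clients as ::ffff:a.b.c.d; unwrap those.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip, note = ip.ipv4_mapped, " (IPv4-mapped, unwrapped)"
    same_family = [n for n in ranges if n.version == ip.version]
    if not same_family:
        # No registered range of this family: the address can never match.
        return (f"ipv{ip.version}-unmatchable", f"{ip}: no IPv{ip.version} range registered")
    for net in same_family:
        if ip in net:
            return ("match", f"{ip} in {net}{note}")
    return ("no-match", f"{ip} outside registered ranges{note}")

def triage(tickets, ranges=REGISTERED):
    """Return (counts per verdict, ticket ids that failed purely on address family)."""
    counts, family_failures = Counter(), []
    for ticket_id, addr in tickets:
        verdict, _ = classify(addr, ranges)
        counts[verdict] += 1
        if verdict.endswith("-unmatchable"):
            family_failures.append(ticket_id)
    return dict(counts), family_failures

# Constructed tickets: (ticket id, client address seen by the e-resource platform).
SAMPLE_TICKETS = [
    ("T-101", "192.0.2.44"),
    ("T-102", "2001:db8:10::5"),
    ("T-103", "::ffff:198.51.100.7"),
    ("T-104", "198.51.100.200"),
    ("T-105", "[2001:db8:beef::1]"),
]

if __name__ == "__main__":
    counts, family_failures = triage(SAMPLE_TICKETS)
    print(counts, family_failures)
```

Tickets returned in the second list failed on address family alone, which separates them from ordinary out-of-range IPv4 clients without a manual investigation.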

Hi @Michelle,

‘I need resources about a stop-gap fix for off-campus use of VPN’ whilst I myself don’t have a huge amount of experience in running a VPN, I can offer some pointers to your later comment ‘I was hoping today’s program would point to an easier solution to leave the VPN behind!’

There are a huge number of software and service options available to you in your effort to ditch your VPN for remote access to e-resources and online applications.

There are services that continue to lean on IP recognition as the primary authorisation method that service providers (e-resources) use to permit access to their application. IP based services do then usually require users to register separate accounts with each and every service where they want to make use of personalisation services like bookshelves, CME/CPD credits, saved searches etc. Example services would be EZProxy, WAM, HAN.

Then there are services that offer more of a single sign-on experience through federated access and more specifically SAML, as opposed to IP recognition. These services enable secure remote access to a wide variety of products and services. Not only do they enable single sign-on to the content and services on 3rd party platforms, they also enable single sign-on to personalisation features (examples above) without the need to create separate usernames and passwords on each site. Example do it yourself software would include Shibboleth and SimpleSAMLphp, example managed services would include OpenAthens and LibLynx.

Disclaimer: I work for OpenAthens (Jisc) and the options I gave as examples are just to name a few, the ones I personally hear about the most.

Thanks so much for the great information and long-term, definitely want to move university away from IP authentication for e-resources access-with consideration of your suggested options. Until then, do you hear of others having problems specifically caused by IPv6 conflict, which is the hole I’d like to start patching, while our system is still IP based? It scopes the problem (IPv6) as a subset within the IP recognition sphere. In other spheres, our digital AUL is adamant NOT to return to ezproxy, and SAML will take some time to coordinate. Thanks again, I really appreciate your input.

I’m not sure it is a “data passport”—it is like a wallet of credentials. Each credential is signed by the organization issuing it, and the set of them I have represents all of the places where I am a member of a community. Sort of like if PGP signed keys were still a thing, we could use that to verify memberships. (There is a whole bit about how the organization’s signatures would need to be checked and expired as appropriate.) But the individual would have the “wallet” and be able to present it to a service provider to be verified.

@Michelle, Personally I haven’t heard of any issues caused by IPv6 as it just hasn’t really become as prevalent as we assumed it would a few years ago. Even though we all know that IPv4 IPs are finite, for the vast majority of users on the internet, their ISP (internet service provider) still provides them with an IPv4 address and I know of very few that provide an IPv6 address. Clearly this number isn’t zero or you wouldn’t be having issues. At this point I clearly need to leave the floor open and hope others comment on your IPv6 issue.

Personally in these kinds of communities I try to be as non-partisan and as impartial as possible. I will however go into your comment about SAML taking a while to coordinate. Clearly I am likely to be a little biased as this is the space I live and work in every day.

There are so many ways to adopt SAML capabilities (some of which you likely already have e.g. G-suite, Azure, ADFS etc.). Depending on your team’s experience in this space something like Shibboleth (other software is available) could take a short, or long time to get set up and running and that is where managed services come in to try to reduce the burden from internal teams.

Managed services like the ones I mentioned previously are available to pretty much handle everything for you and run the IdP (Identity Provider) on your behalf and could get things up and running quicker than you might think. I personally have been known to get everything set up and enabled in less than 3 weeks, and of course this does massively depend on the number of vendors you need to enable access to.

As well as managed services, something I forgot to mention before was consultancy-type organisations that will help get you up and running with your own SAML IdP (e.g. Shibboleth) without you needing to learn and do all the work yourselves. Examples of these orgs include and are by no means limited to 9STAR, Overt, Gluu, and even my parent company Jisc.

Are there any examples of this being piloted or prototyped in university teaching or research? Or any papers or opinion pieces on this idea?

Re. how the organization’s signatures would need to be checked and expired as appropriate, I don’t know what know-how is needed or the technical means, but could it conceivably be something that is done within a university’s existing structure (e.g. IT / Library - the latter has some experience of checking things that expire, at least)?

What I heard decades ago about Shibboleth specifically and identity management in general is probably still true: it is easy for a university to install Shibboleth…what is hard is the months to years of work getting a coherent identity management plan in place to feed into Shibboleth. When do matriculating students get an active id? When are they removed? What if a student isn’t enrolled for a term? How are visiting faculty handled? What happens when one of our faculty goes visiting somewhere else? Emeriti? Who has the definitive list of emeriti and how will that be fed into the identity management system? And we haven’t even gotten to walk-in library patron privileges yet…

Not that I’m aware of, but I’m only watching from the outer edges of federated identity management activity. Hopefully someone else here can chime in.

A group called GA4GH (the Global Alliance for Genomics and Health) is investigating the use of passports to streamline access to clinical datasets. ORCID is involved in early stage discussions about whether we can facilitate that use case through the use of validated assertions on ORCID records.

I certainly agree with this. The issue of multiple affiliations within the same institution is another one to add to the list. Our IT team has been working on an ID assignment master system for years (not quite decades, yet), and it seems the ultimate never-ending project.

I wrote an unconscionably long reply on the SeamlessAccess.org board touching on this issue of the internal admin strain, and whether better collaborative use of the standard would help (Seamless Access and Federated Authentication: next steps - #5 by Slothocles). I’d be interested to hear your perspective Peter, if you had time? As with everything, I might be wrong, or missing important considerations (easy to get that way working away as one cog in the IDM system, from home…).