
Phase two of OpenAthens SP evolution including OpenID connect option

Jan 19, 2017

Eduserv
Transcript
Page 1: Phase two of OpenAthens SP evolution including OpenID connect option

www.eduserv.org.uk/openathens

OpenAthens Service Provider

Breakout session 2 for Publishers

9 November 2016

Page 2: Phase two of OpenAthens SP evolution including OpenID connect option

OpenAthens Service Provider as a service

• Phil Leahy (OpenAthens Service Relationship Manager)
• David Orrell (OpenAthens System Architect)

Page 3: Phase two of OpenAthens SP evolution including OpenID connect option

OpenAthens for corporate customers

• Our roots are in UK academia and healthcare, plus…
• Ministry of Defence
• House of Commons Library
• Healthcare organisations in the US, Spain & Australia
• US Department of Defense

Page 4: Phase two of OpenAthens SP evolution including OpenID connect option

[Diagram: Corporate/publisher relationships. Publisher 1, Publisher 2, Publisher 3 and Publisher 4, a banking/finance company, a legal practice, a pharmaceutical company and a petrochemical company, together with 150 other publishers and other research activity, are linked by SAML connections.]

Page 5: Phase two of OpenAthens SP evolution including OpenID connect option

Other access tools persist

• IP authentication
• Publisher-issued credentials
• Pre-loading data
• Domain-matching

• …but none of them tell you anything about your users

Page 6: Phase two of OpenAthens SP evolution including OpenID connect option

Local authentication tools in OpenAthens

• Shibboleth/SAML
• ADFS
• LDAP
• SirsiDynix
• PING Federate
• other SAML systems
• All of these can use attribute release in OpenAthens

Page 7: Phase two of OpenAthens SP evolution including OpenID connect option

Attribute release in action

• Adam Snook (OpenAthens Technical Pre-Sales)

Page 8: Phase two of OpenAthens SP evolution including OpenID connect option

Resource Access for the 21st century (RA21)

• Joint initiative between NISO and STM Association
• Announced at Frankfurt Book Fair
• Meetings in London in December
• OpenAthens is part of the conversation

Page 9: Phase two of OpenAthens SP evolution including OpenID connect option

1. Authentication: Providing the best possible end-user experience

2. Single Sign-On: Enabling simple SSO within publishing platforms

3. Establishing standards: Driving common standards for interoperability

4. Facilitating discussions: Providing forums for discussion

5. Embracing change: Understanding that change is constant

Page 10: Phase two of OpenAthens SP evolution including OpenID connect option

Questions?

Page 11: Phase two of OpenAthens SP evolution including OpenID connect option

www.eduserv.org.uk/openathens

OpenAthens Service Provider

9 November 2016

Page 12: Phase two of OpenAthens SP evolution including OpenID connect option

• State of Identity Management and Federated Identity in 2016

• Our plans for OpenAthens SP

Page 13: Phase two of OpenAthens SP evolution including OpenID connect option

Federated identity management

• Adoption continues to grow

“Through 2016, Federated Single Sign-On Will Be the Predominant SSO Technology, Needed by 80 Percent of Enterprises” – Gartner

• A new generation of standards is here
  • OAuth/OpenID Connect
• ...and emerging
  • UMA (user-managed access)

Page 14: Phase two of OpenAthens SP evolution including OpenID connect option

How well does SAML fit today?

• Mature standard, widely adopted
• Many moving parts
  • metadata ~10s of megabytes
  • possibly addressed by MDQ protocol?
  • ...but SAML is widely deployed by organisations
• Developers at ease working with JSON, REST APIs
  • consume and integrate cloud services
  • loosely-coupled and ‘version-less’
  • micro-services vs monolithic

Page 15: Phase two of OpenAthens SP evolution including OpenID connect option

How well does OpenAthens SP fit today?

• Server modules have limited integration options
  • servlet-filter, Apache module etc.
  • difficult to test
  • may not align well with modern architectures

• Limited APIs

Page 16: Phase two of OpenAthens SP evolution including OpenID connect option

Customer feedback

• Not familiar with concepts of federated identity
• Installation and configuration steps unclear
• Changes take too long to take effect
  • or require contact with Service Desk
• Locally installed software required
  • prefer to use an API
• Integrating with multiple applications is complex
  • duplication of configuration and registration
• End-user experience inconsistent and confusing

Phase 1

Phase 2

Page 17: Phase two of OpenAthens SP evolution including OpenID connect option

[Diagram: Future OpenAthens SP. Several identity providers connect over SAML to a SAML connector that is available as a service; App1, App2 and App3 connect to that connector over OAuth/OpenID Connect and REST, so multiple applications can share the same connector. The connector is managed from the OpenAthens Dashboard.]

Page 18: Phase two of OpenAthens SP evolution including OpenID connect option

OpenID Connect

• Identity layer on top of OAuth 2.0
• Industry-wide adoption
• Developer friendly
• Wide variety of clients including JavaScript and mobile
• Supports range of deployment scenarios
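The "identity layer on top of OAuth 2.0" in the slide above is the OpenID Connect id_token: a signed JWT that a publisher application (the relying party) has to verify before trusting the identity it carries. The block below is an added example, not code from Eduserv, OpenAthens or this deck. The issuer URL, client_id, shared secret and the use of HS256 are constructed assumptions for a self-contained demonstration (a production provider would normally sign with RS256 and publish its keys); it shows the checks a relying party performs and the reasons a token is rejected.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example; none of these come from OpenAthens or the deck.
ISSUER = "https://idp.example.org"            # hypothetical OpenID Provider issuer
CLIENT_ID = "publisher-app-1"                 # hypothetical client_id registered for one app
SHARED_SECRET = b"constructed-client-secret"  # HS256 key shared with the provider (constructed)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Produce an HS256-signed id_token the way a provider would (fixture for the example)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_id_token(token: str, secret: bytes, expected_nonce: str, now: Optional[int] = None) -> dict:
    """Relying-party side: verify the signature and the core OIDC claims.

    Returns the claims on success and raises ValueError on any failure.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the relying party expects instead of trusting the token's own header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Issuer, audience, expiry and nonce are the minimum checks before trusting 'sub'.
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token not issued for this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def validation_result(token: str, secret: bytes, expected_nonce: str, now: int) -> str:
    """Convenience wrapper: 'ok' on success, otherwise the rejection reason."""
    try:
        validate_id_token(token, secret, expected_nonce, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed claims; times are seconds since the epoch, kept small for readability.
    good = mint_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42",
                          "iat": 1_000, "exp": 2_000, "nonce": "n-1"}, SHARED_SECRET)
    print(validation_result(good, SHARED_SECRET, "n-1", now=1_500))   # ok
    print(validation_result(good, SHARED_SECRET, "n-1", now=2_500))   # token expired
    print(validation_result(good, SHARED_SECRET, "n-2", now=1_500))   # nonce mismatch
```

The nonce is the value the application generated when it started the login and stored in the user's session; comparing it here ties the returned token to that specific request. Pinning the algorithm and checking the audience are what stop a token minted for one application from being accepted by another, which matters once several applications share one connector as the later slides propose.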

Page 19: Phase two of OpenAthens SP evolution including OpenID connect option

• Dashboard provides
  • Configuration
  • Access to logs
  • Analytics

• Add additional applications without having to register multiple SAML entities

OpenAthens SP Cloud

Page 20: Phase two of OpenAthens SP evolution including OpenID connect option

Federated login: UX issues!

• One of the most common user complaints!
• Users presented with too many options
  • “OpenAthens login”
  • “Shibboleth login”
  • “Institutional login”
  • “Choose your federation”
  • Drop-down lists of organisations
  • Search for organisation
  • …

• Users often don’t even understand the question!

Page 21: Phase two of OpenAthens SP evolution including OpenID connect option

Current options for discovery

• By-pass completely (WAYFless URL, OA redirector)
• Use a federation discovery service
  • Does not work across multiple federations
  • Does user know their federation?
• Build your own using OpenAthens SP API
• Build your own using your own data

Page 22: Phase two of OpenAthens SP evolution including OpenID connect option

Federated discovery as a service?

• A more opinionated approach to discovery UX
• Consistent but brand-able via dashboard
• Will work out-of-the-box
• Delivered via:
  • Standalone hosted service
  • Embeddable JavaScript widget
• REST APIs still available to build your own
• Independent of a given federation but will support any

Page 23: Phase two of OpenAthens SP evolution including OpenID connect option

Phase 2 due Q1 2017

Questions?