OpenAthens Service Provider: Breakout session 2 for Publishers
9 November 2016
www.eduserv.org.uk/openathens
Jan 19, 2017
OpenAthens Service Provider as a service
• Phil Leahy (OpenAthens Service Relationship Manager)
• David Orrell (OpenAthens System Architect)
OpenAthens for corporate customers
• Our roots are in UK academia and healthcare, plus…
  • Ministry of Defence
  • House of Commons Library
  • Healthcare organisations in the US, Spain & Australia
  • US Department of Defense
[Diagram: corporate/publisher relationships. Labels: Publisher 1, Publisher 2, Publisher 3, Publisher 4, 150 other publishers, other research activity; banking/finance company, legal practice, pharmaceutical company, petrochemical company; SAML connection.]
Other access tools persist
• IP authentication
• Publisher-issued credentials
• Pre-loading data
• Domain-matching
• …but none of them tell you anything about your users
Local authentication tools in OpenAthens
• Shibboleth/SAML
• ADFS
• LDAP
• SirsiDynix
• PING Federate
• other SAML systems
• All of these can use attribute release in OpenAthens
Attribute release in action
• Adam Snook (OpenAthens Technical Pre-Sales)
Resource Access for the 21st century (RA21)
• Joint initiative between NISO and STM Association
• Announced at Frankfurt Book Fair
• Meetings in London in December
• OpenAthens is part of the conversation
1. Authentication: Providing the best possible end-user experience
2. Single Sign-On: Enabling simple SSO within publishing platforms
3. Establishing standards: Driving common standards for interoperability
4. Facilitating discussions: Providing forums for discussion
5. Embracing change: Understanding that change is constant
Questions?
OpenAthens Service Provider, 9 November 2016
• State of Identity Management and Federated Identity in 2016
• Our plans for OpenAthens SP
Federated identity management
• Adoption continues to grow
“Through 2016, Federated Single Sign-On Will Be the Predominant SSO Technology, Needed by 80 Percent of Enterprises” – Gartner
• A new generation of standards is here
  • OAuth/OpenID Connect
• ...and emerging
  • UMA (user-managed access)
How well does SAML fit today?
• Mature standard, widely adopted
• Many moving parts
  • metadata ~10s of megabytes
  • possibly addressed by MDQ protocol?
  • ...but SAML is widely deployed by organisations
• Developers at ease working with JSON, REST APIs
  • consume and integrate cloud services
  • loosely-coupled and ‘version-less’
  • micro-services vs monolithic
How well does OpenAthens SP fit today?
• Server modules have limited integration options
  • servlet-filter, Apache module etc.
  • difficult to test
  • may not align well with modern architectures
• Limited APIs
Customer feedback
• Not familiar with concepts of federated identity
• Installation and configuration steps unclear
• Changes take too long to take effect
  • or require contact with Service Desk
• Locally installed software required
  • prefer to use an API
• Integrating with multiple applications is complex
  • duplication of configuration and registration
• End-user experience inconsistent and confusing
[Diagram: Phase 1 / Phase 2 architecture. Labels: SAML connector; Future OpenAthens SP; Identity provider (three instances); Service Provider; App1, App2, App3; SAML; OAuth/OpenID Connect; REST; “Multiple applications can share the same connector”; “SAML connector available as a service”; OpenAthens Dashboard.]
OpenID Connect
• Identity layer on top of OAuth 2.0
• Industry-wide adoption
• Developer friendly
• Wide variety of clients including JavaScript and mobile
• Supports range of deployment scenarios
• Dashboard provides
  • Configuration
  • Access to logs
  • Analytics
• Add additional applications without having to register multiple SAML entities
OpenAthens SP Cloud
Federated login: UX issues!
• One of the most common user complaints!
• Users presented with too many options
  • “OpenAthens login”
  • “Shibboleth login”
  • “Institutional login”
  • “Choose your federation”
  • Drop-down lists of organisations
  • Search for organisation
  • …
• Users often don’t even understand the question!
Current options for discovery
• By-pass completely (WAYFless URL, OA redirector)
• Use a federation discovery service
  • Does not work across multiple federations
  • Does user know their federation?
• Build your own using OpenAthens SP API
• Build your own using your own data
Federated discovery as a service?
• A more opinionated approach to discovery UX
• Consistent but brand-able via dashboard
• Will work out-of-the-box
• Delivered via:
  • Standalone hosted service
  • Embeddable JavaScript widget
• REST APIs still available to build your own
• Independent of a given federation but will support any
Phase 2 due Q1 2017
Questions?