This presentation was provided by Ellen Rotenberg and Rick Stevenson, both of Clarivate Analytics, during the NISO Webinar, Engineering Access Under the Hood, Part One, held on Wednesday, November 1, 2017.

1. A Provider’s Perspective on Identity
and Authentication Management
Ellen Rotenberg, Director Product Management, Platform capabilities and Services
Rick Stevenson, Manager, Tech Operations
NISO Webinar: Engineering Access Under The Hood
November 1 2017

2. 2
Rick Stevenson
Manager, Tech Operations
Ellen Rotenberg
Director, Product Management,
Platform Capabilities and Services
Hello!

3. 3
Core tenants for world-class IAM
Provide the right resources, to the right users, at the right time
Your Identity Identity confirmed
Access granted
Your
entitlements
Authentication
Authorization

4. 4
Core tenants for world-class IAM
Take best practices from the B2C world, and applying to the enterprise
User Analytics Consumer Grade Cross-device access Enterprise safeguards
Graphic Source: Clarivate Analytics

5. 5
Supporting authentication across the innovation lifecycle
IP-based authentication
Single Sign-on
User self-registration
Graphic source: User by Wilson Joseph from the Noun Project
User registration (by admin)
Social login

6. 6
Service Provider - SSO setup process
1. SSO setup request made and required information provided
2. Metadata exchange
3. Load Metadata
4. Install IdP certificates into Service Provider trusted store
5. Federation’s IdP Discovery Service URL setup
6. IdP Assertion Attribute Configuration based on provided information from Federation/IDP
7. Personalized Attribute Configuration
8. Product Entitlement Configuration (the fact of having a right to certain product content or functionality)
9. Generate WAYFLESS urls
10. Test SSO

7. 7
Service Provider - Components and Internal Workflow
CRM system
Content entitlements
IdP entity ID + stipulated
assertion attributes
Functional entitlements
IDP metadata + cert
SAML Inbound
Validation
Entitlement and User
Identification
Personalized user
mapping
Read
User signed in and proper access level granted
Authorization
Mapping

8. 8
Federation Metadata Bug
Service Provider Metadata Bug
Institution (IdP) configuration change request
Institution (IdP) not releasing SAML response
Institution (IdP) SAML 2 upgrade
Institution (IdP) releasing incorrect SAML 2 attribute
Service Provider missing IdP configuration
Record level Wayfless URL request
Institution (IdP) SAML1 binding issue
Enhancement
Institution (IdP) not releasing any SAML attributes
Service Provider Bug
Metadata ACS URL index issue
Institution (IdP) Personalization Attribute Error
Unknown Institution(IdP) side Issue
Federation has outdated SP Metadata
Service Provider Resource Navigation Issue
Adhoc Wayfless URL request
SAML attribute mismatch
Service Provider IdP configuration error
SSO Technical Support Case Breakdown – Over 6 Months
Root Cause # of Cases
2 4 6 8 10 12 14 16 18
60%
40%
Alternate Access
Available?
No Yes

9. 9
Service Provider – Sources of Complexity
Clarivate Academic Products
IP Auth
Roaming
SSO
Graphic source: The Noun Project: Lock by Mike Rowe, Pedestrian by Katya Sotnikova, Library by Kavya.
Navigation Complexity
Identity/Access Models Web of Science InCites Endnote
Free product? No No Yes
Sign-in required? No Yes Yes
IP auth available? Yes No No
IP roaming available Yes No Yes
Email/Password available? Yes Yes Yes
Social login available? No No Yes
SSO available? Yes Yes Yes
SSO id based personalization available? Yes Yes No
SSO email based personalization available? Yes Yes No
SSO personalization required? No No No

10. 10
Ways to minimize complexities
1. Lessen the use of IP authentication in favor of SSO
2. Institutions should (IDPs) always provide a personalization attribute (ID or email) in SAML
3. Service providers should implement smarter access paradigms to allow users progressively disclose identity.
Users are required to Step-up, and assert their identity at the strength
level required by the application they are trying to access.
Example of progressive identity disclosure

11. 11
Key Challenges and Recommended Solutions
Challenges Recommended Solutions
q Communication between business and technology
groups across both Service Providers and Clients
ü Talk early, talk often
q IdP assertion attribute mismatch ü Adopt standards in how assertion attributes are
released by institutions (IdPs).q Personalization attribute issues
q WAYFLESS url requests
ü Adopt standards in how Service Providers should
construct WAYFLESS URLs.
q Outdated Metadata ü Automate the daily refresh of IdP and SP Metadata
q Forcing users to create additional accounts ü Move away from IP authentication, in favor of SSO
ü Service Providers implement smarter access
paradigms
q User confusion when navigating within Service
Provider resources

12. 12
Thank you!
Q&A