This document summarizes Emily Singley's presentation on building privacy infrastructure for academic library resource access. It discusses how IP authentication fails to protect user privacy when accessing licensed resources off-campus. Federated access using SAML authentication addresses these issues by allowing users to directly access resources through their institution's identity provider without revealing personal IP addresses. The document outlines Boston College Library's implementation of the OpenAthens federated access solution to preserve user privacy while granting access to library resources. Collaboration between libraries, IT departments, and resource providers is needed to continue improving federated access infrastructure and user experience.
2. What I’m going to cover
● Privacy as it relates to licensed resource access
● Why IP authentication fails
● Preserving privacy with federated access
● What we are doing at Boston College
3. The old model - IP authentication
● Authorization based on IP address
● “Proxied links” needed for off-network access
● Users can only navigate directly to resources if they are on-network
See: “De-mystifying e-resource access: what every librarian should know”
4. How IP authentication protects privacy
● Only the user’s IP address is seen by the resource provider
● When off-network, only the IP address of the proxy server is seen
5. What’s wrong with this model?
Off-campus user navigates directly to resource, e.g. nature.com: IP is not recognized; user hits paywall
● Researchers want to go straight to resources, not use special library links
● Mobile devices can be “on-campus” but “off-network” - confusing!
● As users roam across the web, it is hard to understand which resources require special library links
6. The evidence is mounting
● Accessing publisher resources via a mobile device: A user’s journey
● Dismantling the Stumbling Blocks that Impede Researcher Access to E-Resources
● Failure to Deliver: Reaching Users in an Increasingly Mobile World
● Rethinking authentication
7. Our students normally bypass library links
● The majority of our usage comes directly from individual on-campus IPs, not through EZProxy
8. What happens when a pandemic sends all your students home?
● Saw usage decline during the time students were off-campus
● Could it be our users don’t understand how to use library links?
9. They don’t start at the library - they start everywhere
Moore, M., & Singley, E. (2019). Understanding the Information Behaviors of Doctoral Students: An Exploratory Study. Portal: Libraries and the Academy, 19(2), 279-293.
● Following the scholarly conversation
● Getting content through social media, referrals from colleagues, following citation trails
● Library not seen as starting point
● Library not seen as starting point
10. They use SciHub
Moore, M., & Singley, E. (2019). Understanding the Information Behaviors of Doctoral Students: An Exploratory Study. Portal: Libraries and the Academy, 19(2), 279-293.
"I see it on Google, get the link and copy and paste into SciHub and there's the article - that's it."
"so far there is nothing that I couldn't find there [on SciHub]"
Interviewer: “What can the library do better?”
Student: “Just do what SciHub does.”
12. Federated access infrastructure
● The institution’s identity provider (IdP) supports the SAML protocol
● The institution is also a member of an identity federation, which serves as a trusted clearing house for connections between the IdP and service providers.
● At Boston College, our SAML implementation is Shibboleth, and we are members of the InCommon federation
13. Why federated access
● Saw usage go up for federated provider
● Saw sharp increase in federated use
14. SeamlessAccess.org
• NISO-supported initiative to improve UX for federated access
• The same “Access through your institution” button appears across participating publisher sites
• Users stay logged in across platforms during their browser session
15. Preserving privacy with federated access
• Designed to support privacy; option to use only anonymous IDs
• IdP is entirely in control of attribute release
• Authorization takes place through IdP, not the service provider
• Risk: it is possible to release personal information
https://en.wikipedia.org/wiki/File:SAML_Web_Browser_SSO_with_Metadata.png
16. IT and library collaboration needed
• Libraries can no longer “go it alone”
• IdP (usually IT) manages attribute release
• Strong library / IT partnerships are essential
• Recent SeamlessAccess.org survey found that IT/library collaborations have room for improvement
https://seamlessaccess.org/posts/2020-06-23-surveyresults/
17. How we’re implementing federated access at Boston College
• Had to support 600 resource providers - both federated and IP authentication - in one place
• Only 200 providers support federated access
• Want to (eventually) be able to shut down EZProxy
• Went with a hosted solution - OpenAthens, distributed and supported by EBSCO
• LibLynx is also a viable option
18. Minimizing the burden on IT
• IT did not need to set up individual SAML connections; instead, only connected to OpenAthens
• Library staff can manage connections to resources - both IP and federated - within OpenAthens admin dashboard
19. Leveraging the federation
• Our solution had to work with our existing infrastructure - Shibboleth and InCommon
• We connect to OpenAthens federation using Shibboleth
• Service Providers who are OpenAthens members can connect to Boston College through the federation
• See EBSCO’s implementation documentation
• Some individual Shibboleth connections needed for a handful of providers
20. Preserving privacy at Boston College
• Only minimum number of attributes released
• EduTargetedId - anonymous ID, designed to protect user privacy
• Needed an additional attribute to identify separate campuses
• Strong security review processes in place
https://commons.wikimedia.org/wiki/File:Locked_Door_of_Tajjar.jpg
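An added example, not part of the original slides or of Boston College's configuration: a Python check that sorts the attributes released in a SAML assertion into allowed, directly identifying, and unexpected, illustrating the minimal release (the anonymous targeted ID, eduPersonTargetedID in the eduPerson schema, plus one campus attribute) described in slides 15 and 20. The release policy, the `urn:example:` attribute names, and both sample assertions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"   # eduPersonTargetedID
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"     # eduPersonPrincipalName
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"    # mail
CAMPUS = "urn:example:campus"                 # hypothetical campus attribute

# Assumed release policy: the pseudonymous ID plus one campus attribute.
ALLOWED = {EPTID: "eduPersonTargetedID", CAMPUS: "campus"}
# Attributes that identify a person directly.
IDENTIFYING = {EPPN: "eduPersonPrincipalName", MAIL: "mail"}

def audit_release(assertion_xml):
    """Sort released attributes into allowed / identifying / unexpected."""
    report = {"allowed": [], "identifying": [], "unexpected": []}
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if name in ALLOWED:
            report["allowed"].append(ALLOWED[name])
        elif name in IDENTIFYING:
            report["identifying"].append(IDENTIFYING[name])
        else:
            report["unexpected"].append(name)
    return report

def make_assertion(attrs):
    """Build a constructed, unsigned assertion for the demo."""
    body = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
        "</saml:AttributeValue></saml:Attribute>"
        for n, v in attrs.items()
    )
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f"<saml:AttributeStatement>{body}</saml:AttributeStatement>"
            "</saml:Assertion>")

# Constructed samples: a minimal release and an over-release.
MINIMAL = make_assertion({EPTID: "constructed-opaque-id", CAMPUS: "main"})
OVER_RELEASE = make_assertion({EPTID: "constructed-opaque-id",
                               MAIL: "student@example.edu", "urn:example:other": "x"})

if __name__ == "__main__":
    for label, xml in (("minimal", MINIMAL), ("over-release", OVER_RELEASE)):
        print(label, audit_release(xml))
```

Anything reported under "identifying" or "unexpected" is a release to review with whoever manages the IdP's attribute release; assertions from a live service provider should be parsed with a hardened XML parser and signature-checked first.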
21. Leveraging entity categories
• Entity categories can help libraries communicate what we mean by anonymous access
• Three new entity categories proposed:
○ Authentication Only
○ Anonymous Authorization
○ Pseudonymous Authorization
• SeamlessAccess Entity Categories Working group
• Recent NISO webinar
22. Where do we go from here?
• Boston College has now implemented federated access for about a third of our providers
• Includes all major publishers and aggregators
• Going forward: preferring providers that support federated access
• Encouraging providers who are still only IP-authenticated to implement federated access
23. We can’t do it alone
● We all need to work together - libraries, IT, and resource providers
● Libraries have an important role to play as privacy advocates
● We have a long ways to go, and there is still a lot of work to do
Jon Rawlinson [CC BY 2.0 (https://creativecommons.org/licenses/by/2.0)]