Thank you for watching our presentation on the impact of federated authentication on user experience, privacy, and learning analytics. I'm Margaret Heller, and I'm joined by Hong Ma. We're from Loyola University Chicago.

Today we're going to give an overview of the user experience that has traditionally been offered for access to licensed resources and how that has always affected privacy and learning analytics. We're also going to give some information on how newer technologies and federated authentication are impacting that, what's happening right now, and what we want the library community to be doing in the future.

These are some older, but still existing, user experiences for remote access to licensed content. Starting back in the early 70s, there were things like mediated access to online search services, where expert searcher librarians performed those searches. That is of course now far less common, but that kind of mediated access still does happen in some way; think, for example, of someone calling up the reference desk and asking to have a PDF emailed to them. There's also access via an individual username and password, or a username and password that's used at an institutional level; that is also still in use, but it's very, very challenging to use in an institutional context. IP range-based authentication is still a critical piece of our infrastructure for offering access to licensed content.
This allows anyone on campus to have access without really doing anything else. However, it does not work so well when people are not on campus, and so that brought us things like EZproxy, which was first created in 1999 and bought by OCLC in 2008. This allows you to give your vendors the EZproxy IP address and then send all your traffic through that proxy server, which creates a single sign-on experience across all databases, even from off campus. It can of course work with a number of authentication technologies to create SSO with other systems as well.

So all of these different systems have a more direct or indirect impact on privacy and on the big data aspects that make them attractive for learning analytics. Obviously, when it's just one individual providing access through mediated searches, that's not going to be big data, but once you start getting into things like IP addresses, and certainly proxy servers where you are channeling traffic in different ways, you can start to create more and more data sets that can be used in different ways and have implications for privacy.

Before we get into talking about newer technologies and federated authentication, I want to point out that there are three distinct stages of access, and it's important to keep this in mind as we're having these discussions. I also want to point out that we're talking about federated authentication, authenticating across services, but we are also referring to federated identification, connecting across domains as well. So identification is the specific entity, like an individual, and information about that individual; authentication is how that person or entity proves that they really are who they say they are; and then authorization is what they're allowed to do once they're authenticated. That's easy to do in an individual or institutional context, but once you're trying to connect across systems and create some kind of federated authentication, that's where new technology is needed.
That's where you need new technology to come into place. Here is an overview of some different technologies that make federated authentication possible. SAML was first created as a standard in 2003; its current version, 2.0, was created in 2005, and this helps exchange authentication and authorization information across domains and platforms for a single sign-on experience. OAuth 2.0 is another protocol used for exchanging authorization information, and it often uses the OpenID Connect standard for providing authentication, though it doesn't have to. Applications or user experiences may combine these methods in various ways, often in ways that are completely invisible to the user. For that reason, it's important to really point out that what is available for libraries to use, and how the different technologies interact, really depends on local decisions that have been made at your institution. Libraries can really never make their own decisions independent of their institutions, and so if you are working in a library, you need to be part of those conversations. You need to be finding out who is making those decisions, be part of that, and understand what is available to you.
I also want to mention some important considerations when you're using any kind of federated authentication technology when it comes to attributes and privacy. Attributes are information about an entity, like an individual user, that can be passed across systems. This can be information like individual usernames or email addresses that is very obviously tied to a specific individual, so you really have to watch out for what information is being released and how it's being used, so that you're not accidentally releasing very individual information across systems that can be used in different ways without your knowledge.

The other thing is that it might seem tempting to use attributes for learning analytics. If you can get very granular pieces of information about a person, you could, for example, find out what database everyone in a certain class is using. But really you need to keep your analytics at a much higher level than this. You really do not want to get down to that granular a level when you're passing attributes, unless you absolutely need to for some reason. If you're running some sort of study for learning analytics that involves any kind of individually identifying information with library systems, you need to do so very thoughtfully, and you need to do so under IRB supervision.

There are initiatives like CAR, which is consent to release attributes, from Internet2, that are trying to make this more obvious to users. We might know what is being released about users, but they may have no idea, and this is a way that you can potentially show users what you're releasing about them and make sure that they're consenting to it.

I also want to mention another thing that comes up a lot in this discussion, which is that a lot of times you can be authorized to use a database,
but then if you want to personalize your experience, there are either required or optional personal accounts. Some databases do not allow you to use them unless you actually do create a personal account, and that can also be done using SAML and having single sign-on. So when you are trying to set this up, you should be able to send data using your SAML connection that allows those accounts to be provisioned using the same account that provides authorization to access the platform, tying those two together, and ideally using some sort of connection that is obvious to the user but doesn't hurt their privacy. You have to be thinking about that. You have to be aware of what attributes your system releases and how those connect across platforms. What happens if you accidentally create multiple accounts? How easy is it to merge those accounts? I accidentally created two Patreon accounts myself, with two OpenID Connect services, one Facebook and one Google, and I have two Patreon accounts and cannot get them re-merged. Taken together, when you are communicating with users, you need to be clear on how such accounts affect their privacy.

I'm now going to turn it over to Hong, who will be talking about the current issues in federated authentication.

Thanks, Margaret. Margaret provided a pretty good overview of authentication and, in general, the remote access user experience for our licensed content. I bet you have heard about the Resource Access for the 21st Century (RA21) project and also SeamlessAccess. The impetus for both initiatives is threefold. The first is to improve the remote access scenario. We have depended on IP-based authentication or username and password for decades, and it is a challenge to access the resources;
but as we are moving into the digital age, the more common scenario is that users come to access those resources from multiple devices, no longer just a computer. Traditional IP-based authentication really forces our researchers and users to come to the library website, or to circle back to find the proxy prefix URL, to try to access the resource. Now the goal is really aiming for delivery at the point of discovery: no matter where they come from, from Google or from the resource itself, they should be able to gain access right away. The second motivation for the project is to improve the usability of access workflows. Again, not to mention those username and password scenarios, it often requires numerous clicks or entering credentials multiple times to try to access the resources, so streamlining that process is really important for the user experience. As Margaret also indicated, there is potential, in addition to authorizing access to the resources themselves, to personalize user services and also to potentially enhance user privacy.

Here is a little overview of both the project and the service. As I mentioned, RA21 was initiated in 2016 to explore the challenges of remote access we are facing, and it involved stakeholders from multiple layers, including publishing, libraries, software, and the broader identity community. The project found that federated authentication is the most promising solution for providing a robust, scalable solution for remote access to scholarly content. The project also investigated the barriers to take-up, developed best practices, and piloted the technical approach to simplify remote access. Then in 2019, SeamlessAccess, the operational successor to the RA21 project, was created as a community-driven effort, with funding from the four major organizations listed here. They deliver operational services plus best practices and standards for facilitating remote
access to resources. The services include a full-time implementation team. It also has a few governance and advisory committees, again including multiple stakeholders, and an outreach committee.

SeamlessAccess, and the RA21 project it is built on, really provide a good chunk of a solution for access. The first piece is Where Are You From (WAYF), which is an essential part of a federated identity management workflow, as Margaret mentioned at the beginning. No matter which device they come from, users will have an opportunity to pick their institution from the WAYF menu to pursue access from anywhere. At the same time, WAYFless URLs can also be generated, similar to the proxy prefix URLs we have had for decades, for users to bypass the WAYF menu and get directly to the login page to access the resources; mostly they use the library website for that. As mentioned before, SeamlessAccess is for streamlining online access and the user experience. It has a standard institutional access button. SeamlessAccess also has a service called Identity Provider Discovery, which provides a standard method to look up your institution. Another service is the persistence service, which can store your institutional choice in your local browser storage: once you choose your institution, you no longer need to go through the WAYF menu every time to choose it. It offers, I believe, three levels of integration options for service providers to integrate their authentication flow with SeamlessAccess. There are a few library vendor examples there, but at the same time, we are still facing challenges.
The first challenge, as we all know, is the user experience for the institutional authentication piece. One issue is that users may not even understand the terminology of institutional authentication. The institutional login can be hard to find in different resources. A third issue is the inconsistent experience across different sites. Challenge two, which some of you might already have encountered: when you come to this WAYF menu, you see duplicated institutional entries with the same display name. The reason is that your institution may have multiple identity providers registered with the same display name, or in different federations. In our case, we have OpenAthens as one federation, and we also used to be an InCommon member. That's a pretty common challenge for a lot of institutions. Challenge three is on the service provider side: even when you get down to the library service providers, there can be inconsistent practices on their side, so libraries have to navigate those differences and nuances at multiple layers.

With all of that, we have given you a quick summary of federated authentication, where we are, and how that impacts the library world. We come to this as a conclusion: what does the library community need to do? We lay it out in the following categories. From a knowledge aspect, we feel we all need to have a basic level of understanding of what a service provider is, what an identity provider is, and what a federation is, and, as Margaret mentioned in previous slides, what attributes are and why those attributes are important to privacy. Another thing to keep in mind is that attribute release is optional.
It's totally under the control of the identity provider. It's not like a service provider can force you to release, or that you just have to put it there. Again, this knowledge will help you understand and have better control when it comes to your institutional configuration. For your local setup, you need to know the services your institution uses for identity management. You also need to know which federation your institution belongs to, or multiple federations, which could be the case, and know your options for authentication configuration, understanding what exactly happens to a user when they come to the authentication and authorization step.

We also want to use this opportunity to add a quick note. Nationally, we all as libraries need to stay updated with the news and the future of federated identity management. We need to develop a collective understanding of federated authentication and its implications for libraries. We really need to collectively build community awareness about those impacts and also the current challenges facing us. The last, and also the most important, is joining the SeamlessAccess community for library voices. As I mentioned at the beginning, there are a lot of different committees and working groups involving multiple stakeholders from SeamlessAccess services, but we have very few library participants there.

I just want to quickly share my personal experience. Last year, while we were in the middle of an OpenAthens implementation process, where I really fully experienced a lot of the challenges, I saw a call for participation for a SeamlessAccess working group. That caught my eye right away. So after more than six months of participating in that group,
I really feel like I learned so much about the much broader issues, not just the library side: what's happening with federated authentication, and what other stakeholders have been doing and implementing. At the same time, I also feel that my contribution to that group is that I was able to contribute the library case and a lot more experience and context knowledge from the library point of view. So we are really hoping that if you are listening to our session, you will get on board, get yourself familiar with this entire evolving area, and be able to join and help us build a community and make the community stronger, and eventually not get left behind going forward.

Thank you so much for coming to our presentation. We also put a list of resources here, so feel free to dive into those for your further interest. Thank you.
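Editor's added example, placed after the presentation and not part of the talk, RA21, or SeamlessAccess: it models the point both speakers make that attribute release is decided per service provider at the identity provider, and that a personal account can be provisioned over the same SAML connection without handing the vendor a username or email. The per-SP pseudonymous identifier is derived with an HMAC in the spirit of the SAML pairwise-id subject identifier; the SP entity IDs, user record, release policy, scope, and secret are all constructed for the example, and the attribute names follow the eduPerson schema.

```python
"""
Editor-added example (not code from the talk, RA21 or SeamlessAccess).

Models the attribute-release decision an identity provider (IdP) makes for
each service provider (SP): only the attributes listed in the policy for
that SP's entityID are released; everything else stays at the IdP.  A
pairwise pseudonymous identifier (in the spirit of the SAML pairwise-id
subject identifier) lets a vendor provision a stable personal account
without receiving the user's username or email.

Entity IDs, the user record, the policy, the scope and the secret are
constructed for this example; attribute names follow the eduPerson schema.
"""
import hashlib
import hmac

# Constructed sample data: one user as stored in the IdP's directory.
USER = {
    "uid": "jdoe",
    "mail": "jdoe@example.edu",
    "displayName": "Jane Doe",
    "eduPersonScopedAffiliation": "member@example.edu",
}

IDP_SCOPE = "example.edu"          # constructed IdP scope
# Secret held only by the IdP; rotating it changes every pairwise-id.
PAIRWISE_SECRET = b"constructed-example-secret-do-not-reuse"

# Per-SP release policy keyed by SP entityID (constructed).  The special
# name "pairwise-id" is derived, not stored.  An SP absent from the policy
# gets nothing: release is opt-in at the IdP, not something the SP demands.
RELEASE_POLICY = {
    "https://db-vendor-a.example.com/shibboleth": {
        "eduPersonScopedAffiliation",   # enough to authorize access
        "pairwise-id",                  # enough to provision a personal account
    },
    "https://db-vendor-b.example.com/sp": {
        "eduPersonScopedAffiliation",
        "pairwise-id",
        "mail",                         # released only where the SP truly needs it
    },
}


def pairwise_id(uid: str, sp_entity_id: str, secret: bytes = PAIRWISE_SECRET,
                scope: str = IDP_SCOPE) -> str:
    """Stable for one (user, SP) pair, different across SPs, so two vendors
    cannot correlate the same person by identifier."""
    msg = f"{uid}\x00{sp_entity_id}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]
    return f"{digest}@{scope}"


def release_attributes(user: dict, sp_entity_id: str,
                       policy: dict = RELEASE_POLICY) -> dict:
    """Return only the attributes the policy allows for this SP."""
    allowed = policy.get(sp_entity_id, set())
    released = {}
    for name in allowed:
        if name == "pairwise-id":
            released[name] = pairwise_id(user["uid"], sp_entity_id)
        elif name in user:
            released[name] = user[name]
    return released


def identifying_attributes_released(released: dict) -> set:
    """The directly identifying attributes the talk warns about, if any
    made it into a release."""
    return {name for name in released if name in {"uid", "mail", "displayName"}}


if __name__ == "__main__":
    for sp in list(RELEASE_POLICY) + ["https://unknown-sp.example.net"]:
        print(sp, release_attributes(USER, sp))
```

Running it shows vendor A receiving an affiliation and an opaque identifier only, vendor B additionally receiving mail because its policy entry lists it, and an SP not in the policy receiving an empty release. The identifier for vendor A and vendor B differ even though it is the same user, which is what prevents cross-vendor correlation while still letting each vendor recognise a returning user.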