
Federated access management – has it failed the end user?

12 December 2018 • Catherine Micklethwaite, library and information services manager

In July, we hosted a webinar to discuss whether federated access management had failed the end user. We caught up with one of our guest speakers, Catherine Micklethwaite (library and information services manager, Torbay & South Devon NHS Foundation Trust), to find out more.

Many organisations see IP-based access to online content as the most seamless, user-friendly authentication method: the publisher simply checks whether the request arrives from a licensed address range, so the user never has to identify themselves. But what happens when these users attempt to access resources off-site, from an address the publisher does not recognise?

There are various mechanisms (proxy servers and VPNs, for instance) that let users piggyback onto their organisation’s IP address range. Questions start to arise when a large organisation like the UK’s National Health Service (NHS), an OpenAthens customer, is unable to use IP-based access at all.

And what about universities, where many students and researchers need access off-campus, and increasingly, on distance-learning courses, access from anywhere in the world?

The NHS context

The NHS comprises hundreds of organisations, ranging from individual Trusts and commissioning organisations to GP surgeries. Thousands more organisations that provide NHS-commissioned services use resources procured at national level. Other resources purchased at regional or local level are predominantly licensed for local Trust use only. The NHS uses a single IP address range for all NHS Trusts, so a request from that range could come from any Trust. This means that Trusts cannot use IP addresses to authenticate access to locally purchased resources.

Many NHS staff work in the community without a fixed office-based location, so they are never on the NHS network and cannot be recognised by IP address. Additionally, it would be impossible to register the IP address ranges of every wider organisation that provides NHS-commissioned services.

This year marks the 70th anniversary of the NHS. Seamless and easy online access to digital content is more essential than ever as it plans for the future.

Is federated access management the solution to accessing digital content remotely?

One answer is that federated single sign-on from providers such as OpenAthens provides remote access for many sectors. Federated single sign-on is designed to answer the WAYF question, "where are you from?": the user is sent to their own organisation to log in, and that organisation then vouches for them to the publisher. If the publisher trusts the organisation, the user gets access to the resource. Simple.

But are these products the panacea or do they come with their own problems and limitations? Are they failing the end user?

What are the challenges with federated access?

Federated single sign-on can start to fall down when we consider the user journey. There is huge variation in authentication routes and terminology used by different publishing websites.

For instance, on one website a user may need to find the option to authenticate via “OpenAthens access”, and on another via “Federated Access Management access”. This can leave the user scrolling through a long list of organisation names to find their own.

Others may need to define their country first. If the user is an international distance-learning student, do they pick their own country or the host nation? They then select their organisation. If the student belongs to an alliance of organisations like the University of London, which college do they choose?

It all starts to get a little convoluted. And this process is often replicated on each publisher’s website. There must be a way to carry a user's home organisation, once chosen, across all of them.

Search via the NHS portal

Within the NHS, users are encouraged to access resources via a national portal, where a more seamless approach is available. Links take users directly to the correct sign-in page. They enter their username and password only once per session and get immediate access to various sites, provided they go back to the national portal each time.

But if a user opts to use third-party search tools, such as Google Scholar or PubMed, this portal idea falls down, because these tools link directly to publisher websites without any WAYF links.

Other types of access

Another issue is that not all publishers offer federated single sign-on. Most of the large publishers do, but many smaller publishers struggle to implement it without the capacity or knowledge.

A downside of this unwieldy user journey is that human nature will seek the easiest route to obtain information. And this may happen to be via websites offering illegal access in a simpler and more streamlined fashion.

The challenge for publishers is to keep the advantages of federated single sign-on (trust between organisations, protection of user privacy, since the publisher learns only that the user belongs to a licensed organisation, and control over who is granted access) while offering the seamlessness of IP-based access.

How is this challenge being addressed?

RA21 initiative

Resource Access for the 21st Century (RA21) is a joint STM and NISO initiative which aims to make federated identity simpler and more standardised for the user. The RA21 pilots have just completed. RA21 is now looking at the specific needs of healthcare professionals through its new hospital/clinical working group.

RA21 is a voluntary code that will allow providers to remember where users are from (the home organisation they chose at the WAYF step) whilst still preserving user privacy. Importantly, it will remove the need for users to enter passwords multiple times.

In theory, RA21 could improve access and result in a much-improved user flow through standardised user journeys and terminology.

However, as a voluntary system, it may prove difficult to ensure all publishers sign up, particularly the smaller ones. RA21 is trying to help these smaller publishers get on board by making the design patterns and code open source.

OpenAthens Redirector

OpenAthens has also helped to address two of these major barriers to access through their Redirector and Wayfinder products.

The Redirector service provides one-step access to subscription and other paid-for content. It does this by requesting credentials when users are off-network and serving the content directly when they are in IP range.

Wayfinder is a free organisational discovery tool that makes it easier for users to find their home organisation to log in. It does this through geo-location, or by the user typing their home organisation’s name or their email address into the search bar.
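The three mechanisms described on this page (serve directly when the client is inside a licensed IP range, otherwise find the home organisation from a remembered choice or from the domain of a typed email address, then send the user to that organisation's identity provider) are easiest to see as one decision function. The block below is an added example written for this page; it is not OpenAthens, RA21 or NHS code, and every organisation, address range, domain and entity ID in it is constructed. It also shows the caveat from the NHS section: when two organisations share one IP range, the address alone cannot say which licence applies, so the user must be asked where they are from.

```python
"""
Access-gateway decision logic for subscription content: IP-range
short-circuit, then IdP discovery from a remembered choice or an email
domain.  Added example, not OpenAthens, RA21 or NHS code.  All federation
data below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed federation metadata: organisation key -> record.
FEDERATION: Dict[str, dict] = {
    "trust-a": {
        "entity_id": "https://idp.trust-a.example/saml",
        "ip_ranges": ["203.0.113.0/24"],       # shared range, like the NHS case
        "email_domains": ["trust-a.example"],
    },
    "trust-b": {
        "entity_id": "https://idp.trust-b.example/saml",
        "ip_ranges": ["203.0.113.0/24"],       # the same shared range
        "email_domains": ["trust-b.example"],
    },
    "uni-c": {
        "entity_id": "https://idp.uni-c.example/saml",
        "ip_ranges": ["198.51.100.0/24"],      # campus range, used by one org only
        "email_domains": ["uni-c.example", "student.uni-c.example"],
    },
}

# Only IdPs listed in federation metadata may ever be redirected to.
KNOWN_ENTITY_IDS = {org["entity_id"] for org in FEDERATION.values()}


@dataclass
class Decision:
    action: str                       # "serve", "redirect_to_idp" or "discovery"
    entity_id: Optional[str] = None   # IdP to send the user to, if any
    reason: str = ""


def orgs_for_ip(client_ip: str) -> List[str]:
    """All organisations whose licensed ranges contain client_ip.

    More than one match means the range is shared, so the address alone
    cannot identify the licence (the NHS single-range problem).
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return []
    return [
        key for key, org in FEDERATION.items()
        if any(addr in ipaddress.ip_network(cidr) for cidr in org["ip_ranges"])
    ]


def org_for_email(email: str) -> Optional[str]:
    """Find a home organisation from the domain part of an email address.

    Only the domain is used and nothing is stored: the gateway never needs
    to know who the user is, just where they are from.
    """
    if email.count("@") != 1:
        return None
    domain = email.rsplit("@", 1)[1].strip().lower().rstrip(".")
    for key, org in FEDERATION.items():
        if domain in org["email_domains"]:
            return key
    return None


def decide_access(client_ip: str,
                  remembered_entity_id: Optional[str] = None,
                  typed_email: Optional[str] = None) -> Decision:
    """Redirector-style: serve on a unique licensed range; otherwise discover."""
    matches = orgs_for_ip(client_ip)
    if len(matches) == 1:
        return Decision("serve", reason=f"inside licensed range of {matches[0]}")
    # A remembered choice (RA21-style persistence) is honoured only if it names
    # a known IdP; an arbitrary stored value must not become an open redirect.
    if remembered_entity_id in KNOWN_ENTITY_IDS:
        return Decision("redirect_to_idp", remembered_entity_id, "remembered choice")
    if typed_email:
        key = org_for_email(typed_email)
        if key:
            return Decision("redirect_to_idp", FEDERATION[key]["entity_id"],
                            "matched email domain")
    reason = ("shared range; IP cannot identify the licence" if matches
              else "off-network and no known home organisation")
    return Decision("discovery", reason=reason)
```

A campus address resolves to "serve" without any prompt, while an address in the shared range yields "discovery" until the user supplies a remembered choice or an email domain; a stored entity ID that is not in the federation metadata is ignored rather than followed.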

In summary…

We must find a solution to the problems of federated single sign-on and the user journey, to enable seamless on-site and off-site access to resources for a wide variety of NHS organisations.

The ultimate user journey would be for users to enter their username and password just once. Each subsequent website would then rely on that sign-in, and on the home organisation already chosen at the WAYF step, rather than asking again. That device or account then remembers the entry point for future access.

This will require a much larger cohort of publishers to adopt standards-based federated single sign-on technology and RA21 recommended user journeys to online content.
