Talkin ’bout my federation
This is the first post in a series we’ve designed for the benefit of our publisher customers. Our goal is to remove some of the mystique around authentication, provide useful industry insights and, ultimately, ensure you’re getting the most out of our products and services. We’re starting the series with one of the most important, but most widely misunderstood, topics: Federations.
Hold on… first we need to talk about SAML
Security Assertion Markup Language (SAML) underpins everything OpenAthens does, so it’s worth having some understanding of what it is and why we build all our products on it. SAML is widely used for authentication: if you’ve ever signed in to a workplace or university application through your own organisation’s login page, there’s a good chance SAML was doing the work behind the scenes. When we talk about SAML, we’re really talking about single sign-on (SSO): signing in once, with a single username and password, to access online content from many different sites.
With OpenAthens, and more broadly SAML, there are two key players to consider and it’s useful to understand their roles in making SSO work.
The first is the service provider (SP), for example a publisher’s journal platform, a database or an e-book platform. SPs sell content to organisations and need to provide secure access to it.
The second is the identity provider (IdP), for example a university, hospital or public library. IdPs have users who need to access journals, databases and similar content from service providers.
When a user logs in to access Journal A, the IdP completes the authentication and vouches for the user: “we confirm this user is a student in the biology department at the University of Coventry”. The SP then completes the authorisation: “we confirm that this organisation’s users can access Journal A, but not Journal B”. In SAML terms, the IdP sends the SP a digitally signed assertion containing that statement, and the SP makes its access decision from the attributes in it; the SP never sees the user’s password.
This exchange of information at login makes SAML well suited to providing secure access to your content: you know which organisation (and, if the IdP releases it, which kind of user) is accessing your platform, and how often.
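The service-provider half of that exchange, as an added example (not OpenAthens or Shibboleth code): the IdP has authenticated the user and returned an assertion, and the SP checks that the assertion is addressed to it and still valid, reads the attributes, and makes the authorisation decision for Journal A and Journal B. The entity IDs, attribute values, journal names and licensing table are constructed for illustration; the attribute OIDs are the standard eduPerson ones. A real assertion also carries an XML Signature that the SP’s SAML library must verify against the IdP’s certificate before anything else is trusted; that step is assumed done here and not shown.

```python
"""SP-side processing of a SAML assertion: validity checks, attributes, authorisation."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The publisher's own SAML entity ID (constructed for this example).
OUR_ENTITY_ID = "https://journals.example-publisher.com/sp"

# Constructed assertion, as an IdP would return it after the user logs in.
# The XML Signature a real assertion carries is omitted; it is assumed to
# have been verified by the SAML library before this code runs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-03-01T10:00:00Z">
  <saml:Issuer>https://idp.example-university.ac.uk/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>_n1</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-03-01T09:59:00Z" NotOnOrAfter="2024-03-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://journals.example-publisher.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>student@example-university.ac.uk</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">
      <saml:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Key attributes by the OID in Name, not by the IdP-supplied FriendlyName,
# so two IdPs labelling the same attribute differently still map correctly.
ATTRIBUTE_NAMES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
}

# Publisher-side licensing table (constructed): per journal, which affiliations
# at which organisation (the scope after '@') hold a licence.
LICENCES = {
    "Journal A": {"example-university.ac.uk": {"student", "staff", "member"}},
    "Journal B": {"example-university.ac.uk": {"staff"}},
}


def _ts(value):
    """Accept a datetime or a SAML UTC timestamp string such as 2024-03-01T10:00:00Z."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion, our_entity_id, now):
    """Return None if the assertion may be used by this SP now, else the reason it may not."""
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return "no Conditions element"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _ts(not_before):
        return "assertion not yet valid"
    if not_on_or_after and now >= _ts(not_on_or_after):
        return "assertion expired"
    # An assertion minted for another SP must not be replayed against this one.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if our_entity_id not in audiences:
        return "assertion issued for a different service provider"
    return None


def extract_attributes(assertion):
    """Collect the attributes the IdP released, keyed by our internal names."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = ATTRIBUTE_NAMES.get(attr.get("Name"))
        if name:
            attrs[name] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def authorise(attrs, journal):
    """The SP's decision: does any released affiliation carry a licence for this journal?"""
    for value in attrs.get("eduPersonScopedAffiliation", []):
        affiliation, _, scope = value.partition("@")
        if affiliation in LICENCES.get(journal, {}).get(scope, set()):
            return True
    return False


def process_assertion(xml_text, journal, now, our_entity_id=OUR_ENTITY_ID):
    """Full SP flow: validity checks, then attributes, then the access decision."""
    assertion = ET.fromstring(xml_text)
    reason = check_conditions(assertion, our_entity_id, _ts(now))
    if reason is not None:
        return {"issuer": None, "attributes": {}, "access": False, "reason": reason}
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    attrs = extract_attributes(assertion)
    access = authorise(attrs, journal)
    return {"issuer": issuer, "attributes": attrs, "access": access,
            "reason": None if access else "no licence for this journal"}


if __name__ == "__main__":
    for journal in ("Journal A", "Journal B"):
        print(journal, process_assertion(SAMPLE_ASSERTION, journal, "2024-03-01T10:01:00Z"))
```

With the constructed student assertion, Journal A is granted and Journal B refused; the same assertion presented after its NotOnOrAfter time, or to an SP whose entity ID is not in the Audience, is rejected before any attribute is read.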
*So, what’s Shibboleth? – Shibboleth and OpenAthens essentially do the same thing, except Shibboleth is open-source and OpenAthens is a fully managed service. SAML, OpenAthens and Shibboleth are often used interchangeably – the important thing to remember is they all work together!*
Key SAML takeaways
- SSO – users sign in to multiple third-party sites with the username and password their own organisation gave them.
- Highly secure – users are authenticated by their own organisation, so your site never handles their password; the assertion the IdP sends you is digitally signed and carried over TLS, so it cannot be forged or altered in transit.
- It’s a standard – SAML is widely used and interoperable, and is the established standard for single sign-on between organisations; Microsoft, Google and most enterprise identity platforms support it.
- Flexible – Unlike IP-based authentication, information such as organisation, job role and faculty can be passed to a publisher when a user logs in.
- IP free! – SAML does not use IP addresses for authentication, so users can access content wherever they are, on any device.
A simple web search will tell you everything you need to know about Federations, in the sense that it will show you they appear highly technical and are difficult to describe without resorting to tech-speak. Behind all that jargon, though, is some incredibly useful functionality that it’s important to be aware of.
Joining a Federation
Whether you are using Shibboleth or Keystone, as a customer you will already be in the OpenAthens Federation: every library, university, app or publisher using our products is. We talk about customers being members because a Federation really is like a club, one where OpenAthens checks that everyone adheres to the SAML standard and publishes metadata listing every member’s entity ID, endpoints and signing certificate. Your SAML software uses that metadata to decide whose logins to accept, so you can be assured that any login via our Federation is as it should be.
Federations build on top of the technology already discussed, so in addition to those key takeaways outlined earlier, there are a few more important benefits to consider, the first of which – Scalability.
Just one integration
Publishers license content to dozens, if not hundreds, of organisations, and providing access to that many customers is a challenge. IP authentication can look like an easy solution, but beyond the obvious security and remote-access concerns, access breaks whenever address ranges change on either side, and dynamic IP addresses raise an entirely new set of problems.
Federations provide a robust and secure alternative. Once a publisher has integrated SAML into their platform they can join a Federation, such as OpenAthens, and make their content available to every organisation in it.
So long as the publisher and their customer are in the same Federation, access can be switched on by agreement (typically an email exchange to confirm the customer’s entitlement); no further technical integration is needed on either side. This means you can provide secure SSO to many customers with a single solution, such as OpenAthens Keystone, our SAML service for publishers.
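How “we are both members” becomes a technical trust decision, as an added example (not OpenAthens code): a federation publishes a SAML metadata aggregate listing every member’s entity ID, role, endpoints, signing certificate and, for IdPs, the attribute scopes each is allowed to assert (the Shibboleth shibmd:Scope extension). An SP that loads that aggregate can accept logins from any member IdP, and reject any issuer or scope not registered there, without a bilateral integration. The entity IDs, URLs and scopes below are constructed; the signature over the aggregate and the per-member signing certificates are assumed to have been verified and are omitted.

```python
"""Building a trusted-IdP registry from federation metadata and checking logins against it."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed federation metadata aggregate: two IdPs (a university and a
# hospital) and one SP (the publisher). Real aggregates also carry a
# KeyDescriptor with each member's signing certificate and an XML Signature
# from the federation operator; both are omitted here.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    Name="urn:example:federation" validUntil="2024-03-08T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example-university.ac.uk/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">example-university.ac.uk</shibmd:Scope></md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example-university.ac.uk/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example-hospital.nhs.uk/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">example-hospital.nhs.uk</shibmd:Scope></md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example-hospital.nhs.uk/saml/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://journals.example-publisher.com/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://journals.example-publisher.com/sp/acs" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _ts(value):
    """Accept a datetime or a SAML UTC timestamp string such as 2024-03-08T00:00:00Z."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_federation(xml_text, now):
    """Return {entityID: {"sso": [...], "scopes": [...]}} for every IdP in the aggregate."""
    root = ET.fromstring(xml_text)
    # Stale metadata means stale trust: a member the federation has removed
    # would still be accepted. Refuse to use an aggregate past validUntil.
    valid_until = root.get("validUntil")
    if valid_until and _ts(now) >= _ts(valid_until):
        raise ValueError("federation metadata has expired; refresh it before trusting it")
    idps = {}
    for ent in root.findall("md:EntityDescriptor", NS):
        idp = ent.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SPs are listed too; for accepting logins we only need IdPs
        idps[ent.get("entityID")] = {
            "sso": [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)],
            "scopes": [s.text for s in idp.findall("md:Extensions/shibmd:Scope", NS)],
        }
    return idps


def accept_login(idps, issuer, scoped_value):
    """Accept only federation members, and only scopes the issuing IdP is registered for.

    Without the scope check, any member IdP could assert
    'student@example-university.ac.uk' and obtain the university's licences.
    """
    if issuer not in idps:
        return False, "issuer is not a member of the federation"
    _, _, scope = scoped_value.partition("@")
    if scope not in idps[issuer]["scopes"]:
        return False, f"IdP is not registered for scope {scope!r}"
    return True, None


if __name__ == "__main__":
    fed = load_federation(SAMPLE_METADATA, "2024-03-01T12:00:00Z")
    uni = "https://idp.example-university.ac.uk/idp/shibboleth"
    hosp = "https://idp.example-hospital.nhs.uk/saml"
    print(accept_login(fed, uni, "student@example-university.ac.uk"))
    print(accept_login(fed, hosp, "student@example-university.ac.uk"))
    print(accept_login(fed, "https://rogue.example/idp", "student@example-university.ac.uk"))
```

The registry is rebuilt from the aggregate rather than maintained by hand, which is what makes one integration scale to every member; the validUntil and scope checks are the two that are most often skipped in home-grown SAML code and most worth keeping.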
The tricky bit…
Over 60 countries have built their own Federations, generally for use by the academic and research institutions in that country. This makes sense, since those institutions tend to share a vision and subscribe to the same content.
However, these Federations are mostly publicly funded, which partly explains why there isn’t just one giant Federation (I’ll come back to this later) and why non-academic organisations are less well represented*. The good news is that all Federations use the SAML standard, so if you have an international customer base, chances are you can provide SSO to even more of your customers.
*OpenAthens is unique in that we have customers from all sectors and countries.
Then there’s eduGAIN
eduGAIN builds on the scalability and standardisation the national Federations provide: it links most of the world’s Federations into one mega-Federation. By joining one participating Federation (e.g. the UK federation) you can make your content accessible to organisations in all the other participating Federations. You no longer need to integrate with each Federation individually (although you will still have to complete a registration form for each one). This is where adopting a standard approach (SAML) comes into its own.
Finally, one huge benefit of using a Federation is seamless SSO: a user logs in once and isn’t asked to log in again at another site during their session. Seamless SSO is far easier to deliver through a Federation, because every publisher in it adopts the same standard approach to access, which makes for a much better user experience.
- Stability – Federations are robust services that maintain connections between you and your customers, so you don’t have to.
- Scalability – Federations use SAML – implement SAML once and it won’t require individual integrations with your customers.
- Global standard – with Keystone you can enable access to our Federation and any other Federation, increasing your content’s availability via SSO.
- User experience – standardised and universal login experience for users.
- Security – Federations are built on trust: every member has been checked by the Federation operator before being listed, and all the others rely on that listing.
Are you interested in publisher consultancy services?
With over 25 years’ experience, we’re leading experts in federated single sign-on worldwide. We understand the challenges publishers face in delivering access to data and information to those who need it. Leave all the tricky technical work to us!