Working with 1:1 SAML connections
In October 2021, we presented the third instalment of our publisher webinar series, ‘Talkin’ ’bout my federation’. We took a deep dive into the usage of 1:1 connections. If you haven’t watched the webinar yet, fear not – here’s a review!
What are 1:1 SAML connections?
Also referred to as bilateral or peer-to-peer connections, 1:1 SAML connections are a flexible way of connecting and sharing information between SAML-enabled systems. The benefit of this access method is that it can be used to connect Identity Providers (IdPs) and Service Providers (SPs) without membership of any identity federation such as InCommon, the UK Access Management Federation or OpenAthens.
1:1 connections are commonly used by customers logging into an internal service that has a Shibboleth SP set up, or by publishers that support SAML but have not joined a federation. IdP software can connect to multiple providers, whether through a federation or through 1:1 connections.
What are the disadvantages of using 1:1 SAML connections?
There are some reasons why you might not want to use a 1:1 connection. These connections can be more complex to set up and require technical knowledge and ongoing maintenance that not all library teams have. This, in turn, means greater administrative and overhead costs. There is also the risk of disruption to the service when either side's metadata or certificates change, because nothing refreshes them automatically. Setup and maintenance depend on the IdP and SP co-operating with each other to configure the service, and there is no third-party assistance from a federation operator.
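The disruption risk above comes from the fact that a 1:1 connection pins a hand-copied snapshot of the partner's SAML metadata, whereas a federation refreshes entities from a signed aggregate. The following script, an added example that is not part of the webinar or of any OpenAthens tooling, shows the kind of check a library or publisher team can run over such a snapshot: it parses the EntityDescriptor, flags a `validUntil` that has passed, and compares the signing certificates against SHA-256 fingerprints pinned by the operator, so a quiet certificate rotation is noticed before users lose access. The entity ID, endpoints and certificate bytes are constructed placeholders, and the metadata is assumed to have been signature-checked before it reaches this parser.

```python
"""Drift check for a 1:1 SAML connection's pinned metadata (stdlib only).

Added example; hypothetical helper, not OpenAthens or Shibboleth code.
"""
import base64
import hashlib
from datetime import datetime, timezone
# Assumption: the metadata document was signature-verified before parsing.
# For metadata from an untrusted source, parse with defusedxml instead.
from xml.etree import ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: a minimal IdP EntityDescriptor. The certificate body is
# placeholder bytes, not a real X.509 certificate; only its fingerprint matters.
SAMPLE_CERT_B64 = base64.b64encode(b"placeholder-idp-signing-cert-v1").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.edu/idp/shibboleth"
    validUntil="2021-11-30T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_time(value):
    """Parse the xs:dateTime form used in SAML metadata (trailing 'Z' = UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def cert_fingerprint(b64_cert):
    """SHA-256 over the DER bytes, the form metadata tools usually display."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def parse_metadata(xml_text):
    """Return entityID, validUntil and the signing-certificate fingerprints."""
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    signing = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            signing.append(cert_fingerprint(cert.text or ""))
    return {
        "entity_id": root.get("entityID"),
        "valid_until": parse_time(valid_until) if valid_until else None,
        "signing_fingerprints": signing,
    }


def check_metadata(xml_text, pinned_fingerprints, now=None):
    """List the problems an operator should act on; empty list means healthy."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_time(now)
    md = parse_metadata(xml_text)
    findings = []
    if md["valid_until"] is not None and md["valid_until"] <= now:
        findings.append(f"validUntil {md['valid_until'].isoformat()} has passed; refresh metadata")
    seen = set(md["signing_fingerprints"])
    pinned = set(pinned_fingerprints)
    if not seen:
        findings.append("no signing certificate in metadata")
    for fp in sorted(seen - pinned):
        findings.append(f"unpinned signing certificate {fp[:16]}...; confirm rotation with the partner")
    for fp in sorted(pinned - seen):
        findings.append(f"pinned certificate {fp[:16]}... no longer in metadata; update the pin")
    return findings


if __name__ == "__main__":
    pins = {cert_fingerprint(SAMPLE_CERT_B64)}
    for problem in check_metadata(SAMPLE_METADATA, pins) or ["metadata healthy"]:
        print(problem)
```

Run on a schedule against each bilateral partner's stored metadata, this turns the "silent" failure mode of a 1:1 connection (a certificate or validity window changing without notice) into a ticket raised before the login page breaks.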
The publisher perspective
Publishers have additional considerations. For example, service providers must maintain each individual connection.
“One publisher might have around 400 customers. To set up each of those customers as a 1:1 connection, you could be looking at 20 to 30 service tickets per day for up to four weeks.”
Federated access vs 1:1 SAML connections
Our webinar offers a helpful comparison between 1:1 connections and federated access.
“Using multiple 1:1 connections can feel like a spider web. With the OpenAthens Federation, service providers and identity providers only need to maintain a single connection to be part of a trusted network of entities.”
With 1:1 connections, the IdP's connection to the service is maintained by an individual person at each separate institution, which is often not scalable.
Establishing a connection via an identity federation means you only need to manage your connection to the federation, liaising with the federation operator alone. This also gives customers and publishers alike access to a team of support specialists.
Why join the OpenAthens Federation?
Most other identity federations are location- and sector-specific, meaning some IdPs are not eligible for membership. Our primary goal is providing single sign-on services and removing barriers to access. Our identity federation allows participation from any country or sector.
Joining our federation potentially connects you to customers with whom you would otherwise need to establish 1:1 connections. To find out who is already part of our federation, check out our federation member list.
We are advocates of federated access, with over 25 years of experience liaising with SPs on behalf of thousands of organizations around the world. We understand the needs and expectations that they have. With this knowledge and experience, we provide advice and guidance to help you implement various functions, including:
- Attribute usage
- Advice on the login experience for your users
Wrapping up the webinar, Lionel commented:
“We have about fifty highly trained IT professionals who make sure that the OpenAthens Federation is running smoothly at all times. The technical support team operates between 07:00 and 22:00 so that we can offer assistance to clients in international time zones. OpenAthens is truly an international federation with a client base across multiple sectors.”
SPs using an existing SAML-supporting platform are able to join our federation with no need to install additional software.