Working with 1:1 SAML connections

In October 2021, we presented the third instalment of our publisher webinar series called ‘Talkin ‘bout my federation’. We took a deep dive into the usage of 1:1 connections. If you haven’t watched the webinar yet, fear not – here’s a review!

What are 1:1 SAML connections?

Also referred to as bilateral or peer-to-peer connections, 1:1 SAML connections are flexible ways of connecting and sharing information between SAML-enabled systems. The benefit of this access method is that it can be used to connect Identity Providers (IdP) and Service Providers (SP) without the membership of any identity federation such as InCommon, UK Access Management Federation or Openathens.

1:1 connections are commonly used by customers that are logging into an internal service that has Shibboleth SP setup or by publishers that support SAML but have not joined a federation. IdP software can connect to multiple providers, whether in a federation or through 1:1 connections.

What are the disadvantages of using 1:1 SAML connections?

There are some reasons why you might not want to use a 1:1 connection. These connections can be more complex to set up and require technical knowledge and ongoing maintenance that not all library teams have. This in turn, means greater administrative and overhead costs. There is also the risk of disruptions in service due to metadata or certificate changes. The setup and maintenance are dependent on the IdP and SP co-operating with each other to configure the service, and there is no 3rd party assistance from the federation operator.

The publisher perspective

Publishers have additional considerations. For example, service providers must maintain each individual connection.

Sam commented:

Federated access vs 1:1 SAML connections

Our webinar offers a helpful comparison between 1:1 connections and federated access.

added Sam.

With 1:1 connections, the maintenance of the IdPs connection to the service is being managed with an individual person at each separate institution which is often not scalable.
Establishing a connection via an identity federation means you only need to manage your connection to the federation, liaising with the federation operator only. This also provides access to a team of support specialists for customers and publishers alike.

Why join the OpenAthens Federation?

Most other identity federation are location and sector specific, meaning some IdPs are not eligible for membership. Our primary goal is providing single sign-on services and removing barriers to access. Our identity federation allows participation from any country or sector.
Joining our federation potentially connects to you customers that you would otherwise need to establish 1:1 connections with. Find out who is already part of our federation, check out our federation member list.

We are advocates of federated access with over 25 years of experiencing liaising with SPs on behalf of thousands of organizations around the world. We understand the needs and expectations that they have. With this knowledge and experience, we provide advice and guidance to help you implement various functions including:

• Authorization
• Deep-linking
• Attribute usage
• Advice on the login experience for your users

Wrapping up the webinar, Lionel commented:

SPs using an existing SAML supported platform are able to join our federation with no need to install additional software.