As a global academic publisher, IOP Publishing needs seamless ways to offer its content digitally to academic subscribers around the world.
To achieve this, it has agreements with eight identity federations, enabling global users to authenticate via their home organization rather than with the publisher. But despite the attractions of federated access, offering content via identity federations can be a complex technical challenge.
Until recently, IOP Publishing was using an ageing and unstable Shibboleth system. And as software engineering manager John Leopold explains, it required specialist external support to maintain.
“We were running an old version of Shibboleth software. The wrapper code was written 13–15 years ago and the people who’d written it had left. The server it was running on used an old, end-of-life OS that we couldn’t patch. It was a horrible system – and we needed to do something about it.”
The ‘default option’, says John, would have been to build another system based on Shibboleth – but that would have been complex and time-consuming.
So he says it was a ‘no-brainer’ to choose an alternative: a cloud-based SaaS system, OpenAthens Keystone.
With the help of consultancy from OpenAthens, IOP Publishing migrated to the Keystone SaaS system. IOP Publishing then integrated Keystone with their IOPscience website using a serverless architecture hosted on the Amazon Web Services cloud.
Despite the need to co-ordinate this technically advanced migration with eight separate identity federations, it completed successfully at the first attempt, in less than two hours.
Benefits and results
After the success of the migration, the main benefits of using the new Keystone system are ease of use and ease of maintenance, John explains.
“In the past, if we had to add a new identity federation, it has taken months of effort – and we’ve had to have a consultant in for about two months, which comes with a cost. Now, it’s mainly a configuration process, and the job is done. In fact, we went live with OpenAthens in less time than it would have taken to add a new federation under the old system.”
“Wayfinder means that users have a more pleasant experience. At the same time, we get better visibility over how people are interacting with and logging into the service, without compromising their identity or privacy.”
The process of moving to OpenAthens was, John says, a smooth one – and made easier by using OpenAthens consultancy. “We expected it to be complex, and that was a benefit of using the consultancy,” he says.
In terms of co-ordinating identity federations, IOP Publishing gave a month’s notice of the migration. In retrospect, John says, he would have started the communication process earlier, but it turned out well. “Getting it all to synchronize was a challenge, but we got there without much pain,” he says.
Keystone’s relative ease of use is already promising practical business benefits in future, says John.
“An existing customer wants to access our federated system using the SAML protocol. OpenAthens Keystone supports SAML, so this will be a configuration exercise. But with our previous software it would have been impossible to do. So Keystone is enabling IOP Publishing to be flexible and meet the business needs of its customers.”
In addition, as the RA21 resource access standard is codified and adopted, John believes that Keystone will help in that process. “My hope is that OpenAthens federated access management solution will enable us to comply with RA21 without engineering work,” he says.