Step 2: platform upgrade
The assessment done in step one will tell you how much change your team needs to implement before you can proceed further.
What kind of upgrades might you expect?
Install OpenID Connect on your platform
OpenID Connect allows publishers and service providers to verify the identity of the user based on the authentication performed by an authorization server. It also allows you to obtain basic profile information about the end-user in an interoperable and REST-like manner.
Make sure your subscriptions management system can handle attributes
Your subscriptions management system will need to be enhanced to handle the institutional identifiers (attributes) passed by OpenAthens for authorisation in addition to the existing ways of authorising users.
Implement WAYFless and deeplinking
In identity federations, the publisher or service provider platform needs to know where to send the end-user for authentication. This is called discovery. There are two ways to achieve it, WAYFless URLs and deep linking, and implementing both is recommended.
Attributes, personalization and privacy
In essence, attributes are data points exchanged between your platform and the institution during authorization.
Standard attributes allow you to differentiate between individual users while maintaining their privacy at the same time. Extended attributes like name or email are often used to provide personalization features, but you need to make sure your privacy policy and your agreement with the customer allow you to process personal data about those users.
More on standard and extended attributes
Standard attributes
One of the major advantages of an identity federation is that a standard set of attribute names can be defined. This means that in most cases, both identity providers and service providers can use generic set-ups and do not need to maintain hundreds of separate configurations.
Extended attributes
Whilst you can make use of these attributes, you should neither expect nor require them. This is because local data protection laws, policies, user objections, or other restraints may prevent an identity provider from releasing these to you. Consequently, you must not use them for authorization.
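The following is an added example (not OpenAthens code, and not from the original page) of how a subscriptions management system can act on the points above: basic sanity checks on the claims of an already signature-verified OpenID Connect ID token, an authorization decision driven only by the institutional identifier (a standard attribute), and name/email (extended attributes) used purely for personalization, only when the customer agreement permits it, and never required. The attribute names `organisation_id` and `entitlement`, the subscriptions table, the issuer, client id and nonce are all constructed assumptions for the example; the real attribute names come from the federation.

```python
import time
from dataclasses import dataclass, field

# Hypothetical attribute names (assumption for this example; the real names
# are defined by the federation/OpenAthens and are not on this page).
STANDARD_ATTRS = ("organisation_id", "entitlement")
EXTENDED_ATTRS = ("name", "email")  # personal data: optional, personalization only

# Constructed subscriptions table: institution identifier -> licensed resources
SUBSCRIPTIONS = {
    "org-1001": {"journal-a", "journal-b"},
    "org-2002": {"journal-a"},
}

# Constructed per-customer record of whether the agreement and privacy
# policy permit processing personal data (extended attributes).
PERSONAL_DATA_PERMITTED = {"org-1001": True, "org-2002": False}

# Constructed OIDC parameters the service provider would know from its own
# configuration and from the authorization request it sent.
ISSUER = "https://idp.example.org"
CLIENT_ID = "publisher-platform"
NONCE = "n-0S6_WzA2Mj"

# Constructed claims, as they would look after the ID token signature has
# been verified by an OIDC library.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": CLIENT_ID,
    "exp": 2_000_000_000,
    "nonce": NONCE,
    "sub": "pairwise-abc123",           # opaque, privacy-preserving identifier
    "organisation_id": "org-1001",      # standard attribute (hypothetical name)
    "entitlement": "urn:mace:dir:entitlement:common-lib-terms",
    "name": "Example Reader",           # extended attribute
    "email": "reader@example.org",      # extended attribute
}


@dataclass
class Decision:
    authorized: bool
    reason: str
    personalization: dict = field(default_factory=dict)


def validate_id_token_claims(claims, issuer, client_id, nonce, now=None):
    """Return a list of problems with the claims; an empty list means OK.
    Signature verification is assumed to have happened already."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired")
    if claims.get("nonce") != nonce:
        problems.append("nonce mismatch")
    return problems


def authorize(claims, resource, issuer, client_id, nonce, now=None):
    """Decide access to `resource` from standard attributes only; extended
    attributes are never required and never influence the decision."""
    problems = validate_id_token_claims(claims, issuer, client_id, nonce, now)
    if problems:
        return Decision(False, "; ".join(problems))

    org = claims.get("organisation_id")
    if not org:
        # Missing institutional identifier: do not fall back on name/email.
        return Decision(False, "no institutional identifier released")

    if resource not in SUBSCRIPTIONS.get(org, set()):
        return Decision(False, f"{org} has no subscription to {resource}")

    personalization = {}
    if PERSONAL_DATA_PERMITTED.get(org, False):
        # Use extended attributes only if the IdP chose to release them.
        for attr in EXTENDED_ATTRS:
            if attr in claims:
                personalization[attr] = claims[attr]
    return Decision(True, f"{org} is licensed for {resource}", personalization)


if __name__ == "__main__":
    print(authorize(SAMPLE_CLAIMS, "journal-a", ISSUER, CLIENT_ID, NONCE, now=1_700_000_000))
    print(authorize(SAMPLE_CLAIMS, "journal-c", ISSUER, CLIENT_ID, NONCE, now=1_700_000_000))
```

The design point is the separation: `authorize` reaches a verdict before it ever looks at `name` or `email`, so a user whose identity provider withholds those attributes (for legal, policy or personal reasons) gets exactly the same access as one whose identity provider releases them, and a customer whose agreement does not cover personal data never has it stored.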