Engagement in Resolving the Community's Concerns
Use Case Descriptions for Libraries to Come
The Seamless Access project (seamlessaccess.org) continues to work not only to provide the Seamless Access service that smooths the user experience of federated authentication, but also to help in areas of the federated authentication space where there are gaps that the group is well suited to fill.
One such gap was identified early on in the need for a technical standard for which attributes should be shared between the organization and the service provider or publisher. For the typical library use case, where the goal is to have no personal information shared at all, there were no existing standards that described which attributes should be used to maintain the desired level of privacy. Seamless Access convened a working group to create new federated authentication entity categories that described two default methods of authentication and which attributes should be used in each.
The first of these is the Anonymous Entity Category, where the only information shared between the organization’s identity system and the service provider or publisher is an anonymous attribute that says “whoever this is that’s asking, they can have access to the thing they are asking for.” The second is a variation on this, a Pseudonymous Entity Category that passes no personal identification, but uses a reusable token to allow for personalization of the interface. Imagine a situation where a resource might want to be able to suggest articles similar to one that was previously downloaded, or to surface new options based on earlier choices. In this case, the system needs to know that the researcher is the same person as before, even as it is prevented from knowing who specifically the researcher is.
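The difference between the two categories can be shown as an attribute release filter on the organization's side. This is an added sketch, not code from Seamless Access or from the entity category specifications: the category labels, attribute names, service identifiers and the HMAC-based token derivation are assumptions chosen for illustration, and the per-service token goes one step beyond the text by also keeping two services from comparing tokens.

```python
import hashlib
import hmac

# Hypothetical category labels and attribute names for this sketch; a real
# deployment uses the identifiers defined by its federation.
ANONYMOUS = "anonymous"
PSEUDONYMOUS = "pseudonymous"

# Constructed directory record held by the organization's identity system.
USER = {
    "uid": "jdoe",
    "mail": "jdoe@library.example",
    "display_name": "Jane Doe",
}


def pseudonym(secret: bytes, uid: str, sp_id: str) -> str:
    """Reusable token for one user at one service that does not reveal the uid.

    HMAC over (service, user) keyed with a secret only the organization holds:
    the same user gets the same token at a given service on every visit, a
    different token at every other service, and no service can invert it.
    """
    msg = sp_id.encode() + b"\x00" + uid.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def release(user: dict, sp_id: str, category: str, secret: bytes) -> dict:
    """Return only the attributes the service's category permits."""
    if category == ANONYMOUS:
        # Nothing about the person, only that access is allowed.
        return {"authorized": True}
    if category == PSEUDONYMOUS:
        # Still no personal data; the token lets the service recognize a
        # returning user for personalization.
        return {"authorized": True, "token": pseudonym(secret, user["uid"], sp_id)}
    # Fail closed: an unrecognized category gets nothing.
    return {}
```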
This work is technically necessary for many library use cases, but doing this work illuminated another issue in the ecosystem. Libraries sign contracts with vendors and publishers that outline authentication and privacy expectations, and none of these contracts speak specifically to these new privacy-preserving entity categories, or in most cases to federated authentication at all. Thus another working group convened to try to work through this issue, the Contract Language working group.
The goal of the Contract Language working group is to put together a toolkit that libraries can use as publishers begin to offer federated authentication as an option for access to their resources. The toolkit is meant to help libraries sort through the specific way they expect a resource to be used and choose language that is appropriate to the level of attribute release they wish to happen. The library will have to work locally with its IT department or whoever is in charge of its local authentication system to ensure that the local details are being handled appropriately, but this toolkit will hopefully ease both negotiation and privacy expectations between the library and the publishers.
The goal is to have the beta version of the toolkit available early in the fall, but the first piece of the toolkit, the Use Case Descriptions for Libraries, will be available in the next few weeks. It’s currently under final internal review, and we hope to be able to share it very soon as an indication of the direction we’re hoping is most useful for libraries and publishers. The remainder of the toolkit will be built upon these use cases, and we hope that libraries everywhere find them useful and reflective of real-world needs.
More information will be coming very soon. Keep an eye on the Seamless Access Blog if you’d like to be notified as soon as it is made public.