Collaborating on Federated Authentication
Technology and Licensing Concerns
Early in the development of the Seamless Access project, its organizers saw that it was in a unique position in the world of federated authentication. Being composed of many different stakeholders in the authentication process (libraries, publishers, federation operators), the group had opportunities to work towards improving other aspects of the authentication process beyond the service that Seamless Access provides. The first place where it was apparent that work needed to be done was in the technical specifications that outline what information is shared between an identity provider (IdP, such as a university IT department) and a service provider (SP, such as a publisher or resource provider).
In the pre–Seamless Access world of federated authentication, there was no entity category (the technical specification that names which attributes an IdP releases to an SP and under what conditions) suited to the library and publisher use case. IdPs and SPs could negotiate the details of information sharing pair by pair, but if they wanted to reference a pre-existing entity category as a way to shortcut those negotiations and scale agreements, there was nothing they could use. Seamless Access convened an Entity Category Working Group, which examined what information could and should be shared between libraries/universities and publishers in order to grant access to resources; that working group created two new entity categories for these use cases.
These two new entity categories, Anonymous and Pseudonymous, give libraries and service providers the technical specifications needed to manage attribute sharing and protect user privacy. Approved earlier this year by REFEDS, they provide technical guidance that allows for both sides of the authentication process to know what to expect and what to request, and that limits the scope of information sharing. The two categories also provide options and opportunities for different user experiences depending on the resource being used, in a privacy-protecting way.
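To make concrete what "managing attribute sharing" looks like on the IdP side, here is an added example in Python. It is my own illustration, not code from Seamless Access, REFEDS or any IdP product. It reads the entity categories an SP asserts in its SAML metadata, maps them to an attribute bundle, releases only what the bundle allows, and fails closed when no recognised category is asserted. The two category URIs are assumed to be the ones REFEDS publishes; the bundle contents, the sample SP metadata, the user record and the HMAC-based pairwise identifier are constructed assumptions for illustration, not the normative REFEDS attribute lists.

```python
"""Entity-category-driven attribute release, as a toy IdP-side filter.

Added example (not Seamless Access or REFEDS code). Category URIs are
assumed to be the REFEDS-published ones; the bundles are illustrative.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Entity categories are asserted in SP metadata under this attribute name.
ENTITY_CATEGORY_ATTR = "http://macedir.org/entity-category"

ANONYMOUS = "https://refeds.org/category/anonymous"        # assumed URI
PSEUDONYMOUS = "https://refeds.org/category/pseudonymous"  # assumed URI

# Illustrative bundles (assumption, not the normative REFEDS lists):
# Anonymous releases only a coarse affiliation; Pseudonymous adds a
# per-SP identifier that cannot be correlated across SPs.
BUNDLES = {
    ANONYMOUS: frozenset({"eduPersonScopedAffiliation"}),
    PSEUDONYMOUS: frozenset({"eduPersonScopedAffiliation", "pairwise-id"}),
}


def entity_categories(metadata_xml):
    """Return the set of entity-category URIs an SP asserts in its metadata."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for attr in root.iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") != ENTITY_CATEGORY_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                found.add(value.text.strip())
    return found


def pairwise_id(idp_secret, user_id, sp_entity_id, scope):
    """Stable per-(user, SP) pseudonym: an HMAC keyed with an IdP-only secret,
    so two SPs cannot join their records and an SP cannot recover the uid."""
    msg = user_id.encode() + b"\x00" + sp_entity_id.encode()
    digest = hmac.new(idp_secret, msg, hashlib.sha256).hexdigest()
    return digest[:32] + "@" + scope


def attributes_to_release(user, sp_entity_id, sp_categories, idp_secret, scope):
    """Attributes the IdP may release to this SP. Fails closed: an SP with no
    recognised category gets nothing, and attributes outside the asserted
    bundles (mail, displayName, ...) never leave the IdP."""
    allowed = frozenset().union(*(BUNDLES.get(c, frozenset()) for c in sp_categories))
    released = {}
    if "eduPersonScopedAffiliation" in allowed:
        released["eduPersonScopedAffiliation"] = sorted(user["affiliations"])
    if "pairwise-id" in allowed:
        released["pairwise-id"] = pairwise_id(idp_secret, user["uid"], sp_entity_id, scope)
    return released


# Constructed sample data (hypothetical secret, scope, user and SPs).
IDP_SECRET = b"idp-pairwise-secret-keep-out-of-metadata"
SCOPE = "university.example.edu"
USER = {
    "uid": "jdoe",
    "affiliations": ["member@university.example.edu"],
    "mail": "jdoe@university.example.edu",  # must never be released here
    "displayName": "Jane Doe",
}
ANON_SP = "https://sp.anon-publisher.example/shibboleth"
PSEUD_SP = "https://sp.pseud-publisher.example/shibboleth"
OTHER_SP = "https://sp.other-publisher.example/shibboleth"


def sp_metadata(entity_id, *categories):
    """Build a minimal SP EntityDescriptor asserting the given categories."""
    values = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % c for c in categories)
    return (
        '<md:EntityDescriptor xmlns:md="%s" xmlns:mdattr="%s" xmlns:saml="%s" entityID="%s">'
        "<md:Extensions><mdattr:EntityAttributes>"
        '<saml:Attribute Name="%s" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">%s</saml:Attribute>'
        "</mdattr:EntityAttributes></md:Extensions>"
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
        "</md:EntityDescriptor>"
    ) % (NS["md"], NS["mdattr"], NS["saml"], entity_id, ENTITY_CATEGORY_ATTR, values)


def release_for(sp_entity_id, metadata_xml):
    """End-to-end: metadata in, released attribute dict out."""
    return attributes_to_release(USER, sp_entity_id, entity_categories(metadata_xml), IDP_SECRET, SCOPE)


if __name__ == "__main__":
    for sp, cats in ((ANON_SP, (ANONYMOUS,)), (PSEUD_SP, (PSEUDONYMOUS,)), (OTHER_SP, ())):
        print(sp, release_for(sp, sp_metadata(sp, *cats)))
```

The two properties worth checking in a real deployment are the ones the example makes visible: the release decision is driven by the SP's metadata, not by what the user record happens to contain, and the pseudonymous identifier is keyed per SP, so the same user presents a different value to each publisher while remaining stable for any one of them.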
But in the world of libraries and service providers, technical specifications aren’t always enough. There are also service contracts that are negotiated and signed that outline the limits of data collection, how user data is to be treated, and more. When members of Seamless Access began examining the landscape of these contracts, it quickly became clear that federated authentication is new enough in many library workflows that contract language hadn’t yet caught up. Contracts that were examined had language relating to network-based or IP/proxy authentication, but nothing regarding how attributes in a federated authentication workflow should be treated.
And so, another working group was born, the Contract Language Working Group. From that group’s charter:
The purpose of this working group is to define and promote language that may be used in contracts that include provisions for Federated Access. Typically, these contracts involve the library organization's Identity Provider Operator (IdP Operator) and electronic resources management staff as well as the Service Provider Operator (SP Operator) of the content or resource supplier. These provisions will hold both the Licensing Institution and the Resource Provider responsible for adherence to the Attribute Release Entity Categories applicable to the access of scholarly information resources and services in the context of federated authentication.
The goal of this document is to outline the various use cases in order to determine the overlap between user access, authentication and authorization, attribute release, and entity categories used in the federated authentication communication between the Identity Provider and the Service Provider. These use cases will be used to ground the contract language in real world examples.
This document is the first step towards a Contract Language Toolkit, which libraries and service providers will be able to use to quickly identify which entity category applies in a given use case, and then select language that will hold both parties to the requirements of the assigned attribute release.
This two-pronged approach, one technical and one contractual, should provide robust and ongoing protection against unintentional sharing of user information, and give both parties tools to ensure that no more personal information is shared or collected than the agreed entity category permits.
The Entity Category Use Case Scenarios document is still open for comments, and the working group would love to see any questions that you may have about the document. Shortly, the group will review the comments, respond where necessary, and then move forward with the creation of the Contract Language Toolkit. The hope is to finish the Contract Language Toolkit near the end of 2021 and have it ready for libraries and service providers to use next year.