Authentication methods
| Owning group | ERES |
|---|---|
| Type of documentation | Documentation |
| As-of date | Jun 5, 2024 |
Purpose
Document current authentication practices at UC campuses.
Explore trends and options available for non-IP based authentication and optimizing user experience.
Authentication Methods used at each campus
| Campus | Primary Method | Additional Methods | Potential Methods |
|---|---|---|---|
| UC Berkeley | EZproxy | VPN (stand-alone application), Shibboleth | |
| UC Davis | VPN (stand-alone application) | Shibboleth | |
| UC Irvine | VPN (stand-alone application) | Shibboleth | |
| UC Los Angeles | VPN (stand-alone application) | Shibboleth, other proxy server | |
| UC Merced | VPN (stand-alone application) | Shibboleth | |
| UC Riverside | VPN (stand-alone application) | Shibboleth | Waiting on approval of OpenAthens |
| UC Santa Barbara | EZproxy | VPN (stand-alone application) | UCSB is in the process of moving from locally hosted EZproxy to OCLC-hosted EZproxy (August 2023). |
| UC San Diego | VPN (stand-alone application) | Shibboleth | |
| UC Santa Cruz | OpenAthens | VPN (stand-alone application), EZproxy (locally hosted; retirement Summer 2024) | |
| UC San Francisco | EZproxy (cloud-hosted) | VPN (stand-alone application and browser plug-in) | |
| CDL | VPN | | |
Questions to consider - knowledge building notes from meetings
Notes 9/28/2023:
An authorized user engaged in improper use of a database (excessive downloading), a potential violation of the license terms, while accessing the resource through Shibboleth. The publisher sent multiple notifications, and each time campus IT responded that everything indicated the traffic came from an authorized user. Only after a campus meeting with the publisher (campus IT, library IT and library administration), and repeated notices that Shibboleth access would be terminated for the entire campus, did campus IT acknowledge difficulty in locating the user (a common trend: in the interest of security and privacy, faculty deploy software that generates a new IP address with every computer session). Campus IT was also unaware that the license agreement contains a clause holding UC responsible for educating authorized users on acceptable methods of research when using a proprietary product.
Implementing Shibboleth separates librarians from the process of identifying the user directly with library IT, as was the practice with IP address authentication. Campus IT manages the entire authentication system, handling millions of Shibboleth uses daily across thousands of systems. The publisher's warnings, forwarded by library IT to campus IT, highlighted how hard it was to get campus IT to look beyond merely confirming that the user was 'authorized' and to recognize that the authorized user's behavior was prohibited under the terms of the license. An 'authorized user' can still violate the contract terms. The library had no workflow or communication system to intervene given the miscommunication, and this was the first reported Shibboleth breach.
Although CDL licenses the content on behalf of each campus, there is an acceptance that the "campuses" will "inform users" about proper use of the resources. Public-facing documentation to inform users:
https://library.ucdavis.edu/accessing-resources-with-single-sign-on/ (shows how many Shibboleth connections campus IT now manages, outside the library's realm of directly communicating with the user)
https://guides.lib.berkeley.edu/text-mining (an example of informing the user in compliance with a license agreement)
https://www.lib.berkeley.edu/about/conditions-of-use-for-electronic-resources (library policy to enforce user compliance)
The following excerpt from a license distinguishes between 'excessive downloads' and "authorized text and data mining methods", and contains the language in which UC has accepted responsibility to 'inform the users':
IV.2.b.vi. Text and Data Mining.
UC and Authorized Users may:
▪ access the text and data mining service online via an API at [publisher developer portal] to continuously and automatically extract and index and/or process information from the Subscription Content and load and integrate the results (the "TDM Output") on UC's servers or text-mining system for access and use by Authorized Users; and …
UC will exercise the same degree of care and apply the same level of security control with respect to the use of the text and data mining service online and the activities under this Agreement as with UC's own products and services. UC agrees to and accepts on behalf of its Authorized Users and engaged third party vendor(s), (if any), the limitations and conditions of use of the text and data mining service. UC will inform Authorized Users and the engaged third party vendor(s) (if any) of the terms of this Agreement and their required compliance with the conditions.
As additional restrictions in this usage grant, UC and its Authorized Users may not:
▪ use any robots, spiders or other automated downloading programs, algorithms or devices to search, screen-scrape, extract, or index any [publisher] website or web application, other than the text and data mining service online via an API or as permitted under this Agreement;
▪ create derivative products or services and/or utilize the TDM Output in a way that would directly compete with the value of the final peer reviewed journal articles or the ScienceDirect online service, or directly compete with, substitute and/or replicate any other existing [publisher] products, services and/or solutions or enhance the products or services and/or solutions of the engaged vendor or otherwise commercially use or allow commercial use of the TDM Output;
▪ perform text and data mining for a third party; or …
Although library IT viewed Shibboleth as a replacement for an aging server supporting the VPN, this breach raises many questions about who is responsible for ensuring that the new workflow includes the new participants (campus IT) and remains contractually compliant.
Notes 8/3/2023:
See the SILS-ERESOURCES-L thread "Authentication Methods Documentation Page - campus entries" for the full discussion of VPN clients and IPv4/IPv6.
Some publishers enable IPv6 without notifying the library. Dual-stack clients then present an IPv6 address that is not on file, so the resource stops working until the library's IPv6 ranges are provided to the publisher.
Some publishers (or their underlying IT providers) turn on IPv6 but are unable to accept the library's IPv6 list for authentication; ask them to disable IPv6 for now.
Tools for troubleshooting IPv6:
https://test-ipv6.com/ will report back both IPv4 and IPv6 results if both are available
use the web browser plugin "IPvFoo."
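The IPv6 failure mode above is an address-family mismatch: the publisher checks the client's source address against the ranges the library registered, and a dual-stack client arrives over IPv6 when only IPv4 ranges are on file. The script below, added here as an illustration and not part of the original page or of any campus's tooling, audits a list of client addresses against a set of registered ranges and flags the case where a publisher advertises IPv6 but the library has no IPv6 range registered. The ranges and client addresses are constructed samples from the RFC 5737 and RFC 3849 documentation blocks; substitute the ranges actually sent to the publisher.

```python
import ipaddress
import socket

# Constructed sample: the ranges a library has registered with a publisher.
# Deliberately IPv4-only, which is the failure mode described in the notes.
REGISTERED_RANGES = [
    "192.0.2.0/24",      # TEST-NET-1 (RFC 5737), stands in for a campus block
    "198.51.100.0/25",   # TEST-NET-2, stands in for a library-building block
]

# Constructed sample of client addresses as a publisher's access log might show them.
OBSERVED_CLIENTS = [
    "192.0.2.17",         # on-campus IPv4: should pass
    "198.51.100.200",     # just outside the /25: should fail
    "2001:db8:1234::5",   # on-campus IPv6 (RFC 3849 prefix) but no v6 range on file: fails
    "203.0.113.9",        # off-campus, no VPN or proxy: fails as expected
]


def parse_ranges(ranges):
    """Parse CIDR strings; strict=False tolerates host bits set in a range."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def check_client(addr, networks):
    """Return (authenticated, reason) for one client address.

    Mirrors what an IP-authenticating publisher does: the address only matches
    ranges of its own family, so an IPv6 client can never match an IPv4 range.
    """
    ip = ipaddress.ip_address(addr)
    same_family = [n for n in networks if n.version == ip.version]
    if not same_family:
        return (False, f"no IPv{ip.version} ranges registered with the publisher")
    if any(ip in n for n in same_family):
        return (True, "address within a registered range")
    return (False, f"IPv{ip.version} address outside all registered ranges")


def audit(clients, ranges):
    """Map each client address to its (authenticated, reason) verdict."""
    networks = parse_ranges(ranges)
    return {c: check_client(c, networks) for c in clients}


def registered_families(ranges):
    """Set of IP versions ({4}, {6} or {4, 6}) covered by the registered ranges."""
    return {n.version for n in parse_ranges(ranges)}


def resolve_families(hostname):
    """IP versions a publisher hostname currently advertises (needs live DNS)."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return {6 if family == socket.AF_INET6 else 4 for family, *_ in infos}


def would_break(hostname_families, ranges):
    """True when the publisher offers IPv6 but no IPv6 range is on file."""
    return 6 in hostname_families and 6 not in registered_families(ranges)


if __name__ == "__main__":
    for addr, (ok, why) in audit(OBSERVED_CLIENTS, REGISTERED_RANGES).items():
        print(f"{addr:<20} {'PASS' if ok else 'FAIL'}  {why}")
    # Simulate a publisher that has just turned on IPv6, without a DNS lookup:
    print("IPv6 rollout would break access:", would_break({4, 6}, REGISTERED_RANGES))
    # Against a real hostname: would_break(resolve_families("publisher.example"), REGISTERED_RANGES)
```

Run it against the ranges actually on file with each publisher before asking them to disable IPv6; if `would_break` is true for a hostname, the fix is either to register the campus IPv6 ranges or to have the publisher keep IPv6 off until they can accept them.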
Notes 6/1/2023:
Authentication/authorization: largely managed by IT
UCR & UCSC working on OpenAthens implementation
UCD - Library ITIS contacts Campus ITIS and has to date set up several SSO accounts:
Accessing Resources with Single Sign-on
SeamlessAccess.org - true Single Sign On: this particular group of vendors permits a single sign-on, and within the group of publishers users need only authenticate once.
Contract language: Model License Agreement 1.0 - SeamlessAccess
Notes 6/8/2023:
UCR & UCSC working on OpenAthens implementation
UCR waiting on approval by campus regarding the license, privacy/security issues, for OpenAthens. This was the result of campus survey finding overwhelming response from users that they wanted a better authentication process, followed by UCR making a commitment to get behind users with financial commitment to invest in additional authentication resources.
Possible problem with single sign-on managed by campus: other units on campus can affect Library access; UCD problems with Oxford SSO have lasted 11 months now.
Also issue with longevity of IP authentication given future browser updates that may obscure IP addresses.
UCD: Current issues with IP authentication include lack of support for IPv6
SSO can be incredibly time-consuming to set up; the process varies for every platform.
OpenAthens
SL (CDL): how does OpenAthens work with walk-ins?
Carla will check
OpenAthens likely passes on limited user data (just confirming a user is affiliated with a campus)
ALA source on future of authentication
UCSD: only implemented SSO in a few cases where necessary. Lots of time involved. Worrying to do it more broadly, but want to get ahead of it since providers offer SSO to users who may get caught not being able to use it.
UCI: we have signed licenses where providers guarantee access, but if they switch to a method that is untenable, then would be a breach
cases of providers switching to SSO only
Notes 6/15/2023:
UCR: license outcome not looking good between OpenAthens and campus IT folks
UCSC: working on proposal. excited to potentially get rid of EZproxy and VPN, had been waiting for UCR to pave the way with first license, but perhaps this will be reversal and UCSC can be pathfinder
UCD: library IT has worked with campus IT on dozens of Shibboleth integrations. The Oxford migration in July last year broke their SSO, and they couldn't get any traction from campus IT until recently.
UCSC: Ebsco claims that they become the intermediary for setting up SSO - this would save campuses staffing resources dedicated to this time consuming process of set-up and troubleshooting
Question? Contact AskSILS-L@ucop.edu