Search our bank of frequently asked questions using key words.
An access management federation provides:
1. A technical framework where service providers (publishers) and identity providers (organisations) agree to exchange encrypted user attribute data.
2. A trust authority which gives service providers appropriate assurances that a user passing their unique organisational ID can be considered a valid and current member of that organisation.
Shibboleth is Open Source software that provides single sign-on infrastructure and supports the SAML standard, as well as other protocols. Shibboleth is usually installed and managed by an institution or publisher.
OpenAthens supports many of the same standards, including SAML but is delivered as a cloud-based solution, supported by a service desk and team of technical specialists who are on hand to assist with setup, integration, and operation. OpenAthens and Shibboleth can happily interoperate, as they are based on many of the same international standards.
SAML 2.0 offers many different options on passing attributes, how to use PKI (certificates) and other implementation details. SAML is not ‘plug’n’play’ technology so it’s not possible to say whether the SAML tools you are using can be used in the OpenAthens Federation – which is why we offer free trials.
If you can’t use what you’ve already got, OpenAthens Keystone is a lightweight, simple-to-deploy product which can be deployed alongside your existing SAML tools.
The OpenAthens Federation supports the Interoperable SAML 2.0 Web Browser SSO Deployment Profile so it can operate in the same way as every other access management federation.
IP recognition tools and organisational username/passwords are poor substitutes for federated access management. These access methods are inherently insecure and can’t provide users with personalisation features. To enable personalisation, users would need to create a personal account with each publishing platform they want to access which creates another barrier to usage. It’s also more difficult to identify misuse or provide any kind of meaningful statistics as IP only recognises the organisation, not individual users.
Federated access management means publishers don’t need to expose themselves to IP address spoofing or the sharing of institutional username/passwords, both of which are inherently vulnerable to content piracy methods. In addition, the OpenAthens service monitors logins using a number of tools which trigger notifications or intervention on account usage.
As a federated identity and access management solution, OpenAthens provides the optimal user experience for users accessing digital content and services on and off-site. Users can access personalisation features whilst preserving their privacy as their user ID is linked to encrypted attribute data which is passed with their consent from their organisation to the publisher or service provider.
OpenAthens uses SAML attributes to ascertain what content users are entitled to access. The ‘eduPersonTargetedID’ attribute can be used for personalisation features that are based on values specific to each service provider.
No, because OpenAthens only requires a web browser so there is no difference between a users on-site or off-site experience. OpenAthens is also optimised for desktop, laptop and mobile devices.
A persistent unique identifyer can be mapped to the user’s existing record when they are prompted to log-in via federated access management, preserving their personalisation choices.
If a user is granted an account by their host organisation they can gain access as normal. The OpenAthens administrator sets up the temporary user account and its expiry date.
There are default Federated attributes which can be used to identify the organisation that a user belongs to (scopedAffiliation), as well as the individual user (targetedID). scopedAffiliation allows sufficient granularity to identify individual sub-organisations within larger consortia. Further attributes are available which add yet more granularity (e.g. role, speciality or entitlement) and these can be configured on the subscribing organisations’ side on a per-publisher basis.
Users personal data can only be shared with a publisher with the consent of their customers. User managed access (UMA) is an option for Identity Providers as a means of managing the user consent process.
Most access management federations such as the OpenAthens Federation have an attribute release policy that allows personally identifiable information to be exchanged in a way that meets data protection governance and compliance requirements (including GDPR).
If your existing records include the user’s organisation, you can add a step to the login user journey so that when a user logs in with their existing record, you can prompt them to login via their federated access management route. When they are returned to your platform post-login, a persistent and unique identifier for that user will be passed in the background which you can use to map to that user’s existing record. The same process can work in the reverse direction, e.g. if a user logs in via their federated access management route, you can choose to display a prompt such as “already have a MyProduct account? Click here to link the records.”
OpenAthens works with all the major link resolvers, so links which route users to your content via their organisation’s login point can be added by customers without any additional effort.
Yes – OpenAthens products for content providers uses OpenID Connect, a lightweight technology used by PayPal and Google to handle secure single sign-on. This brings all the benefits of SAML to publishers without requiring content providers to implement it.
Yes, OpenAthens Keystone will work with these platforms, provided you are able to install plugins. You don’t need system files access. This is one of the benefits of our new cloud-based service over SAML-based products.
Our clients decide how they are represented in the OpenAthens service. Some customers are represented as consortium-type organisations because each of the constituent parts has its own subscriptions. Content providers need to be able to distinguish between users from different entities within a consortium so the appropriate entitlements can be authorised. This also helps your customers adhere to their licence conditions.
The annual subscription cost depends on the number of organisations accessing a publisher’s content via OpenAthens software and/or services. There is a one-off setup fee, which is payable only in the first year. We can provide a tailored quote based on your specific requirements.
The initial setup and ongoing support of all other access management federations was made possible through the allocation of public funds because academic and research funding bodies in many countries saw the benefits of enabling the adoption of standards such as SAML and Shibboleth. OpenAthens does not receive any such funding, and is therefore the only access management federation available for commercial organisations to join. This simplifies a content provider’s options for enabling access: why not route users from commercial organisations to the same access point used by your academic, research and healthcare customers?