Open Athens
Search OpenAthens Open Athens

Guest blog: Federated access management – has it failed the end user?

Catherine MicklethwaiteBy Catherine Micklethwaite
Category - Blog

Wednesday 12th December 2018

In July, we hosted a webinar to discuss whether federated access management had failed the end user. We’ve since caught up with one of our guest speakers, Catherine Micklethwaite – library and information services manager, Strategy & Improvement Directorate, Torbay & South Devon NHS Foundation Trust – to find out a little more on the subject.

Using IP-based access to enable users to access content online is seen by many organisations as the most seamless and user-friendly authentication method. But what happens when these users are attempting to access resources off-site?

There are various mechanisms available for enabling users to piggyback onto their organisation’s IP address range. Questions start to arise around what to do when a large organisation like the UK’s National Health Service (NHS), an OpenAthens customer, is unable to utilise IP-based access.

And what about universities, for example, where many students and researchers need access off-campus, and increasingly these days, around the world on distance-learning courses?

The NHS context

The NHS is comprised of hundreds of organisations, ranging from individual Trusts and commissioning organisations, to GP surgeries. Resources purchased at national level are also made available to thousands more organisations that provide NHS-commissioned services.

Other resources are purchased at regional or local level and are predominantly licensed for local Trust use only. A single IP address range is purchased for all NHS Trusts, which means that Trusts cannot use IP addresses to authenticate access to locally purchased resources.

Many NHS staff work in the community without a fixed office-based location, so would not be able to access the IP network. Additionally, it would be impossible to add all the IP address ranges of the wider organisations that provide NHS-commissioned services.

This year marks the 70th anniversary of the NHS, and seamless and easy online access to digital content is more essential than ever as it plans for the future.

Is federated access management the solution to accessing digital content remotely?

One answer is federated single sign-on from providers such as OpenAthens, which is a popular choice for many sectors. Federated single sign-on is designed to answer the WAYF question – where are you from? If the answer is from an authenticated source, users get access to a resource. Simple.

But are these products the panacea or do they come with their own problems and limitations? Are they failing the end user?

What are the challenges with federated access?

Federated single sign-on can start to fall down when we consider the user journey. There is huge variation in authentication routes and terminology used by different publishing websites.

For instance, on one website a user may need to find the option to authenticate via “OpenAthens access” and, on another, via “Federated Access Management access”. This in turn can lead the user scrolling through a long list of organisation names to find their own.

Others may have to define their country first – if the user is an international distance-learning student, do they pick their own country or the host nation? They then select their organisation. If, for example, the student belongs to an alliance of organisations like the University of London, which college do they choose?

It all starts to get a little convoluted and this process is often replicated on each publisher’s website. There must be a means of bridging identifiers.

Within the NHS, users are encouraged to access resources via a national portal, where a more seamless approach is available. Links take users directly to the correct sign-in page, they enter username/password only once per session and they get immediate access to various sites (provided they go back to the national portal each time).

But this portal idea falls down if a user opts to utilise third party search tools, such as Google Scholar or PubMed, which link directly to publisher websites without any WAYF links.

Another issue is that not all publishers offer federated single sign-on. Most of the large publishers do, but many smaller publishers struggle to do this without the capacity or knowledge.

A downside of this unwieldy user journey is that human nature will seek the easiest route to obtain information, and this may happen to be via websites offering illegal access in a simpler and more streamlined fashion.

The challenge for publishers is to continue providing the advantages of federated single sign-on – which include trust, protection of user privacy and control – but with the seamlessness of IP-based access.

How is this challenge being addressed?

Resource Access for the 21st Century (RA21) is a joint initiative between STM and NISO aimed at making federated identity simpler and more standardised for the user. The RA21 initial pilots have just completed and RA21 are now looking at the specific needs of healthcare professionals through their new hospital/ clinical working group.

RA21 is a voluntary code that will allow providers to remember where users are from whilst still preserving user privacy and negating the need for users to enter passwords multiple times.

In theory, RA21 could improve access and result in a much-improved user flow through standardised user journeys and terminology.

However, as a voluntary system, it may prove difficult to ensure all publishers sign-up, particularly the smaller ones. RA21 is trying to help these smaller publishers get on-board by making the design patterns and code open source.

OpenAthens has also helped to address two of these major barriers to access through their Redirector and Wayfinder products.

The Redirector service provides one-step access to subscription and other paid-for content by requesting credentials when users are off-network and directly serving the content when in IP range.

The freely available organisational discovery tool, Wayfinder, makes it easier for users to find their home organisation to log-in through geo-location or typing their home organisation or email into the search bar.

In summary…

A solution to the problems associated with federated single sign-on and user journey must be found to enable on and off-site seamless access to resources for a wide variety of organisations within the NHS.

The ultimate user journey would be for users to enter their username/password just once, with each subsequent website then able to verify and give access to those WAYF details. This entry point would then be remembered on that device/account for future access.

This will require a much larger cohort of publishers than there are now to adopt standards-based federated single sign-on technology and RA21 recommended user journeys to online content.


Share this article