What is an access management federation?

An access management federation provides:

1. A technical framework where service providers (publishers) and identity providers (organisations) agree to exchange encrypted user attribute data.
2. A trust authority which gives service providers appropriate assurances that a user passing their unique organisational ID can be considered a valid and current member of that organisation.

What is the difference between Shibboleth and OpenAthens?

Shibboleth is Open Source software that provides single sign-on infrastructure and supports the SAML standard, as well as other protocols. Shibboleth is usually installed and managed by an institution or publisher.

OpenAthens supports many of the same standards, including SAML but is delivered as a cloud-based solution, supported by a service desk and team of technical specialists who are on hand to assist with setup, integration, and operation. OpenAthens and Shibboleth can happily interoperate, as they are based on many of the same international standards.

We already use SAML products; can we use these to join the OpenAthens Federation?

SAML 2.0 offers many different options on passing attributes, how to use PKI (certificates) and other implementation details. SAML is not ‘plug’n’play’ technology so it’s not possible to say whether the SAML tools you are using can be used in the OpenAthens Federation – which is why we offer free trials.

If you can’t use what you’ve already got, OpenAthens Keystone is a lightweight, simple-to-deploy product which can be deployed alongside your existing SAML tools.

The OpenAthens Federation supports the Interoperable SAML 2.0 Web Browser SSO Deployment Profile so it can operate in the same way as every other access management federation.

We use IP recognition and/or organisational username/passwords to enable access – isn’t that enough?

IP recognition tools and organisational username/passwords are poor substitutes for federated access management. These access methods are inherently insecure and can’t provide users with personalisation features. To enable personalisation, users would need to create a personal account with each publishing platform they want to access which creates another barrier to usage. It’s also more difficult to identify misuse or provide any kind of meaningful statistics as IP only recognises the organisation, not individual users.

How does federated access management help secure my content?

Federated access management means publishers don’t need to expose themselves to IP address spoofing or the sharing of institutional username/passwords, both of which are inherently vulnerable to content piracy methods. In addition, the OpenAthens service monitors logins using a number of tools which trigger notifications or intervention on account usage.

How can OpenAthens help publishers to provide a better user experience?

As a federated identity and access management solution, OpenAthens provides the optimal user experience for users accessing digital content and services on and off-site. Users can access personalisation features whilst preserving their privacy as their user ID is linked to encrypted attribute data which is passed with their consent from their organisation to the publisher or service provider.

What personalisation options are available?

OpenAthens uses SAML attributes to ascertain what content users are entitled to access. The ‘eduPersonTargetedID’ attribute can be used for personalisation features that are based on values specific to each service provider.

Are there any difference in a users experience for on-site and remote access?

No, because OpenAthens only requires a web browser so there is no difference between a users on-site or off-site experience. OpenAthens is also optimised for desktop, laptop and mobile devices.

I’ve got existing users registered with my platform. If their organisation uses federated access management and they start connecting via that route, how can I match these user records?

A persistent unique identifyer can be mapped to the user’s existing record when they are prompted to log-in via federated access management, preserving their personalisation choices.

How can you manage temporary access for guests and walk-in users with OpenAthens?

If a user is granted an account by their host organisation they can gain access as normal. The OpenAthens administrator sets up the temporary walk-in/user account and adds an expiry date.

How can you restrict access to specific groups or individuals based on their role?

There are default Federated attributes which can be used to identify the organisation that a user belongs to (scopedAffiliation), as well as the individual user (targetedID). scopedAffiliation allows sufficient granularity to identify individual sub-organisations within larger consortia. Further attributes are available which add yet more granularity (e.g. role, speciality or entitlement) and these can be configured on the subscribing organisations’ side on a per-publisher basis.

Can we capture information about users, such as their name and email address?

Users personal data can only be shared with a publisher with the consent of their customers. User managed access (UMA) is an option for Identity Providers as a means of managing the user consent process.

Most access management federations such as the OpenAthens Federation have an attribute release policy that allows personally identifiable information to be exchanged in a way that meets data protection governance and compliance requirements (including GDPR).

I’ve got existing users registered with my platform. If their organisation uses federated access management and they start connecting via that route, how can I match these user records?

If your existing records include the user’s organisation, you can add a step to the login user journey so that when a user logs in with their existing record, you can prompt them to login via their federated access management route. When they are returned to your platform post-login, a persistent and unique identifier for that user will be passed in the background which you can use to map to that user’s existing record. The same process can work in the reverse direction, e.g. if a user logs in via their federated access management route, you can choose to display a prompt such as “already have a MyProduct account? Click here to link the records.”

Does OpenAthens work with link resolvers?

OpenAthens works with all the major link resolvers, so links which route users to your content via their organisation’s login point can be added by customers without any additional effort.

My product has a mobile app – can OpenAthens be used there?

Yes – OpenAthens products for content providers uses OpenID Connect, a lightweight technology used by PayPal and Google to handle secure single sign-on. This brings all the benefits of SAML to publishers without requiring content providers to implement it.

Our content is hosted on WordPress/Squarespace/another lightweight hosting provider. Will OpenAthens software work on these platforms?

Yes, OpenAthens Keystone will work with these platforms, provided you are able to install plugins. You don’t need system files access. This is one of the benefits of our new cloud-based service over SAML-based products.

We have a single subscription record for a customer, but OpenAthens says the customer consists of multiple organisations. Why is this?

Our clients decide how they are represented in the OpenAthens service. Some customers are represented as consortium-type organisations because each of the constituent parts has its own subscriptions. Content providers need to be able to distinguish between users from different entities within a consortium so the appropriate entitlements can be authorised. This also helps your customers adhere to their licence conditions.

How much does it cost for a content provider to use OpenAthens?

The annual subscription cost depends on the number of organisations accessing a publisher’s content via OpenAthens software and/or services. There is a one-off setup fee, which is payable only in the first year. We can provide a tailored quote based on your specific requirements.

Other access management federations are free to join – why do I have to pay to join the OpenAthens Federation?

The initial setup and ongoing support of all other access management federations was made possible through the allocation of public funds because academic and research funding bodies in many countries saw the benefits of enabling the adoption of standards such as SAML and Shibboleth. OpenAthens does not receive any such funding, and is therefore the only access management federation available for commercial organisations to join. This simplifies a content provider’s options for enabling access: why not route users from commercial organisations to the same access point used by your academic, research and healthcare customers?

Can't find an answer to your question?