Upload
juliette-impson
View
218
Download
1
Tags:
Embed Size (px)
Citation preview
ESPRESSO (ESTABLISHING SUGGESTED PRACTICES REGARDING SINGLE SIGN ON) UPDATE
Heather Ruland Staines
Society for Scholarly Publishing, June 2011
ESPReSSO Timeline
In 2009, NISO launched a new Chair's Initiative—a project of the chair of NISO’s Board of Directors, focusing on perfecting a seamless, item-level linking through single sign-on authentication technologies in a networked information environment.
Fall 2009: Working Group meetings begin. 2010: Sub-groups meet. Feeback collected from
publishers. May 24, 2011: Draft posted for 30 day public
comment. (Comments close on June 22) Late Summer 2011 (target): Publication of
Suggested Practice
The Challenges
Authentication has become complex for several reasons: Users now have more options as to how and where to enter a
publisher’s site. This makes a consistent, coherent user experience more difficult.
Users may experience multiple authentication mechanisms. The user’s physical location could affect the browser flows and authentication mechanisms they see. Within the publisher site, the user might navigate from a public page to a protected page, triggering authentication.
Publishers must present and support multiple authentication mechanisms, necessitating a usable authentication GUI interface that combines multiple methods and that can be used successfully by people with a low familiarity with technical concepts.
Campuses have deployed various approaches to authentication, some requiring users to be able to use, handle, and manipulate proxy-prefixed URLs that are incomprehensible to the average person.
Goal of the Recommendations:
The recommendations specifically address: typical browser flows the sequence of pages presented to users page layout, what information to include in each of those
pages consistent GUI elements additional features and functionality to provide users with
added value. Provide users with a consistent experience across a multitude
of sites and situations. Reduce user confusion and aborted sessions during the
discovery/login process by using a consistent set of visual elements
Be straightforward and easy to implement for both IDP and SP sites.
The Team
Last, First CompanyCarmody, Steven Brown UniversityCervone, Frank Purdue University CalumetChandler, Adam Cornell University LibraryCiuffetti, Pete CredoReferenceDale, Andy OCLC Online Computer Library CenterFerry, Kristine University of California, IrvineIngham, Andy University of North Carolina Chapel Hill LibrariesKaplanian, Harry Serials Solutions, Inc.Kennedy, David Johns Hopkins University LibraryKoppel, Ted Auto-Graphics, Inc.Lengwenat, Ms. Ulrike SpringerNoerr, Peter Muse Global, Inc.Norris, Lyn EduservPatel, Kishor ProQuestPesch, Oliver EBSCO Information ServicesStaines, Heather Springervan Lierop, Pieter Infor Library and Information SolutionsWalsh, Robert EnvisionWare, Inc.Zhang, Foster Johns Hopkins University Library
What have we accomplished?
Deliverable Lead and Team
Standardizing terminology Ted KoppelKristine Ferry, Steven Carmody, Kishor Patel, Heather Staines, Robert Walsh, Andy Dale
Standardizing user interface presentation
Andy Ingham and Steven CarmodyPeter Ciuffetti, Frank Cervone, David Kennedy
Identify approaches that allow search technologies to leverage existing Web SSO authentication user sessions when contacting backend Provider sites
Harry KaplanianPete Ciuffetti, Steven Carmody, Andy Dale, Ted Koppel
Provide plans for the promotion and adoption of these Recommended Practices
Heather StainesFoster Zhang, Harry Kaplanian
Accomplishments
Agreement to include research and recommendations from other working groups such as: REFEDS Kantara JISC The Shibboleth Group
Accomplishments
Include input from publishers and providers: Springer (MetaPress) Elsevier Nature Publishing Group Wiley Oxford University Press Cambridge University Press IEEE AIP Ithaka/JSTOR EBSCO H.W. Wilson Semantico High Wire IOP
Deliverable 1
Standardizing terminology Use cases describing the ways in which a browser
would arrive at a Service Provider, traverse a Discovery process, and arrive at a specific login. (library home page, federated searches, Open Web, also deep linking between documents and results either via OpenURL/link resolvers, or Crossref)
Develop a standard vocabulary of technical, business and policy-related terms used by Web SSO and Federated Authentication products.
Develop a set of “best practice” recommendations for the relationships between customers, licensing bodies, federations, and service providers.
Deliverable 2
Standardizing user interface presentation for user authentication Identify a preferred location for login Recommend to Service Providers a standard approach for
guiding the user to the desired authentication method Standardized GUI flows Easy identification of home site Guidelines to address the proliferation of Shibboleth
Federations Where branding can be displayed
Develop standardized approaches for handling automatic login when the url presented at the SP identifies the user’s preferred authentication method and/or authentication provider.
Develop a consistent approach/link syntax for campus-based software to present a deep link to a Service Provider which will trigger an automatic login process that bypasses the Discovery process.
Deliverable 3
Identify approaches that allow Federated Search technologies and portals to leverage existing Web SSO authentication sessions of a user when contacting backend Service Provider sites. Work with those package mechanisms that
currently support “delegated authentication”. Ensure that Service Providers have access to
the documentation they need to support this feature.
Deliverable 4
Provide plans for the promotion and adoption of these Recommended Practices to make the access improvements a reality 1. Marketing plan 2. Business case/justification will be
developed as part of the marketing plan.
Recommendations for Service Providers (SPs), Licensee Organizations (LO), and Identity Providers (IdPs)
SPs continue to support multiple authentication options during this time of transition.
SPs and LOs move quickly to reduce reliance on IP-based access control. There are many security issues with this approach and it is no longer adequate in today’s rapidly ubiquitous computing environment.
SPs and LOs move quickly to deprecate userids/passwords validated at the service provider site.
SPs and LOs move quickly to implement and use standards-based federated authentication.
Recommendations for Service Providers (SPs), Licensee Organizations (LO), and Identity Providers (IdPs) (con’t)
SPs adopt standard placement/wording of the login link on all the public pages on their site.
SPs present a standard approach (discovery) for guiding the user to the desired authentication method.
IdPs create a consistent experience as the user moves from SP to IdP to SP.
SP and IdP web designers insert branding at appropriate places in the flow to provide visual feedback that the flow is progressing as expected.
SPs offer a single url point of access for IP authentication and Federated Login.
Example of SP recommendations:
Example of IdP Recommendations:
Questions and More Information SSO website:
www.niso.org/workrooms/sso SSO Interest Group list:
www.niso.org/lists/ssoinfo SSO Charge:
www.niso.org/workrooms/sso/charge
Heather Staines [email protected]