Federated IdM for Libraries

SeamlessAccess.org and FIM4L, Two Sides of the Same Coin

Logos (from left to right): SeamlessAccess.org and FIM4L

The steady progress of digitisation in our everyday lives creates many opportunities, but it does not come without challenges. One of the big ones is data protection, which is at the centre of a heated debate, especially where digital innovation makes new forms of cooperation possible. The more data is exchanged between participating institutions, the greater the risk of a data breach.

Federated identity management allows sensitive personal data, such as a name or email address, to be stored and processed solely in the user’s home organisation. Whether any of it is sent on to a service provider depends on the agreements between the two parties: alongside non-identifying statements such as “the user is a member of our institution”, an assertion could also carry “the user’s name is John Doe”. It is therefore crucial to have precise stipulations in place that define which personal attributes may flow to which service and under what conditions, so that every transfer is compliant with the GDPR. This applies especially to the communication between libraries, which hold information about their users, and the academic publishers that provide services to them.

Support for Libraries by FIM4L

The FIM4L working group was formed to advise libraries and represent their interests. The FIM4L charter summarises recommendations for libraries worldwide to support them in providing users with privacy-compliant access to resources through federated identity management. As a founding member of FIM4L, DAASI International CEO Peter Gietz is very committed to the dissemination of these recommendations. Ultimately, the goal is not only to advance the digitisation of research, but also to promote research cooperation in general.

On March 23, 2021, Peter Gietz gave a presentation together with Gerrit Gragert, the director of IT services at the Berlin State Library, at the 74th DFN conference. The presentation looked at both sides of federated identity management for libraries. Mr Gragert addressed the perspective and activities of academic publishers and their relevance for libraries. Mr Gietz covered the technical side, presented the FIM4L projects and measures, and explained the working group’s position on data protection. He also emphasised the advantages of the Security Assertion Markup Language (SAML), which enables the exchange of authentication, attribute, and authorisation information between organisations. Because the identity provider decides which attributes an assertion carries, users of organisation A can access resources of organisation B within a federation without organisation B ever receiving personal data.

In this context, both presenters introduced two central initiatives, SeamlessAccess.org and FIM4L. SeamlessAccess.org was initiated by publishers and was originally known under the acronym RA21. Its main focus was to make SAML-based access easier to use. For this purpose, it created a JavaScript component that is easy to integrate into websites and simplifies the discovery process, i.e. the step in which users select their home organisation. The other side of the coin is represented by FIM4L, which is library-driven. Its main focus is the protection of library users’ data, and the working group therefore recommends SAML-based communication between libraries and publishers in which only non-personal attributes are released. If a publisher needs personal information for a particular purpose, it cannot obtain it from the library without the user’s knowledge; instead it has to collect the data itself, for example through a form on its own website. Finally, there is also a debate about so-called consent modules, which give users the option to agree to the transfer of specific personal attributes to the publisher before the assertion is sent.
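To make the attribute-flow argument concrete, here is an added example (written for this page, not code from FIM4L, SeamlessAccess.org or DAASI International) of the release decision a SAML identity provider takes per service provider. The entity IDs, the user record and the HMAC secret are constructed; the attribute names are the standard eduPerson ones, and treating affiliation and entitlement as non-personal while gating name and mail on consent is the editor's reading of the recommendation described above. The per-SP pseudonym follows the same idea as a SAML pairwise identifier: stable for one service, different across services, and not reversible without the IdP's secret.

```python
"""Added example: per-service attribute release with a pseudonymous identifier.

A SAML IdP decides, per service provider (SP), which attributes leave the
home organisation. The publisher SP gets only non-personal attributes plus a
per-SP pseudonym; personal attributes go out only with the user's consent.
Entity IDs, the user record and the secret are constructed for this example.
"""
import hashlib
import hmac

IDP_SCOPE = "example-university.edu"
# Secret the IdP keeps for pseudonym derivation (constructed; in a real IdP
# it lives in the keystore, never in source).
PAIRWISE_SECRET = b"rotate-me-and-keep-me-in-the-idp-keystore"

# Attribute classes. Affiliation and entitlement describe a role, not a person;
# displayName and mail identify the user directly.
NON_PERSONAL = frozenset({"eduPersonScopedAffiliation", "eduPersonEntitlement"})
PERSONAL = frozenset({"displayName", "mail"})

# Per-SP release policy keyed by SAML entityID (hypothetical entityIDs).
# "release" lists attributes the SP may receive at all; personal ones in that
# list are still gated on consent. Unknown SPs get nothing (default deny).
POLICY = {
    "https://sp.publisher.example/shibboleth": {
        "release": NON_PERSONAL,
        "pairwise": True,
    },
    "https://lms.example-university.edu/sp": {
        "release": NON_PERSONAL | PERSONAL,
        "pairwise": False,
    },
}

# Constructed user record as held in the IdP's directory (not a real person).
USER = {
    "uid": "jdoe",
    "displayName": "John Doe",
    "mail": "john.doe@example-university.edu",
    "eduPersonScopedAffiliation": ["member@example-university.edu",
                                   "staff@example-university.edu"],
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
}


def pairwise_id(uid, sp_entity_id, secret=PAIRWISE_SECRET):
    """Derive a stable, per-SP pseudonym as an HMAC over (SP, uid).

    The same user gets the same value at one SP (so the SP can keep
    preferences), a different value at every other SP, and no SP can
    recover the uid or link users across services without the secret.
    """
    msg = sp_entity_id.encode() + b"!" + uid.encode()
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]
    return f"{digest}@{IDP_SCOPE}"


def release_attributes(user, sp_entity_id, consented=frozenset()):
    """Return (released, withheld) for one SP.

    `consented` holds the personal attribute names the user agreed to release
    to this SP, e.g. via a consent module shown before the assertion is sent.
    """
    policy = POLICY.get(sp_entity_id)
    if policy is None:
        return {}, sorted(PERSONAL | NON_PERSONAL)    # default deny
    released, withheld = {}, []
    for name in sorted(PERSONAL | NON_PERSONAL):
        if name not in policy["release"]:
            withheld.append(name)        # not in this SP's policy at all
        elif name in PERSONAL and name not in consented:
            withheld.append(name)        # personal and no consent: never sent
        else:
            released[name] = user[name]
    if policy["pairwise"]:
        released["pairwise-id"] = pairwise_id(user["uid"], sp_entity_id)
    return released, withheld


if __name__ == "__main__":
    pub = "https://sp.publisher.example/shibboleth"
    print("publisher gets / withheld:", release_attributes(USER, pub))
    lms = "https://lms.example-university.edu/sp"
    print("campus LMS, mail consented:", release_attributes(USER, lms, {"mail"}))
```

Run the file to see the two decisions. A real deployment expresses the same policy in the IdP's attribute filter configuration and lets the consent step, where one exists, populate `consented`; the default-deny branch for unknown entity IDs is what keeps a newly registered SP from receiving anything until a policy has been written for it.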

The Future of Federated Identity Management in Libraries

“For libraries FIM is a highly political topic, and the still common practice to exclusively authenticate via the institution’s IP address to use services of a publisher grants libraries certain liberties vis-à-vis publishers. Nonetheless, libraries will increasingly have to switch to FIM technologies as they are driven to do so both by users, who expect single sign-on using their own accounts, and by publishers, who have invested in SAML technology. Thus, within the means of the EU project AARC we created a pilot service through which IP-based authentication remains a possibility for libraries even within SAML-based infrastructures. Moreover, at FIM4L we advocate for publishers to only receive non-personal data from libraries”, Peter Gietz summarises the topic.
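The IP-based fallback mentioned in the quote can be illustrated with an added example (the editor's illustration of the idea, not code from the AARC pilot or from DAASI International): a small IdP-side component that recognises requests from a library's registered address ranges and asserts only an affiliation for them. The address ranges, the proxy list, the scopes and the `urn:example:ip-based` authentication context are constructed; the one security detail worth copying is that `X-Forwarded-For` is trusted only when the request arrives through the IdP's own reverse proxy, because otherwise any client can claim a campus address simply by sending the header.

```python
"""Added example: IP-based authentication as a fallback inside a SAML federation.

An IdP component that, for requests from a library's registered address
ranges, issues an assertion carrying only a non-personal affiliation.
Ranges, proxies, scopes and the authentication context are constructed.
"""
import ipaddress

# Address ranges each library registered with the IdP (constructed).
LIBRARY_RANGES = {
    "example-university.edu": ["192.0.2.0/24", "2001:db8:10::/48"],
    "partner-college.example": ["203.0.113.128/25"],
}
# Reverse proxies in front of the IdP whose X-Forwarded-For we trust (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/29")]

_RANGES = {scope: [ipaddress.ip_network(r) for r in ranges]
           for scope, ranges in LIBRARY_RANGES.items()}


def client_address(remote_addr, forwarded_for=None):
    """Resolve the client address.

    X-Forwarded-For is honoured only when the direct peer is one of our own
    proxies. Anyone can send the header, so trusting it from an arbitrary
    peer would let an outsider impersonate a campus address.
    """
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        # Our proxy appends the address it actually saw as the last element;
        # earlier elements were supplied by the client and are not trusted.
        return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
    return peer


def institution_for(addr):
    """Return the scope whose registered ranges contain addr, or None."""
    for scope, nets in _RANGES.items():
        if any(addr in net for net in nets):
            return scope
    return None


def ip_assertion(remote_addr, forwarded_for=None):
    """Attributes the IdP would assert for an IP-authenticated request.

    Only the affiliation and the library entitlement are released. Nothing is
    known about the individual user, so nothing personal can leak; the
    (hypothetical) authentication context lets an SP tell IP logins apart
    from account-based single sign-on if its contract treats them differently.
    """
    scope = institution_for(client_address(remote_addr, forwarded_for))
    if scope is None:
        return None
    return {
        "eduPersonScopedAffiliation": [f"member@{scope}"],
        "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
        "authnContext": "urn:example:ip-based",
    }


if __name__ == "__main__":
    print("campus client:", ip_assertion("192.0.2.17"))
    print("outside, spoofed header:", ip_assertion("8.8.8.8", "192.0.2.17"))
    print("via trusted proxy:", ip_assertion("198.51.100.2", "10.0.0.1, 192.0.2.17"))
```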

As a conclusion to the presentation, Peter Gietz gave an outlook according to his expectations for the future:

  • Publishers will demand more FIM-based contracts and decline IP-based authentication
  • Libraries will want to keep IP-based authentication as an option
  • Users will develop a stronger awareness of how their personal data is processed
  • Library associations will make corresponding recommendations

The DFN association has published the presentation slides online; they are accessible to anyone interested (German only).

[First part by Gerrit Gragert]
[Second part by Peter Gietz]

Consulting by DAASI International

As a service provider in the field of Identity & Access Management with a strong affinity to research, DAASI International regards the GDPR-compliant implementation of FIM as a matter close to its heart. We will gladly support any interested institution in joining an existing federation, such as the DFN-AAI or the global interfederation eduGAIN.
