Ted Koppel The Library Corporation
Authentication –Validation of user credentials –Based on individual –Usually local function Authorization –Validation of institutions permissions / contracts –Almost always a remote function –More involved with license constraints
We know the players (next slide) but We dont yet know all of their needs We know some of the goals and We know of some options to reach those goals but Not all options meet all needs. In fact, some are inimical to meeting these needs HOWEVER We know what we want to avoid
Needs access to information / data Understands need to present credentials ONCE Wants his anonymity but also wants his privileges Carries attributes (Grad Student in Engineering School) that provide Entitlements to certain resources
Examines and approves/disapproves credentials Depends on institutional structure –Library Borrower Database –Campus-wide login (university) –State-supported databases (OPLIN, FindItVa) Needs to return a yes or no and send it upstream
The entity through which the User derives his entitlements May be the same as the Authenticator Controls the privileges of individuals and groups Various levels: –Department –Library –Campus –Statewide
May be the ILS May be a Library or Campus-wide Portal May be the Authenticator and/or the Licensee Has to present authentication screens to users and manage the results and send them upstream Often has to handle multiple authentication schemes
Can handle rudimentary authentication itself if required Acts as pass-through for authentication information but Must be able to trust the varying sources of authentication that it receives Has to translate authentication from source to multiple targets
Wants to sell data, have it used and respected, while Restricting access to valuable intellectual property and protecting investment Must be able to trust the authentication from all of the downstream sources
Contradiction: anonymity versus personalization (the user) Contradiction: wide use and acceptance versus branding (database provider) Contradiction: needs of the academic and public library sectors (wanting identity masking) versus commercial information providers (needing billable accountability)
tried and true mechanisms –IP address permission –Referring URL validation –URL-embedded userid/password –Vendor-provided script –Local or SIP2/NCIP password verification Limited and arcane
Shibboleth (or similar) –Builds on trust relationships between parties –Allows local authentication by any means –Transmits the fact of approval and attributes of the user but –Preserves personal anonymity through use of –communities and clubs as entities that receive privileges
X509 (or other) digital certificates issued by authenticator PAPI = Point of Access to Providers of Information (local authorization, Spain) Athens (single sign-on scheme, UK) And various others
Creation of subcommittees to draft mission statements for pre-standards activity Develop use cases to understand all aspects of authentication Examine and evaluate existing work in authentication Determine what approach(es) might be best practices or (at worst) develop a new authentication scheme
Certifying the user (or organization) from the Authenticator to the Data Provider, by way of the Metasearch provider, in such a way that the messages can be trusted from the source to the destination, so that the services to which the user is entitled can be delivered.
Authentication to Licensed Resources (JSTOR) (discusses JSTORs approaches to authentication) Access Management for Networked Information Resources by Clifford Lynch (overview article) Authorization/Authentication for Patron Remote Access to Electronic Resources (powerpoint by Kerry Bouchard) htm (useful visual introduction to issues relating to authorization) A White Paper on Authentication and Access Management Issues in Cross-organizational Use of Networked Information Resources by Clifford Lynch, editor wp.html
Ted Koppel The Library Corporation