
On 26.02.20 13:28, Koren, Meshna (ELS-AMS) wrote:
We know what the risk for Elsevier would have been if we allowed a user to be remembered, and clearly we'd need to be able to manage mass download. I was more wondering whether allowing the user to be remembered for an extended period of time would in some way be inconvenient to the IdPs/institutions. Would we be breaking some unwritten FIM rules by remembering a user for 3 month (this is just an arbitrary lenght)?
I don't think this would break unwritten rules, but this could cause problems. One issue could be that users only allowed to access the licensed content as walk-in-patrons could get access from everywhere by simply visiting the library every 3 months - another issue you would have to address in license contracts (not just new license contracts but all existing ones...). Another issue could be users affilitated with multiple institutions, they would need an option to "be forgotten" (or you would have to allow multiple simultaneous logins as SpringerLink does). I think such a remember me feature also could make things more complex for the library help desk. As already mentioned this would add usage from users no longer affiliated with the institution which might have unwanted effects.
From the IdP perspective that would mean that users that have signed in to IdP every day would then sign in every 3 month. It would also mean that a user that is disabled through IdP (because they leave the institution) can still access institutional subscriptions for another 3 month.
Does anyone keep track of that? Does anyone care? Is a daily control of usage expected/desired by anyone? Is there some other reason that we should keep a user signed in for 3 month?
We keep track of how many authentications occurs for SPs, but we don't use that information for any evaluations. Of course we are not allowed to keep track of how often individual users authenticate.
Note that the ScienceDirect SP currently is in the DFN-AAI Advanced which requires user information to be updated within two weeks. Some institutions that are not able to meet this requirement might question why Elsevier requires the Advanced level when users can access ScienceDirect for several months after leaving the institution via the remember me feature.
Best regards, Bernd