
Hi,
Just want to say I agree with Meshna that "this system is too complicated for users to be able to make informed decisions" about the matter at hand.
Best, Jos
________________________________
From: FIM4L fim4l-bounces@lists.daasi.de on behalf of Bernd Oberknapp bo@ub.uni-freiburg.de
Sent: 15 March 2021 18:03
To: fim4l@lists.daasi.de
Subject: Re: [Fim4l] LexisNexis Advance
Hi Meshna,
this could be addressed in the way I've described - as a result there only would be one category with an optional pairwise-id/eduPersonTargetedID, and the user would have the choice.
Note that enforcing the release of a pairwise-id/eduPersonTargetedID that actually isn't required for a service is problematic: if a user would object to releasing this attribute, this would get the IdP operator or library into trouble. Giving the user the choice solves this problem.
Best regards, Bernd
On 15.03.21 17:35, Koren, Meshna (ELS-AMS) wrote:
Hi Jos,
Please also look into the REFEDS entity categories and the recent work there. If your recommendations to librarians propose some new concepts or terminology (transitory access), or parallel decision making, that's going to cause a lot of confusion.
We're trying to build a system where the attribute release is automated while at the same time appropriate. If an SP requests pseudonymous entity category but the librarian makes a different decision, what happens then? The system breaks, the user has bad experience, people spend time troubleshooting and fixing.
I understand it may be difficult for some people to take my word for it, but we, too, take the user privacy seriously. And libraries should be guarding user data, by all means, they just need to be informed correctly.
Thanks,
Meshna
*From:* Heather Flanagan hlf@sphericalcowconsulting.com
*Sent:* Monday, March 15, 2021 16:26
*To:* Jiri Pavlik jiri.pavlik@techlib.cz; Koren, Meshna (ELS-AMS) M.Koren@elsevier.com; Jos Westerbeke jos.westerbeke@eur.nl
*Cc:* fim4l@lists.daasi.de
*Subject:* Re: [Fim4l] LexisNexis Advance
I know it does not help matters, but I need to point out that eduPersonTargetedID is actually deprecated due to security concerns. Instead, organizations are encouraged to use the SAML attribute, subject-id
(https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.oasis...
Heather Flanagan — Translator of Geek to Human https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsphericalc...
On Mar 15, 2021, 8:18 AM -0700, Jos Westerbeke jos.westerbeke@eur.nl, wrote:
Hi Jiri, Bernd et al,

thank you for this discussion. This is very meaningful for downplaying the FIM4L recommendations 4.A and 4.B to a simpler level. We now have two recommendations which you (unfortunately) have to choose between:

4.A. Transitory Access - eduPersonTargetedID as optional would be fine for this.
4.B. Personalized Access - eduPersonTargetedID required. - And for 4.B the recommendation is to let it be for the SP side to offer a profile, voluntarily to be configured by users. So that in any way IdPs do not have to release PII. (https://www.fim4l.org/?page_id=257)

What would we actually recommend for librarians? Wouldn't it be nice to have just one option? I think it is too difficult for librarians to choose here. Reading the discussion, we can say that we cannot recommend going just for 4.B. And if librarians consider switching from IP to SAML they are very suspicious about privacy. Can we recommend for both IdPs and SPs to go for 4.A? What about recommending 4.A and having the option for 4.B when there is an agreement between IdP and SP about creating profiles, anchored in a contract? Should we recommend a contract clause alongside 4.B?

As far as I understand, I'm aware of what Meshna says: if you opt for 4.A then it is simply not possible to have a profile, which is very annoying if not impossible for our patrons.

Best,
Jos
------------------------------------------------------------------------
*From:* FIM4L <fim4l-bounces@lists.daasi.de> on behalf of Jiri Pavlik <jiri.pavlik@techlib.cz>
*Sent:* 15 March 2021 14:58
*To:* Koren, Meshna (ELS-AMS) <M.Koren@elsevier.com>
*Cc:* fim4l@lists.daasi.de <fim4l@lists.daasi.de>
*Subject:* Re: [Fim4l] LexisNexis Advance

Hi Meshna,

thanks a lot for the comments. At the Elsevier SP metadata [1] I can see:

eduPersonEntitlement (required)
eduPersonTargetedID (optional)

in DFN-AAI, IDEM or the Australian Access Federation. At the SP metadata in eduGAIN / UK Federation there are no requested attributes. At the SP metadata in eduID.at, SWITCHaai, InCommon, RENATER I can see:

eduPersonEntitlement (required)
eduPersonTargetedID (required)

It illustrates different approaches around the world to how to express optional ePTID release in SP metadata, and a challenge for one appropriate SP metadata in eduGAIN serving globally. To me

eduPersonEntitlement (required)
eduPersonTargetedID (optional)

seems the most appropriate.

Cheers
Jiri

1. https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmet.refeds...

On Mon, Mar 15, 2021 at 12:01 PM Koren, Meshna (ELS-AMS) <M.Koren@elsevier.com> wrote:

Please allow me to add something to this discussion.

"The university students and staff are free to use personalisation at Lexis Nexis, Elsevier, EBSCO, ProQuest services if they want to, so eduPersonScopedAffiliation (required) eduPersonEntitlement (required) eduPersonTargetedID (optional)..."

The students and staff can only use personalization when the IdP releases ePTID (or pairwiseID), otherwise they can't. I am not sure that this is clear from the metadata, nor that the labels we use to describe the required attributes are very clear on what 'optional' means. For example, when a student accesses ScienceDirect they can read subscribed articles whether or not ePTID has been released for them, but if they want to 'create account' because they would like to save searches, alerts or their search history, they can only do that if the IdP has released a persistent identifier for them. Otherwise they can't, because there's nothing in their SAML assertions that allows us to recognize the returning individual. So we are working towards requiring a persistent ID. The personalization remains optional for the user. That may not be the same for other SPs, but it is valid for Elsevier.

Kind regards,
Meshna

Meshna Koren
Product Manager II
Product Management - Identity and Access - Research Products
Elsevier BV
Radarweg 29, Amsterdam 1043 NX, The Netherlands
m.koren@elsevier.com
Federated Access - SAML, Shibboleth, Corporate SSO, OpenAthens, Institutional Login
Elsevier Access Support Center: https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fservice.el...
for your questions about which access methods Elsevier supports, how to set them up, how they work for users...

*From:* FIM4L <fim4l-bounces@lists.daasi.de> *On Behalf Of* Jiri Pavlik
*Sent:* Sunday, March 14, 2021 15:28
*To:* Bernd Oberknapp <bo@ub.uni-freiburg.de>
*Cc:* fim4l@lists.daasi.de
*Subject:* Re: [Fim4l] LexisNexis Advance

Hi Bernd,

I see,

eduPersonScopedAffiliation (required)
eduPersonEntitlement (required)

is working for Freiburg University and

eduPersonScopedAffiliation (required)
eduPersonEntitlement (required)
eduPersonTargetedID (required)

is not. The university students and staff are free to use personalisation at Lexis Nexis, Elsevier, EBSCO, ProQuest services if they want to, so

eduPersonScopedAffiliation (required)
eduPersonEntitlement (required)
eduPersonTargetedID (optional)

is working for the University as well. Is it correct?

All the best
Jiri

On Sat, Mar 13, 2021 at 2:40 PM Bernd Oberknapp <bo@ub.uni-freiburg.de> wrote:

Hi Jiri,

On 13.03.21 09:15, Jiri Pavlik wrote:
> When checking ProQuest SP for ProQuest Central in DFN-AAI metadata [1]
> I can see both eduPersonEntitlement and eduPersonTargetedID as required
> attributes.

I assume you mean the SP https://shibboleth-sp.prod.proquest.com/shibboleth

That's obviously wrong. Both eduPersonScopedAffiliation and eduPersonEntitlement are supported for authorization, but as far as I can tell you don't have to use them, and eduPersonTargetedID isn't required.

> Is it safe to assume that if there is personalisation capability at a
> library service then all German universities, libraries are fine with
> releasing eduPersonTargetedID for recognising returning users and
> eduPersonEntitlement, eduPersonScopedAffiliation for authorisation?

No. I can't speak for other IdPs, but in my opinion that approach would be wrong; users by default should be able to use services anonymously, without being recognized as a returning user. Based on what I can see in the admin tools, only a very small percentage of our users actually uses the personalization features, so releasing eduPersonTargetedID by default just for personalization isn't an option. If publishers would force us to send an eduPersonTargetedID just for personalization I would consider dropping Shibboleth for those publishers and using our EZproxy instead.

Best regards,
Bernd

--
Bernd Oberknapp
Head of ReDI
Albert-Ludwigs-Universität Freiburg
Universitätsbibliothek
Platz der Universität 2 | P.O. Box 1629
D-79098 Freiburg | D-79016 Freiburg
Phone: +49 761 203-3852
Fax: +49 761 203-3987
E-Mail: bo@ub.uni-freiburg.de
Internet: http://www.ub.uni-freiburg.de/
------------------------------------------------------------------------
Elsevier B.V. Registered Office: Radarweg 29, 1043 NX Amsterdam, The Netherlands, Registration No. 33158992, Registered in The Netherlands.
_______________________________________________
FIM4L mailing list
FIM4L@lists.daasi.de
http://lists.daasi.de/listinfo/fim4l
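As an added example (not code from anyone in this thread): the differing ways Jiri found the same SP's RequestedAttribute list expressed across federations (ePTID optional, ePTID required, or no requested attributes at all) can be checked mechanically rather than by eye. The script below parses SAML SP metadata, lists which attributes are marked required or optional, and flags two things an IdP operator cares about here: a persistent identifier (eduPersonTargetedID, pairwise-id or subject-id) marked isRequired="true", and any use of the deprecated eduPersonTargetedID, for which pairwise-id is the replacement. The metadata it runs on is constructed inline for a hypothetical sp.example.org; it is not any publisher's real metadata.

```python
"""Audit which attributes a SAML SP requests, and how, from its metadata.

Reads every <md:RequestedAttribute> under <md:AttributeConsumingService>
and reports (a) which attributes are marked required vs optional and
(b) whether a persistent identifier that lets the SP recognise a
returning user is marked required rather than optional.
"""
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Attribute identifiers discussed in the thread.
EPSA = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"    # eduPersonScopedAffiliation
EPE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"     # eduPersonEntitlement
EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID (deprecated)
PAIRWISE_ID = "urn:oasis:names:tc:SAML:attribute:pairwise-id"
SUBJECT_ID = "urn:oasis:names:tc:SAML:attribute:subject-id"

FRIENDLY = {
    EPSA: "eduPersonScopedAffiliation",
    EPE: "eduPersonEntitlement",
    EPTID: "eduPersonTargetedID",
    PAIRWISE_ID: "pairwise-id",
    SUBJECT_ID: "subject-id",
}

# Identifiers that allow the SP to recognise a returning user.
PERSISTENT_IDS = {EPTID, PAIRWISE_ID, SUBJECT_ID}


def requested_attributes(metadata_xml):
    """Return [(friendly_name, name, is_required), ...] in document order."""
    root = ET.fromstring(metadata_xml)
    result = []
    path = ".//md:AttributeConsumingService/md:RequestedAttribute"
    for ra in root.iterfind(path, MD_NS):
        name = ra.get("Name")
        # isRequired is an xs:boolean; when absent the attribute is optional.
        required = ra.get("isRequired", "false").strip().lower() in ("true", "1")
        result.append((FRIENDLY.get(name, ra.get("FriendlyName", name)), name, required))
    return result


def audit(metadata_xml):
    """Return (attribute, finding) pairs an IdP operator would want to review."""
    attrs = requested_attributes(metadata_xml)
    findings = []
    if not attrs:
        findings.append(("*", "no RequestedAttribute elements; the release policy "
                              "cannot be derived from this metadata"))
    for friendly, name, required in attrs:
        if name in PERSISTENT_IDS and required:
            findings.append((friendly, 'persistent identifier marked isRequired="true"'))
        if name == EPTID:
            findings.append((friendly, "eduPersonTargetedID is deprecated; "
                                       "pairwise-id is its replacement"))
    return findings


def sample_sp_metadata(requested):
    """Constructed SP metadata for a hypothetical sp.example.org (not any real
    publisher's). `requested` is a list of (Name, FriendlyName, isRequired);
    an empty list yields metadata with no AttributeConsumingService at all."""
    ras = "".join(
        f'<md:RequestedAttribute Name="{n}" FriendlyName="{f}" '
        f'isRequired="{str(r).lower()}"/>'
        for n, f, r in requested
    )
    acs = (
        '<md:AttributeConsumingService index="1">'
        '<md:ServiceName xml:lang="en">Example SP</md:ServiceName>'
        f"{ras}</md:AttributeConsumingService>"
    ) if requested else ""
    return (
        f'<md:EntityDescriptor xmlns:md="{MD_NS["md"]}" '
        'entityID="https://sp.example.org/shibboleth">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>'
        f"{acs}</md:SPSSODescriptor></md:EntityDescriptor>"
    )


if __name__ == "__main__":
    # The registrations of one SP that the thread compares, plus the pairwise-id variant.
    variants = {
        "ePTID optional (as seen in DFN-AAI, IDEM, AAF)": [
            (EPE, "eduPersonEntitlement", True), (EPTID, "eduPersonTargetedID", False)],
        "ePTID required (as seen in eduID.at, SWITCHaai, InCommon, RENATER)": [
            (EPE, "eduPersonEntitlement", True), (EPTID, "eduPersonTargetedID", True)],
        "no requested attributes (as seen in eduGAIN / UK federation)": [],
        "pairwise-id optional (the pairwise identifier Bernd mentions)": [
            (EPE, "eduPersonEntitlement", True), (PAIRWISE_ID, "pairwise-id", False)],
    }
    for label, req in variants.items():
        print(label)
        for attribute, finding in audit(sample_sp_metadata(req)):
            print(f"  {attribute}: {finding}")
```

Run against real federation metadata, `requested_attributes` is what lets an IdP operator see in one table what each federation's copy of an SP actually asks for; the two findings in `audit` are the ones this thread turns on, and the "no RequestedAttribute elements" case is a reminder that an SP registration with no AttributeConsumingService tells the IdP nothing about what to release.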