
Just want to say I agree with Meshna that "This system is too complicated for users to be able to make informed decisions" about the matter at hand.


From: FIM4L <fim4l-bounces@lists.daasi.de> on behalf of Bernd Oberknapp <bo@ub.uni-freiburg.de>
Sent: 15 March 2021 18:03
To: fim4l@lists.daasi.de <fim4l@lists.daasi.de>
Subject: Re: [Fim4l] LexisNexis Advance
Hi Meshna,

this could be addressed in the way I've described - as a result there
would only be one category with an optional
pairwise-id/eduPersonTargetedID, and the user would have the choice.

Note that enforcing the release of a pairwise-id/eduPersonTargetedID
that actually isn't required for a service is problematic - if a user
would object to releasing this attribute, this would get the IdP operator
or library into trouble. Giving the user the choice solves this problem.

Best regards,

On 15.03.21 17:35, Koren, Meshna (ELS-AMS) wrote:
 > Hi Jos,
 > Please also look into the REFEDS entity categories and the recent work
 > there. If your recommendations to librarians propose some new concepts
 > or terminology (transitory access), or parallel decision making, that's
 > going to cause a lot of confusion.
 > We're trying to build a system where the attribute release is automated
 > while at the same time appropriate. If an SP requests pseudonymous
 > entity category but the librarian makes a different decision, what
 > happens then? The system breaks, the user has bad experience, people
 > spend time troubleshooting and fixing.
 > I understand it may be difficult for some people to take my word for it,
 > but we, too, take the user privacy seriously. And libraries should be
 > guarding user data, by all means, they just need to be informed.
 > Thanks,
 > Meshna
 > *From:* Heather Flanagan <hlf@sphericalcowconsulting.com>
 > *Sent:* Monday, March 15, 2021 16:26
 > *To:* Jiri Pavlik <jiri.pavlik@techlib.cz>; Koren, Meshna (ELS-AMS)
 > <M.Koren@elsevier.com>; Jos Westerbeke <jos.westerbeke@eur.nl>
 > *Cc:* fim4l@lists.daasi.de
 > *Subject:* Re: [Fim4l] LexisNexis Advance
 > I know it does not help matters, but I need to point out that
 > eduPersonTargetedID is actually deprecated due to security concerns.
 > Instead, organizations are encouraged to use the SAML attribute
 > subject-id.

 > Heather Flanagan — Translator of Geek to Human
 > https://sphericalcowconsulting.com/
 > On Mar 15, 2021, 8:18 AM -0700, Jos Westerbeke <jos.westerbeke@eur.nl>,
 > wrote:
 >     Hi Jiri, Bernd et al,
 >     thank you for this discussion. This is very meaningful for
 >     downplaying the FIM4L recommendations 4.A and 4.B to a more simple
 >     level.
 >     We now have two recommendations which you have to (unfortunately)
 >     choose:
 >     4.A. Transitory Access - eduPersonTargetedID as optional would be
 >     fine for this.
 >     4.B. Personalized Access - eduPersonTargetedID required.
 >     - And for 4.B the recommendation is to let it be for the SP side to
 >     offer a profile, voluntarily to configure by users. So that in any
 >     way IdP's do not have to release PII.
 >     (https://www.fim4l.org/?page_id=257)
 >     What would we actually recommend for librarians? Wouldn't it be nice
 >     to have just one option? I think it is too difficult for librarians
 >     to choose here.
 >     Reading the discussion, we can say that we cannot recommend going
 >     just for 4.B. And if librarians consider switching from IP to SAML
 >     they are very suspicious about privacy.
 >     Can we recommend for both IdP's and SP's to go for 4.A?
 >     What about recommending 4.A and have the option for 4.B when there
 >     is an agreement between IdP and SP about creating profiles, anchored
 >     in a contract?
 >     Should we recommend a contract clause alongside 4.B?
 >     As far as I understand, I'm aware of what Meshna says: If you opt
 >     for 4.A then it is simply not possible to have a profile, which is
 >     very annoying if not impossible for our patrons.
 >     Best,
 >     Jos
 >     *From:*FIM4L <fim4l-bounces@lists.daasi.de> on behalf of Jiri Pavlik
 >     <jiri.pavlik@techlib.cz>
 >     *Sent:* 15 March 2021 14:58
 >     *To:* Koren, Meshna (ELS-AMS) <M.Koren@elsevier.com>
 >     *Cc:* fim4l@lists.daasi.de <fim4l@lists.daasi.de>
 >     *Subject:* Re: [Fim4l] LexisNexis Advance
 >     Hi Meshna,
 >     thanks a lot for the comments.
 >     At Elsevier SP metadata [1] I can see:
 >       eduPersonEntitlement (required)
 >       eduPersonTargetedID (optional)
 >     in DFN-AAI, IDEM or Australian Access Federation.
 >     At the SP metadata in eduGAIN / UK Federation there are no requested
 >     attributes.
 >     At the SP metadata in eduID.at, SWITCHaai, InCommon, RENATER I can see:
 >         eduPersonEntitlement (required)
 >         eduPersonTargetedID (required)
 >     It illustrates different approaches around the world how to express
 >     optional ePTID release
 >     in SP metadata and a challenge for one appropriate SP metadata in
 >     eduGAIN serving globally.
 >     To me
 >          eduPersonEntitlement (required)
 >          eduPersonTargetedID (optional)
 >     seems as the most appropriate.
 >     Cheers
 >                        Jiri
 >     1.
 >     On Mon, Mar 15, 2021 at 12:01 PM Koren, Meshna (ELS-AMS)
 >     <M.Koren@elsevier.com <mailto:M.Koren@elsevier.com>> wrote:
 >         Please allow me to add something to this discussion.
 >         "The university students and staff are free to use
 >         personalisation at Lexis Nexis,
 >         Elsevier, EBSCO, ProQuest services if they want to so
 >            eduPersonScopedAffiliation (required)
 >            eduPersonEntitlement  (required)
 >            eduPersonTargetedID (optional)..."
 >         The students and staff can only use personalization when the IdP
 >         releases ePTID (or pairwiseID), otherwise they can't. I am not
 >         sure that this is clear from the metadata nor that the labels we
 >         use to describe the required attributes are very clear on what
 >         'optional' means.
 >         For example, when a student accesses ScienceDirect they can read
 >         subscribed articles whether or not ePTID has been released for
 >         them, but if they want to 'create account' because they would
 >         like to save searches, alerts or their search history, they can
 >         only do that if the IdP has released a persistent identifier for
 >         them. Otherwise they can't, because there's nothing in their
 >         SAML assertions that allows us to recognize the returning
 >         individual. So we are working towards requiring a persistent ID.
 >         The personalization remains optional for the user.
 >         That may not be the same for other SPs, but it is valid for
 >         Elsevier.
 >         Kind regards,
 >         Meshna
 >         Meshna Koren
 >         Product Manager II
 >         Product Management - Identity and Access - Research Products
 >         Elsevier BV
 >         Radarweg 29, Amsterdam 1043 NX, The Netherlands
 >         m.koren@elsevier.com <mailto:m.koren@elsevier.com>
 >         Federated Access - SAML, Shibboleth, Corporate SSO, OpenAthens,
 >         Institutional Login
 >         Elsevier Access Support Center:
 >         for your questions about which access methods does Elsevier
 >         support, how to set them up, how do they work for users...
 >         *From:* FIM4L <fim4l-bounces@lists.daasi.de
 >         <mailto:fim4l-bounces@lists.daasi.de>> *On Behalf Of* Jiri Pavlik
 >         *Sent:* Sunday, March 14, 2021 15:28
 >         *To:* Bernd Oberknapp <bo@ub.uni-freiburg.de
 >         <mailto:bo@ub.uni-freiburg.de>>
 >         *Cc:* fim4l@lists.daasi.de <mailto:fim4l@lists.daasi.de>
 >         *Subject:* Re: [Fim4l] LexisNexis Advance
 >         Hi Bernd,
 >         I see,
 >            eduPersonScopedAffiliation (required)
 >            eduPersonEntitlement  (required)
 >         is working for Freiburg University and
 >            eduPersonScopedAffiliation (required)
 >            eduPersonEntitlement  (required)
 >            eduPersonTargetedID (required)
 >         is not.
 >         The university students and staff are free to use
 >         personalisation at Lexis Nexis,
 >         Elsevier, EBSCO, ProQuest services if they want to so
 >            eduPersonScopedAffiliation (required)
 >            eduPersonEntitlement  (required)
 >            eduPersonTargetedID (optional)
 >         is working for the University as well.
 >         Is it correct?
 >         All the best
 >                    Jiri
 >                 On Sat, Mar 13, 2021 at 2:40 PM Bernd Oberknapp
 >                 <bo@ub.uni-freiburg.de <mailto:bo@ub.uni-freiburg.de>>
 >                 wrote:
 >                     Hi Jiri,
 >                     On 13.03.21 09:15, Jiri Pavlik wrote:
 >                       > When checking ProQuest SP for ProQuest Central
 >                     in DFN-AAI metadata [1]
 >                       > I can see both eduPersonEntitlement and
 >                     eduPersonTargetedID as required
 >                       > attributes.
 >                     I assume you mean the SP
 >                     https://shibboleth-sp.prod.proquest.com/shibboleth
 >                     That's obviously
 >                     wrong, both eduPersonScopedAffiliation and
 >                     eduPersonEntitlement are
 >                     supported for authorization, but as far as I can
 >                     tell you don't have to
 >                     use them, and eduPersonTargetedID isn't required.
 >                       > Is it safe to assume that if there is
 >                     personalisation capability at a
 >                       > library service then all German universities,
 >                     libraries are fine with
 >                       > releasing eduPersonTargetedID for recognising
 >                     returning users and
 >                       > eduPersonEntitlement, eduPersonScopedAffiliation
 >                     for authorisation?
 >                     No. I can't speak for other IdPs, but in my opinion
 >                     that approach would
 >                     be wrong, users by default should be able to use
 >                     services anonymously,
 >                     without being recognized as a returning user. Based
 >                     on what I can see in
 >                     the admin tools, only a very small percentage of our
 >                     users actually uses
 >                     the personalization features, so releasing
 >                     eduPersonTargetedID by
 >                     default just for personalization isn't an option. If
 >                     publishers would
 >                     force us to send an eduPersonTargetedID just for
 >                     personalization I would
 >                     consider dropping Shibboleth for those publishers
 >                     and using our EZproxy
 >                     instead.
 >                     Best regards,
 >                     Bernd
 >                     --
 >                     Bernd Oberknapp
 >                     Gesamtleitung ReDI
 >                     Albert-Ludwigs-Universität Freiburg
 >                     Universitätsbibliothek
 >                     Platz der Universität 2 | Postfach 1629
 >                     D-79098 Freiburg        | D-79016 Freiburg
 >                     Telefon:  +49 761 203-3852
 >                     Telefax:  +49 761 203-3987
 >                     E-Mail: bo@ub.uni-freiburg.de
 >                     <mailto:bo@ub.uni-freiburg.de>
 >                     Internet: http://www.ub.uni-freiburg.de/
 >         Elsevier B.V. Registered Office: Radarweg 29, 1043 NX Amsterdam,
 >         The Netherlands, Registration No. 33158992, Registered in The
 >         Netherlands.
 >     _______________________________________________
 >     FIM4L mailing list
 >     FIM4L@lists.daasi.de
 >     http://lists.daasi.de/listinfo/fim4l

Bernd Oberknapp
Gesamtleitung ReDI

Albert-Ludwigs-Universität Freiburg
Platz der Universität 2 | Postfach 1629
D-79098 Freiburg        | D-79016 Freiburg

Telefon:  +49 761 203-3852
Telefax:  +49 761 203-3987
E-Mail:   bo@ub.uni-freiburg.de
Internet: http://www.ub.uni-freiburg.de/
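Added example, not part of the thread above and not code from FIM4L, Elsevier, ProQuest or any federation: a small Python check of how an SP's SAML 2.0 metadata asks for attributes, covering the three patterns Jiri lists (eduPersonTargetedID optional, no RequestedAttribute at all, eduPersonTargetedID required) and the same SP after it has moved to the pairwise-id attribute that Bernd mentions and that the deprecation Heather raises points towards. The sample metadata, the entityID sp.example.org and the function names are constructed for this example; the eduPerson OIDs, the pairwise-id/subject-id names and the md namespace are the standard ones. The check also treats a RequestedAttribute without an isRequired flag as optional, which is what the metadata schema's default means.

```python
"""Inspect how an SP's SAML 2.0 metadata requests attributes (added example).

Parses md:RequestedAttribute elements, reports which are required vs optional,
flags the deprecated eduPersonTargetedID, and says what the persistent-identifier
choice means for anonymous use. All sample metadata below is constructed.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Standard attribute names as they appear in metadata (eduPerson in urn:oid form).
EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"          # eduPersonTargetedID (deprecated)
EP_ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
EP_SCOPED_AFF = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
PAIRWISE_ID = "urn:oasis:names:tc:SAML:attribute:pairwise-id"
SUBJECT_ID = "urn:oasis:names:tc:SAML:attribute:subject-id"
FRIENDLY = {EPTID: "eduPersonTargetedID", EP_ENTITLEMENT: "eduPersonEntitlement",
            EP_SCOPED_AFF: "eduPersonScopedAffiliation",
            PAIRWISE_ID: "pairwise-id", SUBJECT_ID: "subject-id"}
PERSISTENT_IDS = (EPTID, PAIRWISE_ID, SUBJECT_ID)


def requested_attributes(metadata_xml: str) -> dict:
    """Map attribute Name -> isRequired for every md:RequestedAttribute of the SP.

    isRequired is optional in the schema and defaults to false, so an SP that
    omits it is asking for an optional attribute.
    """
    root = ET.fromstring(metadata_xml)
    path = ".//md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return {ra.get("Name"): ra.get("isRequired", "false").lower() in ("true", "1")
            for ra in root.iterfind(path, NS)}


def assess(metadata_xml: str) -> list:
    """Findings an IdP operator or library would want before deciding what to release."""
    attrs = requested_attributes(metadata_xml)
    if not attrs:
        return ["no RequestedAttribute elements: requirements are not machine-readable, ask the SP"]
    findings = [f"{FRIENDLY.get(n, n)}: {'required' if r else 'optional'}" for n, r in attrs.items()]
    if EPTID in attrs:
        findings.append("eduPersonTargetedID is deprecated; request pairwise-id instead")
    persistent = [n for n in PERSISTENT_IDS if n in attrs]
    if any(attrs[n] for n in persistent):
        findings.append("a persistent identifier is marked required: anonymous use of the service is not possible")
    elif persistent:
        findings.append("persistent identifier is optional: release it only where the user chooses personalization")
    else:
        findings.append("no persistent identifier requested: the SP cannot recognize returning users")
    return findings


# --- constructed sample metadata (hypothetical entityID, not a real SP) ---
def _ra(name, required):
    """One RequestedAttribute; required=None omits isRequired to exercise the schema default."""
    flag = "" if required is None else f' isRequired="{str(required).lower()}"'
    return f'      <md:RequestedAttribute Name="{name}" NameFormat="{URI_FMT}"{flag}/>'


def _sp_metadata(*requested):
    """Minimal SP EntityDescriptor; with no pairs there is no AttributeConsumingService at all."""
    acs = ""
    if requested:
        acs = ('    <md:AttributeConsumingService index="1">\n'
               '      <md:ServiceName xml:lang="en">Example service</md:ServiceName>\n'
               + "\n".join(_ra(n, r) for n, r in requested) + "\n"
               '    </md:AttributeConsumingService>\n')
    return (f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.org/shibboleth">\n'
            '  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n'
            '    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"\n'
            '        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>\n'
            f'{acs}'
            '  </md:SPSSODescriptor>\n'
            '</md:EntityDescriptor>\n')


# The three patterns seen in different federations, plus the same SP after moving off eduPersonTargetedID.
SP_EPTID_OPTIONAL = _sp_metadata((EP_ENTITLEMENT, True), (EPTID, False))
SP_NO_REQUESTED = _sp_metadata()
SP_EPTID_REQUIRED = _sp_metadata((EP_ENTITLEMENT, True), (EPTID, True))
SP_PAIRWISE_OPTIONAL = _sp_metadata((EP_ENTITLEMENT, True), (PAIRWISE_ID, None))  # isRequired omitted

if __name__ == "__main__":
    for label, md in [("ePTID optional", SP_EPTID_OPTIONAL), ("no RequestedAttribute", SP_NO_REQUESTED),
                      ("ePTID required", SP_EPTID_REQUIRED), ("pairwise-id optional", SP_PAIRWISE_OPTIONAL)]:
        print(f"== {label}")
        for finding in assess(md):
            print("  -", finding)
```

Run it against a real SP's metadata by passing the downloaded EntityDescriptor to assess(); the interesting case in the thread is an SP that publishes different isRequired flags in different federations, which this check makes visible per metadata file.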