FW: [lis-e-resources] IP authentication - to switch off or not to switch off
I guess the below post is interesting for people on this list as well. Kindest regards,
Raoul On 27/03/2019, 10:57, "outreach@ra21.simplelists.commailto:outreach@ra21.simplelists.com on behalf of Julia Wallace" <outreach@ra21.simplelists.commailto:outreach@ra21.simplelists.com on behalf of julia@RA21.orgmailto:julia@RA21.org> wrote:
Hi everyone
Some interesting insights here (assumed mainly / exclusively UK).
Regards, Julia
From: An informal open list set up by UKSG - Connecting the Information Community [mailto:LIS-E-RESOURCES@JISCMAIL.AC.UK] On Behalf Of Barwick, Marie Sent: Wednesday, March 27, 2019 9:29 AM To: LIS-E-RESOURCES@JISCMAIL.AC.UK Subject: [lis-e-resources] IP authentication - to switch off or not to switch off
Dear all,
Q. “Some years ago we switched off IP access on campus in favour of relying on shibboleth authentication and our proxy server from on and off campus. There is some resistance to this now with some users advising that we are the only University that have done this so I would be very interested to find out if any others have also switched off IP authentication, and any feedback that they have received following this”?
Many thanks for all of your comments that I received in respect of this questions. Out of 12 institutions that responded, 5 of you did have IP authentication switched on from on-campus but 5 of you (including Warwick) didn’t and a further 2 are in the process of moving away from it. There were also responses from some institutions who did offer IP authentication but were interested in moving away from this.
It has been very useful for us to learn about the different experiences and approaches to authentication and has given us a better view of the landscape of this challenging issue.
As promised, here is a summary of the comments which have been anonymised.
********************************************************************************************************************************************************************************************
“I’m considering switching off IP access at XXXXXXXXXXXXXX and using OCLC’s hosted EZproxy as the recommended access route and Shibboleth as a back-up option. Drivers include a more consistent user experience on and off-campus, better security, and another is that I’m involved in a pilot with OCLC for a new analytics service they’re developing for EZproxy. Currently the tool would only provide a snapshot of usage whereas I think the stats would be more useful if they included all”
“We have received similar feedback around complexities of shibboleth authentication for students and academics when working off-campus. I personally don’t think this is specifically an issue with shibboleth or IP based authentication, but more the varied approach to implementation of sign-in links on different platforms. But this is also compounded by a sharp rise in expectations over the last few years where authentication in the consumer market (Amazon, Google, Twitter etc.) has vastly improved and reduced the need to remember a number of passwords and authentication routes/clicks. What this means for us and our students is that they see the 100 or so content platforms subscribed to by an institution as essentially the same thing in terms of how routes to access should work (as this is their experience elsewhere), they are provided by a single institution so why wouldn’t access simply work exactly the same across all of them – especially when on-campus SSO is standard. For the record, we currently have a mixed economy of IP and Shibboleth (preferring wayfless shibb routes wherever possible) but are also likely to be implementing EZ Proxy soon to help reduce some of the friction for off campus access”
“Lack of IP authentication has also been raised as an issue by academic colleagues at XXXXXXXXX. Like others we favour Shibboleth but also use EZproxy. We have a restricted profile that we use for Walk-In users. As well as providing a Consistent experience (although this is vulnerable to the challenge that it is consistently difficult compared with IP authentication) it also allows us to provide access to our network to folk who are not, in strict licensing terms, members of the University (something academic colleagues have also requested)” “We always favour Shibboleth authentication using WAYFless url’s when possible and have done this for a number of years. For resources that only support IP we use a proxy server. Our reasoning being that it is easier for the students if the logging in experience is the same both on and off campus (rather than relying on IP when on campus and then having to login when off campus). Recently we have migrated to single sign-on so thinking about it, this probably isn’t the case anymore, with access being seamless in a lot of cases from on campus but requiring a login from off”
“We use PingFederate (SAML) and EZproxy on campus. IP is no longer an option because we have a web filter in operation which obscures our IP range. The latter set up has caused some issues because we have found that, if we go direct to a site, we are sometimes recognised as another organisation using the same web filter. They have presumably provided the eresource supplier with the shared web filter IP range”
“Same here. We use a range of authentication but obviously Shibboleth is more secure than IP and we are trying to move that way. It’s hard to do it with everything though so would be really interested to hear others experiences”
“We do not do this – we have access via a mixture of Shibboleth, IP and EZproxy – but I would be very interested to hear the responses to this thread, if you were able to collate and share with the group”
“Here at XXXXXXXXX we don’t IP authenticate to any resources, preferring to use Shib or EZProxy. Both of these methods work pretty seamlessly for us and to my knowledge we’ve not had any complaints about not using IP. Given the increasing occurrence of reported/detected eResource misuse (whether intentional or deliberate) I’d prefer we have definite user accountability to be able to deal with such instances when they occur. (It not that this is prolific, but we get maybe one every month or so that we need to investigate)”
“We are in the process of doing the same, wherever possible, we don’t have a proxy server so some, although not much IP recognition will remain. We are linking WAYFlessly where we can and are discovering, in the process, that WAYFless linking via the Alma link resolver is not quite as developed as the literature would indicate, including for some fairly big suppliers such as Emerald and JSTOR”
“I would not choose to do so although I can see the benefit it might bring in monitoring usage by department and so on. We have integrated Shibboleth into our single sign-on system including EZproxy. However, we know that more than half the users access content via internet search engines. Many users do not know about Shibboleth, even if they are shown it as an access option at the beginning of their studies / during information literacy sessions. The lack of uniformity in the signing on process is another concern. Also some publishers still do not offer federated access. It is useful to offer redundancy in access including via anonymous IP authentication or a VPN client without the need for extra clicks. Otherwise overall usage is impacted adversely”
“I’d be very interested to see what other institutions do. We’re also on IP, EZproxy and Shibboleth at the moment. Would Shibboleth-only authentication present problems for walk-in users for instance?”
Best wishes,
Marie
Marie Barwick | Resources Manager (Serials e-Resources and Digital Access) Resource Acquisitions and Digital Access | Library | University of Warwickhttp://www2.warwick.ac.uk/ m.s.barwick@warwick.ac.ukmailto:m.s.barwick@warwick.ac.uk | External: 02476 573011 | Internal:73011 The Library | University of Warwick | Coventry | CV4 7AL | Find us on the interactive maphttp://www2.warwick.ac.uk/about/visiting/maps/interactive/
lis-e-resources is a UKSG list - http://www.uksg.org UKSG groups also available on Facebook and LinkedIn Follow us on Twitter: https://twitter.com/UKSG
To unsubscribe from this list please go to http://www.simplelists.com/confirm.php?u=5BIgC6Wynh2gSnqJeLuIcsPlyXSwYNLx
Am 27.03.2019 um 16:37 schrieb Raoul Teeuwen:
I guess the below post is interesting for people on this list as well.
Very much so. Thanks for posting. Cheers, Peter
Kindest regards,
Raoul
On 27/03/2019, 10:57, "outreach@ra21.simplelists.com mailto:outreach@ra21.simplelists.com on behalf of Julia Wallace" <outreach@ra21.simplelists.com mailto:outreach@ra21.simplelists.com on behalf of julia@RA21.org mailto:julia@RA21.org> wrote:
Hi everyone
Some interesting insights here (assumed mainly / exclusively UK).
Regards, Julia
*From:*An informal open list set up by UKSG - Connecting the Information Community [mailto:LIS-E-RESOURCES@JISCMAIL.AC.UK] *On Behalf Of *Barwick, Marie *Sent:* Wednesday, March 27, 2019 9:29 AM *To:* LIS-E-RESOURCES@JISCMAIL.AC.UK *Subject:* [lis-e-resources] IP authentication - to switch off or not to switch off
Dear all,
**
*Q. “Some years ago we switched off IP access on campus in favour of relying on shibboleth authentication and our proxy server from on and off campus. There is some resistance to this now with some users advising that we are the only University that have done this so I would be very interested to find out if any others have also switched off IP authentication, and any feedback that they have received following this”?*
Many thanks for all of your comments that I received in respect of this questions. Out of 12 institutions that responded, 5 of you did have IP authentication switched on from on-campus but 5 of you (including Warwick) didn’t and a further 2 are in the process of moving away from it. There were also responses from some institutions who did offer IP authentication but were interested in moving away from this.
It has been very useful for us to learn about the different experiences and approaches to authentication and has given us a better view of the landscape of this challenging issue.
As promised, here is a summary of the comments which have been anonymised.
“I’m considering switching off IP access at XXXXXXXXXXXXXX and using OCLC’s hosted EZproxy as the recommended access route and Shibboleth as a back-up option.
Drivers include a more consistent user experience on and off-campus, better security, and another is that I’m involved in a pilot with OCLC for a new analytics service they’re developing for EZproxy. Currently the tool would only provide a snapshot of usage whereas I think the stats would be more useful if they included all”
“We have received similar feedback around complexities of shibboleth authentication for students and academics when working off-campus.
I personally don’t think this is specifically an issue with shibboleth or IP based authentication, but more the varied approach to implementation of sign-in links on different platforms. But this is also compounded by a sharp rise in expectations over the last few years where authentication in the consumer market (Amazon, Google, Twitter etc.) has vastly improved and reduced the need to remember a number of passwords and authentication routes/clicks.
What this means for us and our students is that they see the 100 or so content platforms subscribed to by an institution as essentially the same thing in terms of how routes to access should work (as this is their experience elsewhere), they are provided by a single institution so why wouldn’t access simply work exactly the same across all of them – especially when on-campus SSO is standard.
For the record, we currently have a mixed economy of IP and Shibboleth (preferring wayfless shibb routes wherever possible) but are also likely to be implementing EZ Proxy soon to help reduce some of the friction for off campus access”
“Lack of IP authentication has also been raised as an issue by academic colleagues at XXXXXXXXX. Like others we favour Shibboleth but also use EZproxy. We have a restricted profile that we use for Walk-In users. As well as providing a Consistent experience (although this is vulnerable to the challenge that it is consistently difficult compared with IP authentication) it also allows us to provide access to our network to folk who are not, in strict licensing terms, members of the University (something academic colleagues have also requested)”
“We always favour Shibboleth authentication using WAYFless url’s when possible and have done this for a number of years. For resources that only support IP we use a proxy server. Our reasoning being that it is easier for the students if the logging in experience is the same both on and off campus (rather than relying on IP when on campus and then having to login when off campus). Recently we have migrated to single sign-on so thinking about it, this probably isn’t the case anymore, with access being seamless in a lot of cases from on campus but requiring a login from off”
“We use PingFederate (SAML) and EZproxy on campus. IP is no longer an option because we have a web filter in operation which obscures our IP range. The latter set up has caused some issues because we have found that, if we go direct to a site, we are sometimes recognised as another organisation using the same web filter. They have presumably provided the eresource supplier with the shared web filter IP range”
“Same here. We use a range of authentication but obviously Shibboleth is more secure than IP and we are trying to move that way. It’s hard to do it with everything though so would be really interested to hear others experiences”
“We do not do this – we have access via a mixture of Shibboleth, IP and EZproxy – but I would be very interested to hear the responses to this thread, if you were able to collate and share with the group”
“Here at XXXXXXXXX we don’t IP authenticate to any resources, preferring to use Shib or EZProxy. Both of these methods work pretty seamlessly for us and to my knowledge we’ve not had any complaints about not using IP. Given the increasing occurrence of reported/detected eResource misuse (whether intentional or deliberate) I’d prefer we have definite user accountability to be able to deal with such instances when they occur. (It not that this is prolific, but we get maybe one every month or so that we need to investigate)”
“We are in the process of doing the same, wherever possible, we don’t have a proxy server so some, although not much IP recognition will remain. We are linking WAYFlessly where we can and are discovering, in the process, that WAYFless linking via the Alma link resolver is not quite as developed as the literature would indicate, including for some fairly big suppliers such as Emerald and JSTOR”
“I would not choose to do so although I can see the benefit it might bring in monitoring usage by department and so on. We have integrated Shibboleth into our single sign-on system including EZproxy. However, we know that more than half the users access content via internet search engines. Many users do not know about Shibboleth, even if they are shown it as an access option at the beginning of their studies / during information literacy sessions. The lack of uniformity in the signing on process is another concern. Also some publishers still do not offer federated access. It is useful to offer redundancy in access including via anonymous IP authentication or a VPN client without the need for extra clicks. Otherwise overall usage is impacted adversely”
“I’d be very interested to see what other institutions do. We’re also on IP, EZproxy and Shibboleth at the moment. Would Shibboleth-only authentication present problems for walk-in users for instance?”
Best wishes,
Marie
*Marie Barwick | Resources Manager (Serials e-Resources and Digital Access) *
Resource Acquisitions and Digital Access | Library | University of Warwick http://www2.warwick.ac.uk/ m.s.barwick@warwick.ac.uk mailto:m.s.barwick@warwick.ac.uk | External: 02476 573011 | Internal:73011
The Library | University of Warwick | Coventry | CV4 7AL | Find us on the interactive map http://www2.warwick.ac.uk/about/visiting/maps/interactive/
lis-e-resources is a UKSG list - http://www.uksg.org UKSG groups also available on Facebook and LinkedIn Follow us on Twitter: https://twitter.com/UKSG
To unsubscribe from this list please go to http://www.simplelists.com/confirm.php?u=5BIgC6Wynh2gSnqJeLuIcsPlyXSwYNLx
FIM4L mailing list FIM4L@lists.daasi.de http://lists.daasi.de/listinfo/fim4l
Teilnehmer (2)
-
Peter Gietz -
Raoul Teeuwen