Dear Clarivate representatives,
prompted by some users in Italy, we have found that Clarivate's InCites introduced a registration flow after a successful institutional login. Users are compelled to register an email address and to set an additional password in order to access InCites.
This breaks the trust model at the base of federated authentication and attribute release. The attributes needed to provide access to the service should be listed in the metadata and not requested in a separate flow that is unseen by the Home Organization Identity Provider and the Identity Federation.
We kindly ask you to eliminate the registration flow and we suggest you follow the recommendations below, which have been developed by the FIM4L working group [1], which is composed of Librarians, Publishers and Identity Specialists from the Research and Education Identity Federation environment:
- Don't ask users to create a new account after they have been authenticated by their institution. Link user institutional identity to InCites user account.
- List all the required attributes in InCites SP metadata published to eduGAIN (for example eduPersonScopedAffiliation, eduPersonEntitlement, Pairwise Subject Identifier).
- Implement a Seamless Access [2] sign in button and WAYF.
- Declare compliance with the GÉANT Data Protection Code of Conduct [3] in InCites SP metadata in eduGAIN.
- Declare compliance with the assertions of the REFEDS Sirtfi framework [4] in InCites SP metadata in eduGAIN.
A great additional benefit in following FIM4L recommendations is that you can leverage the SeamlessAccess.org free discovery service and standardised sign in button developed in collaboration with NISO and International Association of STM Publishers.
Kind regards,
Davide Vaghetti (IDEM GARR AAI) and Jiri Pavlik (eduID.cz) on behalf of FIM4L
[1] https://www.fim4l.org/?page_id=257
[2] https://seamlessaccess.org/
[3] https://wiki.geant.org/display/eduGAIN/Recipe+for+a+Service+Provider
[4] https://refeds.org/sirtfi
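
Added example, not part of the letter and not FIM4L's or Clarivate's code: a small audit of an SP's SAML metadata against the metadata-related recommendations above (requested attributes, Code of Conduct, Sirtfi). The sample metadata and its entityID are constructed, and the attribute names and entity-attribute URIs are taken from the public eduPerson, SAML, GÉANT and REFEDS specifications rather than from the letter.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
SIRTFI = "https://refeds.org/sirtfi"
# Attributes named in the letter, mapped to their SAML attribute names.
WANTED = {
    "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
    "eduPersonEntitlement": "urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
    "pairwise-id": "urn:oasis:names:tc:SAML:attribute:pairwise-id",
}

# Constructed metadata for a hypothetical SP (not InCites' real metadata).
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="http://macedir.org/entity-category">
      <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oasis:names:tc:SAML:attribute:pairwise-id" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def audit(xml_text):
    """Report which metadata recommendations an SP entity descriptor meets."""
    root = ET.fromstring(xml_text)
    requested = {ra.get("Name") for ra in root.iterfind(".//md:RequestedAttribute", NS)}
    ent = {}  # entity attribute name -> set of asserted values
    for a in root.iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS):
        ent.setdefault(a.get("Name"), set()).update(
            (v.text or "").strip() for v in a.iterfind("saml:AttributeValue", NS))
    return {
        "missing_attributes": sorted(n for n, oid in WANTED.items() if oid not in requested),
        "code_of_conduct": COCO in ent.get("http://macedir.org/entity-category", set()),
        "sirtfi": SIRTFI in ent.get("urn:oasis:names:tc:SAML:attribute:assurance-certification", set()),
    }
```

Anything the service needs but that shows up in `missing_attributes` is invisible to the Identity Provider's release policy, which is the gap the letter objects to when a post-login registration form collects it instead.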
