[Fim4l] FW: [lis-e-resources] IP authentication - to switch off or not to switch off

Peter Gietz peter.gietz at daasi.de
Fri Mar 29 17:01:36 CET 2019 


Am 27.03.2019 um 16:37 schrieb Raoul Teeuwen:
>
> I guess the below post is interesting for people on this list as well.
>
Very much so. Thanks for posting.
Cheers,
Peter

> Kindest regards,
>
> Raoul
>
> On 27/03/2019, 10:57, "outreach at ra21.simplelists.com 
> <mailto:outreach at ra21.simplelists.com> on behalf of Julia Wallace" 
> <outreach at ra21.simplelists.com <mailto:outreach at ra21.simplelists.com> 
> on behalf of julia at RA21.org <mailto:julia at RA21.org>> wrote:
>
> Hi everyone
>
> Some interesting insights here (assumed mainly / exclusively UK).
>
> Regards, Julia
>
> *From:*An informal open list set up by UKSG - Connecting the 
> Information Community [mailto:LIS-E-RESOURCES at JISCMAIL.AC.UK] *On 
> Behalf Of *Barwick, Marie
> *Sent:* Wednesday, March 27, 2019 9:29 AM
> *To:* LIS-E-RESOURCES at JISCMAIL.AC.UK
> *Subject:* [lis-e-resources] IP authentication - to switch off or not 
> to switch off
>
> Dear all,
>
> **
>
> *Q. “Some years ago we switched off IP access on campus in favour of 
> relying on shibboleth authentication and our proxy server from on and 
> off campus. There is some resistance to this now with some users 
> advising that we are the only University that have done this so I 
> would be very interested to find out if any others have also switched 
> off IP authentication, and any feedback that they have received 
> following this”?*
>
> Many thanks for all of your comments that I received in respect of 
> this questions. Out of 12 institutions that responded, 5 of you did 
> have IP authentication switched on from on-campus but 5 of you 
> (including Warwick) didn’t and a further 2 are in the process of 
> moving away from it. There were also responses from some institutions 
> who did offer IP authentication but were interested in moving away 
> from this.
>
> It has been very useful for us to learn about the different 
> experiences and approaches to authentication and has given us a better 
> view of the landscape of this challenging issue.
>
> As promised, here is a summary of the comments which have been anonymised.
>
> ********************************************************************************************************************************************************************************************
>
> “I’m considering switching off IP access at XXXXXXXXXXXXXX and using 
> OCLC’s hosted EZproxy as the recommended access route and Shibboleth 
> as a back-up option.
>
> Drivers include a more consistent user experience on and off-campus, 
> better security, and another is that I’m involved in a pilot with OCLC 
> for a new analytics service they’re developing for EZproxy. Currently 
> the tool would only provide a snapshot of usage whereas I think the 
> stats would be more useful if they included all”
>
> “We have received similar feedback around complexities of shibboleth 
> authentication for students and academics when working off-campus.
>
> I personally don’t think this is specifically an issue with shibboleth 
> or IP based authentication, but more the varied approach to 
> implementation of sign-in links on different platforms. But this is 
> also compounded by a sharp rise in expectations over the last few 
> years where authentication in the consumer market (Amazon, Google, 
> Twitter etc.) has vastly improved and reduced the need to remember a 
> number of passwords and authentication routes/clicks.
>
> What this means for us and our students is that they see the 100 or so 
> content platforms subscribed to by an institution as essentially the 
> same thing in terms of how routes to access should work (as this is 
> their experience elsewhere), they are provided by a single institution 
> so why wouldn’t access simply work exactly the same across all of them 
> – especially when on-campus SSO is standard.
>
> For the record, we currently have a mixed economy of IP and Shibboleth 
> (preferring wayfless shibb routes wherever possible) but are also 
> likely to be implementing EZ Proxy soon to help reduce some of the 
> friction for off campus access”
>
> “Lack of IP authentication has also been raised as an issue by 
> academic colleagues at XXXXXXXXX. Like others we favour Shibboleth but 
> also use EZproxy. We have a restricted profile that we use for Walk-In 
> users. As well as providing a Consistent experience (although this is 
> vulnerable to the challenge that it is consistently difficult compared 
> with IP authentication) it also allows us to provide access to our 
> network to folk who are not, in strict licensing terms, members of the 
> University (something academic colleagues have also requested)”
>
> “We always favour Shibboleth authentication using WAYFless url’s when 
> possible and have done this for a number of years. For resources that 
> only support IP we use a proxy server.   Our reasoning being that it 
> is easier for the students if the logging in experience is the same 
> both on and off campus (rather than relying on IP when on campus and 
> then having to login when off campus). Recently we have migrated to 
> single sign-on so thinking about it, this probably isn’t the case 
> anymore, with access being seamless in a lot of cases from on campus 
> but requiring a login from off”
>
> “We use PingFederate (SAML) and EZproxy on campus. IP is no longer an 
> option because we have a web filter in operation which obscures our IP 
> range. The latter set up has caused some issues because we have found 
> that, if we go direct to a site, we are sometimes recognised as 
> another organisation using the same web filter. They have presumably 
> provided the eresource supplier with the shared web filter IP range”
>
> “Same here. We use a range of authentication but obviously Shibboleth 
> is more secure than IP and we are trying to move that way. It’s hard 
> to do it with everything though so would be really interested to hear 
> others experiences”
>
> “We do not do this – we have access via a mixture of Shibboleth, IP 
> and EZproxy – but I would be very interested to hear the responses to 
> this thread, if you were able to collate and share with the group”
>
> “Here at XXXXXXXXX we don’t IP authenticate to any resources, 
> preferring to use Shib or EZProxy. Both of these methods work pretty 
> seamlessly for us and to my knowledge we’ve not had any complaints 
> about not using IP. Given the increasing occurrence of 
> reported/detected eResource misuse (whether intentional or deliberate) 
> I’d prefer we have definite user accountability to be able to deal 
> with such instances when they occur. (It not that this is prolific, 
> but we get maybe one every month or so that we need to investigate)”
>
> “We are in the process of doing the same,  wherever possible, we don’t 
> have a proxy server so some, although not much IP recognition will 
> remain.  We are linking WAYFlessly where we can and are discovering, 
> in the process, that WAYFless linking via the Alma link resolver is 
> not quite as developed as the literature would indicate, including for 
> some fairly big suppliers such as Emerald and JSTOR”
>
> “I would not choose to do so although I can see the benefit it might 
> bring in monitoring usage by department and so on. We have integrated 
> Shibboleth into our single sign-on system including EZproxy. However, 
> we know that more than half the users access content via internet 
> search engines. Many users do not know about Shibboleth, even if they 
> are shown it as an access option at the beginning of their studies / 
> during information literacy sessions. The lack of uniformity in the 
> signing on process is another concern. Also some publishers still do 
> not offer federated access. It is useful to offer redundancy in access 
> including via anonymous IP authentication or a VPN client without the 
> need for extra clicks. Otherwise overall usage is impacted adversely”
>
> “I’d be very interested to see what other institutions do. We’re also 
> on IP, EZproxy and Shibboleth at the moment. Would Shibboleth-only 
> authentication present problems for walk-in users for instance?”
>
> Best wishes,
>
> Marie
>
> *Marie Barwick  | Resources Manager (Serials e-Resources and Digital 
> Access) *
>
> Resource Acquisitions and Digital  Access  |  Library | University of 
> Warwick <http://www2.warwick.ac.uk/>
> m.s.barwick at warwick.ac.uk <mailto:m.s.barwick at warwick.ac.uk>  | 
> External: 02476 573011 |  Internal:73011
>
> The Library  | University of Warwick | Coventry  |  CV4 7AL  | Find us 
> on the interactive map 
> <http://www2.warwick.ac.uk/about/visiting/maps/interactive/>
>
> lis-e-resources is a UKSG list - http://www.uksg.org UKSG groups also 
> available on Facebook and LinkedIn Follow us on Twitter: 
> https://twitter.com/UKSG
>
> To unsubscribe from this list please go to 
> http://www.simplelists.com/confirm.php?u=5BIgC6Wynh2gSnqJeLuIcsPlyXSwYNLx
>
>
>
> _______________________________________________
> FIM4L mailing list
> FIM4L at lists.daasi.de
> http://lists.daasi.de/listinfo/fim4l

-- 

Peter Gietz, CEO

DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany

phone: +49 7071 407109-0
fax:   +49 7071 407109-9
email: peter.gietz at daasi.de
web:   www.daasi.de

Sitz der Gesellschaft: Tübingen
Registergericht: Amtsgericht Stuttgart, HRB 382175
Geschäftsleitung: Peter Gietz

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.daasi.de/pipermail/fim4l/attachments/20190329/86b77e6b/attachment.html>

More information about the FIM4L mailing list