[Fim4l] Reasonable length of SP's session

Bernd Oberknapp bo at ub.uni-freiburg.de
Thu Feb 27 11:32:08 CET 2020

On 26.02.20 13:28, Koren, Meshna (ELS-AMS) wrote:

> We know what the risk for Elsevier would have been if we allowed a user to be remembered, and clearly we'd need to be able to manage mass download. I was more wondering whether allowing the user to be remembered for an extended period of time would in some way be inconvenient to the IdPs/institutions. Would we be breaking some unwritten FIM rules by remembering a user for 3 months (this is just an arbitrary length)?

I don't think this would break unwritten rules, but this could cause 
problems. One issue could be that users only allowed to access the 
licensed content as walk-in-patrons could get access from everywhere by 
simply visiting the library every 3 months - another issue you would 
have to address in license contracts (not just new license contracts but 
all existing ones...). Another issue could be users affiliated with 
multiple institutions, they would need an option to "be forgotten" (or 
you would have to allow multiple simultaneous logins as SpringerLink 
does). I think such a remember me feature also could make things more 
complex for the library help desk. As already mentioned this would add 
usage from users no longer affiliated with the institution which might 
have unwanted effects.

>> From the IdP perspective that would mean that users that have signed in to IdP every day would then sign in every 3 months. It would also mean that a user that is disabled through IdP (because they leave the institution) can still access institutional subscriptions for another 3 months.
> Does anyone keep track of that? Does anyone care? Is a daily control of usage expected/desired by anyone? Is there some other reason that we should keep a user signed in for 3 months?

We keep track of how many authentications occur for SPs, but we don't 
use that information for any evaluations. Of course we are not allowed 
to keep track of how often individual users authenticate.

Note that the ScienceDirect SP currently is in the DFN-AAI Advanced 
which requires user information to be updated within two weeks. Some 
institutions that are not able to meet this requirement might question 
why Elsevier requires the Advanced level when users can access 
ScienceDirect for several months after leaving the institution via the 
remember me feature.

Best regards,

Bernd Oberknapp
Gesamtleitung ReDI

Albert-Ludwigs-Universität Freiburg
Platz der Universität 2 | Postfach 1629
D-79098 Freiburg        | D-79016 Freiburg

Telefon:  +49 761 203-3852
Telefax:  +49 761 203-3987
E-Mail:   bo at ub.uni-freiburg.de
Internet: www.ub.uni-freiburg.de
