[Fim4l] Fwd: Clarifications About the SeamlessAccess.org Service

Jos Westerbeke jos.westerbeke at eur.nl
Mon Jan 27 10:14:37 CET 2020


Hi Heather,

Thank you for sharing this.

I would just like to say that I appreciate the voice of this letter, which shared the concerns of the SeamlessAccess committee about letting library patrons gain access as anonymously as possible.

If we are able to get this principle of ‘anonymous authentication’ to work, I think it would be beneficial even far beyond the library community.

And yes, it should be possible/optional for the user to share more information for better UX, profiling, etc.

best,
Jos

On 23-01-20 16:28, FIM4L on behalf of Heather Flanagan <fim4l-bounces at lists.daasi.de<mailto:fim4l-bounces at lists.daasi.de> on behalf of hlf at sphericalcowconsulting.com<mailto:hlf at sphericalcowconsulting.com>> wrote:

Hello FIM4L,

You might be interested in a letter I sent recently to Service Providers who are somewhere on the path to using the Advanced Integration model with SeamlessAccess.  Questions are always welcome!

-Heather

Begin forwarded message:

From: Heather Flanagan <heather at seamlessaccess.org<mailto:heather at seamlessaccess.org>>
Subject: Clarifications About the SeamlessAccess.org<http://SeamlessAccess.org> Service
Date: January 13, 2020 at 9:49:23 AM PST
To: Laura Paglione <laura at seamlessaccess.org<mailto:laura at seamlessaccess.org>>

Hello SeamlessAccess integrators, past, present, and future,

Following feedback before and during the Internet2 Technology Exchange<https://meetings.internet2.edu/2019-technology-exchange/>, the Seamless Access program is reviewing the permissible use of the stored Identity Provider (IdP) preference information when using some of the SeamlessAccess.org<http://seamlessaccess.org/> integration models (see our “Getting Started<https://seamlessaccess.org/get-started/>” page for more information about the different integration models).

What we realized is that in its current form, authorized Service Providers (SPs) using the advanced integration model<https://seamlessaccess.org/get-started/> may be able to access stored IdP choices before a user logs into that SP’s service. When a website authorized to use SeamlessAccess connects their Federated Identity Management (FIM) service, the website can see the user’s previous choice of IdP before any user authentication occurs. This design choice was originally made to enable full flexibility of the user interface for advanced integrators, for example, to display the preferred IdP in the interface. Further, integrators using the limited and standard integration models are unable to access stored IdP choices.

We now understand that the current situation has some privacy implications that take the service beyond what SeamlessAccess has been promising. For example, a SeamlessAccess-authorized SP could potentially collect information about exactly which IdPs are preferred by the user (which is often correlated to a person’s affiliation) without the user being aware. While the persisted choice of IdP is not considered personally identifiable information (see the WAYF Cloud and P3W Security & Privacy Recommendations<https://ra21.org/index.php/results/ra21-security-privacy-final-report/> from RA21 for more detail), the exposure of any information outside of what matches a more traditional authentication flow runs counter to the principles of SeamlessAccess.

The SeamlessAccess Governance Committee is currently evaluating several options to remediate this unintended possibility, including, but not limited to:

  *   Changes to the advanced integration API which make it impossible to access the stored IdP choices while still allowing the UI customization and integration with local discovery services for which this model was originally intended.

  *   A UI mechanism to allow users to grant permission to SPs to access their stored IdP preference information.

  *   Clear prohibition in the Terms of Use of SeamlessAccess of utilization of stored preference information in any way that is not intended.

In order to become an authorized SP for the advanced integration model using our production service, the SP has to follow a process that includes a review of their proposed integration with SeamlessAccess. The SeamlessAccess governance committee is currently working with appropriate legal counsel to develop a strong Terms of Service and Privacy Statements that will be part of authorizing any new SP. A link to the onboarding process and appropriate policies will be made available on the SeamlessAccess website as soon as they are complete.

As we have more information and documentation on how to integrate with SeamlessAccess, we will let you know.


Heather Flanagan, Program Director, SeamlessAccess.org<http://seamlessaccess.org/>
