[Fim4l] Fwd: InCites additional registration flow

[Davide Vaghetti]

Hi,

We've finally sent the mail and we'll let you of any follow up.

Thanks everyone for the contributes,
Davide & Jiri


-------- Forwarded Message --------
Subject: InCites additional registration flow
Date: Wed, 11 Nov 2020 15:25:54 +0100
From: Davide Vaghetti <davide.vaghetti at garr.it>
To: josef.jilek at clarivate.com, eniko.szasz at clarivate.com,
heidi.muller at clarivate.com, science.shibbolethsupport at clarivate.com
CC: Jiri Pavlik <jpavlik at cesnet.cz>

Dear Clarivate representatives,

prompted by some users in Italy, we have found that Clarivate's InCites
introduced a registration flow after a successful institutional login.
Users are compelled to register an email address and to set an
additional password in order to access to InCites.

This is breaking the trust model at the base of the federated
authentication and attributes releasing. The attributes needed to
provide access to the service should be listed in the metadata and not
requested in a separate flow that is unseen by the Home Organization
Identity Provider and the Identity Federation.

We kindly ask you to eliminate the registration flow and we suggest you
follow the below recommendations that have been developed by FIM4L
working group [1], which is composed by Librarians, Publishers and
Identity Specialists from the Research and Education Identity Federation
environment:

- Don't ask users to create a new account after they have been
authenticated by their institution. Link user institutional identity to
InCites user account.
- List all the required attributes in InCites SP metadata published to
eduGAIN (for example eduPersonScopedAffiliation, eduPersonEntitlement,
Pairwise Subject Identifier).
- Implement a Seamless Access [2] sign in button and WAYF.
- Declare compliance with the GÉANT Data Protection Code of Conduct [3]
in InCites SP metadata in eduGAIN.
- Declare compliance with the assertions of the REFEDS Sirtfi framework
[4] in InCites SP metadata in eduGAIN.

A great additional benefit in following FIM4L recommendations is that
you can leverage the SeamlessAccess.org free discovery service and
standardised sign in button developed in collaboration with NISO and
International Association of STM Publishers.


Kind regards,

Davide Vaghetti (IDEM GARR AAI) and Jiri Pavlik (eduID.cz) on behalf of
FIM4L


[1] https://www.fim4l.org/?page_id=257
[2] https://seamlessaccess.org/
[3] https://wiki.geant.org/display/eduGAIN/Recipe+for+a+Service+Provider
[4] https://refeds.org/sirtfi

-- 
Davide Vaghetti
Consortium GARR
Tel: +390502213158
Mobile: +393357779542
Skype: daserzw