Griffey and Withers "Seamless Access Update: What’s happening in the world of authentication to resources?"

BaltimoreNISO 105 views 55 slides Jul 12, 2024

About This Presentation

This presentation was provided by Jason Griffey of NISO and Justine Withers of Western New Mexico University to inform participants about the progress made with the Seamless Access Initiative, during the ALA Annual Conference. The session was held July 1, 2024.


Slide Content

SeamlessAccess Update
What’s happening in the world of authentication to resources?
Jason Griffey
Director of Strategic Initiatives, NISO
Justine Withers
Electronic Resources Librarian, Miller Library, Western New Mexico University

[ 2 ]
Topics for Today
•What’s up with SeamlessAccess?
•About Tracking
•Timing and Browser Development Activities
•Next Steps

SeamlessAccess
What’s New?

SeamlessAccess Integrators in Production
Advanced
●AIAA
●American Institute of Physics
●American Chemical Society
●Bone & Joint
●British Online Archives
●Cambridge UP - Higher Ed + Core
●De Gruyter
●Elsevier - ScienceDirect
●Emerald
●IEEE
●KweliTV
●Mark Allen Group
●Sage Publishing
●Springer Nature - Nature.com
●Taylor & Francis Online
●Wiley Online Library
Standard
●IOP Publishing
●REFEDS Metadata Explorer Tool
●SAFIRE Test Service Provider
●SUNET
●The HistoryMakers
●Wolters Kluwer

https://seamlessaccess.org/datadashboard/


LEARNING ABOUT TRACKING

[ 8 ]

Non-transparent, uncontrollable tracking
of users across the web needs to be
addressed and prevented.

[ 9 ]
Libraries and Publishing Are Important, But
The experience and
lead driver of the
browser vendors is in
the consumer web.

[ 10 ]
Regulation Trumps Standardization
Browser vendors are
being held
accountable for
tracking.
They will implement
tech that breaks
things in order to
avoid legal action.

[ 11 ]
Browsers vs Browser Engines
•Browsers = Chrome, Firefox, Safari, Edge, Brave
•Browser engines = Blink (aka, Chromium), Gecko, WebKit
•Functionality is based on the browser engine more than the
browser
•ALL browsers on iOS and iPadOS are actually built on WebKit;
WebKit does not support third-party cookies
•Edge and Chrome are built on Blink; they will show much the
same behaviors when it comes to features

This matters when you start troubleshooting why someone can’t get to a website or service

[ 12 ]
How Does Tracking Happen
•Third-Party Cookies
•IP Addresses
•Browser Fingerprinting
•Link Decoration
•Bounce Tracking

[ 13 ]
Cookies
HTTP cookies (also called web cookies, Internet cookies, browser
cookies, or simply cookies) are small blocks of data created by a
web server while a user is browsing a website and placed on the
user's computer or other device by the user’s web browser.

•First-Party Cookies
•Accessible only by the domain that created it

•Third-Party Cookies
•Accessible to any site at any domain

[ 14 ]
IP Addresses
Used to identify machines and/or services

•Tracking mitigations for Browser Fingerprinting often impact IP address
information
•Often used to make authorization decisions in:
•Libraries
•Enterprise Resource Planning (ERP) systems

[ 15 ]
Browser Fingerprinting
Information collected about the software and hardware of a remote
computing device for the purpose of identification

Includes capture of information such as
•Browser used
•Fonts used
•Add-ons used
•Browser security configuration
•IP address
•…

[ 16 ]
Link Decoration
A method of adding extra information to the URL. Also known
as “navigation-based tracking”

Used for:
•Query strings
•Some authentication tokens (i.e., “Front-channel”)
•Tracking information




https://2023alaannual.eventscribe.net/myplan.asp?mode=sessions&afp=MkMxMTc3MTo2MTUyNjc2MDpNc1N1SDVYYg

[ 17 ]
Bounce Tracking
Used by trackers to get around third-party limitations, also
known as redirect tracking

●Website A sends the browser to the tracker to get a
first-party cookie.
○The tracker then sends the browser on to the user's
destination with additional information stored in the
browser that will allow the tracker to ’follow’ the user
around the web.
●The end-user does not see this transition; they only see
Website A and then the destination page.

[ 18 ]
Many applications and services need
to work through the browser to
support SSO/federated login (and
other library services), and yet these
and tracking tools use the same
features and are indistinguishable from
the browser’s perspective.
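
The point above as an added example (not part of the original slides): a simplified bounce-tracking heuristic in JavaScript, run over three constructed redirect chains. The hostnames, the hop format and the heuristic itself are assumptions for illustration; it flags a silent federated-login redirect exactly as it flags the tracker.

```javascript
// Added illustration; hostnames and the hop format are constructed, and the
// heuristic is a simplification, not any browser's actual implementation.

// Each hop: the site visited, whether it wrote cookies/storage, and whether
// the user interacted with the page (clicked, typed) before being sent on.
const hop = (site, wroteStorage, userInteracted) =>
  ({ site, wroteStorage, userInteracted });

// Bounce tracking as on the slide: Website A -> tracker -> destination.
const trackerChain = [
  hop("website-a.example", false, true),
  hop("tracker.example", true, false),
  hop("destination.example", false, true),
];

// Federated login where the user already has a session at the IdP, so the
// IdP refreshes its cookie and redirects back without showing a page.
const ssoSilentChain = [
  hop("publisher.example", false, true),
  hop("idp.college.example", true, false),
  hop("publisher.example", true, true),
];

// Federated login where the user types credentials at the IdP.
const ssoInteractiveChain = [
  hop("publisher.example", false, true),
  hop("idp.college.example", true, true),
  hop("publisher.example", true, true),
];

// Flag intermediate hops on a site other than the final destination that
// wrote state and passed the user on without any interaction.
function findBounceHops(chain) {
  const destination = chain[chain.length - 1].site;
  return chain
    .slice(1, -1)
    .filter((h) => h.site !== destination)
    .filter((h) => h.wroteStorage && !h.userInteracted)
    .map((h) => h.site);
}

for (const [name, chain] of Object.entries({
  trackerChain, ssoSilentChain, ssoInteractiveChain,
})) {
  console.log(name, "->", findBounceHops(chain));
}
```

Only the chain in which the user interacts with the IdP page escapes the flag; the silent single sign-on redirect and the tracker bounce produce the same result.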

[ 19 ]
It’s About More Than Just Authentication
Sites use features like cookies for more than
just authentication and authorization

•Storing user preferences
•Session information across frames
•Demographic info for targeted advertising / content

THINGS TO KNOW

[ 21 ]
Implications to Remember
•Authentication that uses SAML will continue to work as designed for at
least the next 1-3 years.
•(except, the ability to globally log out of all SAML sessions)
•WAYF IdP Discovery services will continue to work.
•(previous organizations will likely be forgotten (e.g.,
SeamlessAccess))
•Services that share information between third-parties in frames (e.g.,
Teams, ILS/LMS) will have mixed results.
•Other features that enable tracking (IP addresses, browser fingerprinting)
are already breaking, depending on which browser is being used.
•WAYFless linking (link decoration) may be affected depending on
implementation.

[ 22 ]
Timelines
•Apple’s timeline:
•n/a (Apple started blocking third-party cookies by default in 2017
as part of Intelligent Tracking Protection)
•With Safari 17, they are also removing known link decoration
trackers in Private Browsing Mode.
•Mozilla’s timeline:
•n/a (Mozilla also blocks third-party cookies by default as of June
2022 with Total Cookie Protection)
•Google’s timeline:
•https://privacysandbox.com/timeline
“We envision proceeding with third-party cookie deprecation starting early
2025, subject to resolving any remaining concerns with the CMA.”

[ 25 ]
What is happening Right Now?
•Seamless Access developers are meeting regularly with
browser vendors
○Other library vendors are in that group as well

•Discussions w/ Mozilla, Google re: creating a test
environment

•FedID Working Group is now in place

[ 26 ]
https://www.w3.org/2024/03/wg-fedid-charter.html

[ 27 ]
Want to Learn More?
To be a part of developing the solution (or at least lurk and learn)

•Federated Identity Community Group
•https://www.w3.org/community/fed-id/

•Private Advertising Technology Community Group
•https://www.w3.org/community/patcg/

•REFEDS Browser Changes and Federation WG
•https://wiki.refeds.org/display/GROUPS/Browser+Changes+
and+Federation

[ 28 ]
Q&A

February 2025

http://niso.plus

How does Federated
Authentication with
Seamless Access work?

A brief refresher on Federated Authentication
Amy, Bob

Bob’s Book Booth (#liblynxconnect)
Amy: I’d like a book please
Bob: Sure! Are you from a subscribing institution?
Amy: Yes, I’m a student at ABC College
ABC College: Call Carol at XXXXX
Bob: Is this a student from ABC College?
Carol: Please pass the phone to Amy
Carol confirms Amy’s identity with her
Carol: I can confirm she’s one of our students
Bob: Can you confirm her name?
Carol: Sorry, that’s not our policy
Bob: No problem, thanks Carol!
Here’s a badge so other booths don’t need to ask the name of your college

[Diagram labels: Amy; Bob; Carol; Service Provider; Identity Provider; Federation (InCommon, UK Access Mgt Federation)]

So.. what does that look like?
SeamlessAccess button with
generic “Access through
your institution” text
●Example: IOP Publishing
●User has not used SA before

Button → IdP discovery → Authentication

Next time, the user is remembered
●Example: IOP Publishing
●User has used SA before →
persistence function remembers
their choice

SeamlessAccess button with
name of the user’s institute

Button → Authentication

Persistence works across integrators,
leading to a network effect