Editor’s Note: Today’s post is by Emily Singley. Emily is Head of Library Systems at Boston College, and has previously held technology positions at Harvard University, Southern New Hampshire University, Curry College, and the University of Minnesota. She serves on the SeamlessAccess Outreach Committee, and her primary research interest is in how users access Library resources. (Full disclosure: Emily serves as a volunteer on the Communications Committee for SeamlessAccess).
On our highly residential campus, IP access works well. Or at least, it used to.
When the pandemic hit and all the students went home, we began to see e-resource usage decline. We suspect that our users, not understanding how off-campus library access works, simply gave up.
At Boston College, the majority of e-resource users navigate straight to publisher platforms, completely bypassing the library website’s proxied links. Like most academic libraries, we license resources based on campus IP range: if you’re on the campus network, you get through. Criticism of IP authentication is nothing new, and there is no lack of evidence of the user frustration it causes, but COVID-19 has sharpened the need to take action. At Boston College, we are turning to SAML-based federated access for a solution.
Why federated access? Because during the pandemic the one major vendor we’d set up that way — Elsevier — saw usage go up, not down. This came as a complete surprise: previously, almost all our Elsevier access had been coming through IP, with only a tiny percentage through federated. But once the students went off campus, federated access rose sharply. It seemed our now off-campus users understood federated access better than IP. We knew it was time for a change.
What is federated access?
While a detailed explanation of SAML-based federated access is beyond the scope of this post (for that, I recommend SeamlessAccess.org’s short video as well as Aaron Tay’s excellent overview), here are three things you should know:
- Authorization is handled by the institution’s identity provider (IdP), meaning access is determined by a user’s actual institutional affiliation, not whether they are on the campus network.
- Many institutions that use SAML also leverage single sign-on (SSO), allowing credentials to persist across campus services. This means that users who are already logged into common services like email, the learning management system, or even the library catalog won’t need to log in again to access e-resources.
- Federated access underpins the SeamlessAccess service, meaning that for providers that adopt it, sign-on can persist across publisher platforms, allowing users to navigate seamlessly between databases.
Implementing federated access at Boston College
Spurred by the reality of a global pandemic, my library spent the summer implementing federated access. By mid-July, we had over 200 providers — including all major publishing platforms, university presses, aggregators, and individual journal titles — accessible via federated connections. Now, as we begin the Fall term, we are better able to support both on-campus and online learners. Our implementation was not without some challenges, however, including:
Maintaining access for all resource providers
We do business with almost 600 e-resource providers, but only around 200, or one third, currently support federated access. So how to maintain access to all our resources, without having to run multiple authentication systems? We chose to use a hosted solution (OpenAthens) to manage all our federated and IP connections in one place. Similar solutions (e.g., LibLynx) are also available.
Working with IT
Federated access requires a SAML authentication infrastructure as well as membership in an identity federation — two things that are normally controlled by IT, not the library. At Boston College we were fortunate: our campus already had a SAML-based authentication infrastructure (Shibboleth) in place, and had already joined the InCommon identity federation.
But our central IT wasn’t staffed to set up and maintain hundreds of library resource connections. If we added over 200 new providers to Shibboleth, the library would represent a significant proportion of the total SAML connections on our campus. I found this surprising, but it probably shouldn’t have been — this is a tangible demonstration of how libraries really are at the center of the scholarly infrastructure. Luckily, because we were outsourcing the resource provider connections through OpenAthens (supported by EBSCO), our IT staff only needed to set up one Shibboleth connection.
Protecting user privacy
Before we could expand federated access to more resource providers, we knew we had to address privacy concerns. One good thing about IP authentication is that it preserves privacy: only the user’s institutional IP address (or, if the user is off-campus, the proxy server IP) is passed to the provider, thus limiting the ability to identify users individually. With federated access, it is possible to pass more information, including name, email address, and other identifiable attributes — Lisa Hinchliffe, as always, provides a good discussion of these pitfalls. But when federated access is implemented correctly, it is equally possible to preserve privacy.
We were able to preserve privacy — releasing only anonymous, non-identifiable attributes to resource providers — through close communication with the IT staff who manage our campus IdP. This is perhaps the trickiest thing about federated access: while the exchange of personal information is entirely controlled by your IdP (and that is good), librarians are often not consulted. Anecdotally, I’ve heard from e-resource providers that they see all sorts of scary personal information being inadvertently released by campus IdPs. As I’ve pointed out previously, implementing federated access requires librarians, as privacy advocates, to begin to build strong partnerships with their campus identity groups.
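One way a library and its identity team could verify what the IdP actually releases to a provider is shown below. This is an added example, not from the original post or from Boston College's configuration: a Python check that reads a decoded SAML assertion and sorts each released attribute into allowed, identifying, or unreviewed. The allowlist policy, the function name `audit_release`, and the sample assertion are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed policy: affiliation, entitlement and a per-provider pseudonym may be released.
ALLOWED = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
}
# Attributes that identify a person directly.
IDENTIFYING = {
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
}

def audit_release(assertion_xml):
    """Sort every released attribute into ok / identifying / unreviewed."""
    root = ET.fromstring(assertion_xml)
    report = {"ok": [], "identifying": [], "unreviewed": []}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if name in ALLOWED:
            report["ok"].append(ALLOWED[name])
        elif name in IDENTIFYING:
            report["identifying"].append(IDENTIFYING[name])
        else:  # anything not reviewed is surfaced, never silently accepted
            report["unreviewed"].append(name)
    # The subject identifier can leak identity too, e.g. an e-mail-format NameID.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.get("Format", "").endswith(":emailAddress"):
        report["identifying"].append("NameID(emailAddress)")
    return report

# Constructed sample: a decoded assertion from a hypothetical IdP test login.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a1b2c3</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"><saml:AttributeValue>student@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"><saml:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:example:studentId"><saml:AttributeValue>0001234</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for bucket, names in audit_release(SAMPLE).items():
        print(f"{bucket}: {names}")
```

The check reads attribute names only and does not validate the assertion's signature; it is meant for reviewing a test login per provider, not for making access decisions.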
Looking ahead — getting to seamless access
Going forward, my library is prioritizing resource access that works regardless of whether users are on or off campus. Over the next several years, our selection process will be preferential toward federated providers, and we will be encouraging those who don’t yet have a federated option to consider one. I’m old enough to remember having similar conversations with providers back when we were trying to get them all to adopt EZProxy: now we need our providers to upgrade once again.
We will also encourage providers to adopt the SeamlessAccess service: on too many platforms, users still have difficulty figuring out how to use their institutional credentials. A consistent, recognizable user experience that persists across provider platforms will greatly improve the usefulness of federated access, and bring it closer to being a true replacement for IP authentication.
Why federated access matters — facilitating the scholarly conversation
By adopting federated access, my library has accepted the reality that, despite our best efforts to teach them otherwise, researchers don’t start at the library. Even before the pandemic, we saw evidence of users bypassing traditional library access pathways: in one study, we found students starting from all over the digital world — they tracked citation trails in online journals, clicked on links shared by friends, and followed threads on social media. They followed the scholarly conversation wherever it led them, dipping in and out of the library along the way.
Every morning, over my coffee, I engage in my own little scholarly conversation as I scan through article alerts on my phone. And I run into the same frustrations described in Michael Clarke’s step-by-step user journey: I have to figure out how to get to the articles by finding special library links that contain a magical prefix that re-writes URLs so that I look like I’m on an IP range that I’m not actually on. Isn’t that kind of insane, when you stop and think about it?
This same user journey gets much simpler with federated access:
- You get an article alert on your phone and click the link
- You’re able to sign into the publisher website with your institutional credentials (bonus if the publisher participates in SeamlessAccess)
- You read the article
Wouldn’t it be great if access could work this way for all library subscription resources? And isn’t it high time for libraries — and publishers — to begin to facilitate, rather than interrupt, the scholarly conversation?
At my library, it took a pandemic before we learned that IP authentication doesn’t really support the way our users want to work. And this year we made a small start toward improving the user experience by implementing federated access, if only for a fraction of our resources. There is more work to be done, but we can’t do it alone: it’s going to take all of us — libraries, publishers, and IT. Libraries need to be privacy advocates, publishers need to adopt federated access, and IT needs to collaborate with libraries. We still have a long way to go before we achieve truly seamless access, but by working together, I’m convinced we can get there.