This article is brought to you by: 

What does it take to run an access management federation?

As digital resources have become the standard for accessing many types of information, access management federations have emerged as a crucial part of the knowledge economy. Identity Providers (IdPs) such as universities or corporations, and Service Providers (SPs) such as publishers, rely on federations to connect individual users within an organisation to the digital resources they hold subscriptions for.

Federated access means users can make use of a wide range of resources by logging in just once – either through their organisational account via single sign-on (SSO), or via a prompt when attempting to access subscribed resources. Because users have only one username and password to remember, they’re less likely to forgot it or write it down, which increases security and reduces the administrative burden of managing multiple user credentials. However, as Shibboleth and its underlying SAML technology are open source, there are a variety of ways they can be implemented – meaning a wide range of access pathways users can experience.

The access management federation

In the broadest sense, the role of an access management federation (AMF) is based on trust: it provides a series of common understandings between IdPs and SPs that enable them to trust the information they send between one another, and establish protocols to ensure that the minimum amount of personal data is exchanged and in a secure and consistent way. Thanks to these policies, an AMF also helps keep user details secure. Users’ personal information is stored by their Identity Provider, with only relevant attributes exchanged with SPs – minimizing the chances for data breaches or the theft of personal information.

Naturally, this streamlined access hides the many ‘moving parts’ that are at work beneath the surface. Maintaining a federation is complex: an AMF provides a technical infrastructure that brings in information from many different sources as well as ensuring standards are documented and adhered to, that systems remain accessible, and that records are kept in sync between IdPs and SPs.

 

 

How the federation team works

Maintaining an AMF is an ongoing commitment. Changes in data protection legislation, how users access information, new data standards, alterations to how SP systems are configured, and resolving issues in the communication of data between IdPs and SPs all require a team of dedicated managers, developers, designers and customer service staff to keep the data flowing.

We work with other access management federations world-wide on international technical standards and best practice around the exchange of user information. This ensures our products and services interoperate with other national federations, whether participating as an identity provider or service provider. The OpenAthens Federation development team also keeps abreast of larger initiatives: for example, OpenID Connect was borne out of the need to enable easier systems integration.

Due to the importance of online information resources to business, healthcare, and study, it’s vital for technical issues to be resolved as quickly as possible – and, indeed, prevented wherever possible. In addition to responding to help requests from IdPs and SPs, the OpenAthens Federation continually checks security certificates and conducts regular penetration tests to keep the infrastructure as secure as possible against cyberattacks. Information flows between IdPs and SPs are encrypted and exchanged in the cloud, adding a further layer of security to our ISO27001-compliant service.

The benefits of federation membership

Membership of an AMF helps IdPs keep their users’ details secure, and makes access to online resources and services easier, as users don’t need to remember multiple usernames and passwords. At the same time, SPs can rest assured that users’ identities are managed and confirmed by their home organisation, and that usage is in line with subscription agreements. AMF membership also provides both IdPs and SPs with frequent enhancements to reporting, options for fine-grained access management, and more – while keeping the technical infrastructure updated to embrace new hardware and software as user preferences for accessing information change.

What makes OpenAthens Federation different

Most access management federations are designed and operated for the academic and research community of a specific nation. The OpenAthens Federation differs in that membership is open to any IdP that wishes to provide access to resources offered by SPs to their user community. This means that organisations in fields as diverse as healthcare, pharmaceutical research and development, commercial companies, defence, and government organisations can benefit from the same tried-and-tested access pathways enjoyed by the academic sector. At the same time, it enables publishers and other SPs to realise a greater return on investment on their access control systems by offering the same login processes to a wider range of organisations. The OpenAthens Federation also operates across national boundaries in its capacity as the only international access management federation in the world – bringing more than 20 years of expertise in federated access to millions of users around the globe.

Membership to the OpenAthens Federation is open to all Identity Providers and Service Providers, wherever they are in the world. Contact our team to find out how it can benefit your users and customers.

www.openathens.org

Jon Bentley