Historically, librarians and information managers have used IP authentication as a method of authenticating users' access to content. There are many discussions and initiatives, such as RA21, that encourage institutions to move away from IP authentication. One of the primary drivers behind this is the issue of security.
IP Access vs. SAML
Looking at the differences between SAML and IP provides insight into why IP is not the most secure method of authentication. Security Assertion Markup Language (SAML) is an open standard designed to aid secure single sign-on. SAML authentication works by passing selective information about an individual to service providers from their identity provider — without giving out the user's credentials.
IP access is location-based, which makes it difficult to manage the secure access that resource licenses require, whether from a computer in the library or from individuals' devices on the campus network. When a user accesses a resource via IP, the service provider or publisher only knows that the request came from that IP address, not who the user is.
Secure by Design
There are many benefits to consider when thinking about moving away from IP towards SAML-based access. Federated single sign-on is built on SAML technology, which is why more institutions are choosing this authentication method.
One Username and Password
SAML-based authentication requires only one set of login credentials for your users to access all their online resources. This decrease in credentials should reduce the number of users writing their passwords on sticky notes or saving them in a text file on their computer, all contributing to a better user experience and a more secure authentication journey. It also makes things easier for the administrator in terms of offering user support.
Sign-in from Anywhere
SAML authentication enables users to sign in from anywhere — not just from your campus or VPN. If users find a subscribed resource via Google Scholar, for example, they can choose the institutional sign-in option and get access.
The Importance of a Good User Experience
IP access may result in a diminished user experience – as users may not be able to access a given resource if they are not on campus or utilizing a VPN. In addition, with IP authentication, even when the user is able to access the resource, the library may not have accurate usage data. In contrast, SAML authentication provides for seamless access to the library’s content from anywhere – ensuring more usage overall as well as accurate usage information.
If a rogue user downloads too much content, the publisher could block the entire IP range, breaking access for the whole subscribing organization. With SAML, however, the publisher sees a pseudonymous identifier for that user, so it can disable just that identifier and report it to the subscribing organization. This avoids disrupting access for everyone else at the organization.
When it comes to security breaches, SAML can send pre-agreed attributes about user accounts to a publisher. The publisher can capture these attributes and use them in logging systems, such as a monitoring system for misuse. The same cannot be said for IP access: publishers only see an IP address, which makes account breaches harder to investigate and contain when using IP authentication.
Protecting User Privacy
SAML can provide personalization for your users without compromising privacy. Personal data such as an email address or name is not required for personalization to work with the publishers that support personalization options. The OpenAthens single sign-on service, for example, can support personalization using a pseudonymous identifier.
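To make the two points above concrete (per-user blocking instead of IP-range blocking, and personalization without releasing personal data), here is an added illustration that is not OpenAthens' own code or algorithm. It assumes a simple HMAC-based scheme for deriving a per-publisher pseudonymous identifier, in the spirit of SAML pairwise identifiers, and a toy publisher that enforces either an IP block list or a pseudonymous-ID block list; all names and values are constructed.

```python
import hmac
import hashlib
from ipaddress import ip_address, ip_network

# Constructed, hypothetical IdP-side secret; a real IdP keeps this stable and secret.
IDP_SALT = b"constructed-idp-salt-not-for-real-use"


def pairwise_id(local_user_id: str, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """Derive a pseudonymous identifier that is stable for one user at one publisher
    but different at every other publisher, so accounts cannot be correlated across
    sites and the publisher never sees the local username or email.
    (Illustrative scheme, assumed here; not the OpenAthens implementation.)"""
    msg = f"{sp_entity_id}!{local_user_id}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()[:32]


def build_assertion(local_user_id: str, sp_entity_id: str, affiliation: str = "member") -> dict:
    """The pre-agreed attributes the IdP releases: pseudonymous ID and affiliation only."""
    return {"pairwise-id": pairwise_id(local_user_id, sp_entity_id),
            "affiliation": affiliation}


class Publisher:
    """Toy service-provider access check comparing IP-based and SAML-based blocking."""

    def __init__(self, entity_id: str):
        self.entity_id = entity_id
        self.blocked_ids: set[str] = set()
        self.blocked_ranges: list = []

    def block_user(self, pseudonymous_id: str) -> None:
        # SAML world: disable one identifier, leave everyone else untouched.
        self.blocked_ids.add(pseudonymous_id)

    def block_ip_range(self, cidr: str) -> None:
        # IP world: the only handle the publisher has is the whole address range.
        self.blocked_ranges.append(ip_network(cidr))

    def allow_saml(self, assertion: dict) -> bool:
        return assertion["pairwise-id"] not in self.blocked_ids

    def allow_ip(self, addr: str) -> bool:
        a = ip_address(addr)
        return not any(a in net for net in self.blocked_ranges)
```

Blocking the rogue user's pairwise ID cuts off only that user, whereas blocking the campus range cuts off every user behind it; the same user also receives a different identifier at a second publisher.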
Work with Your IT Team to Increase Security
Building a strong relationship with internal IT teams can also increase access management security. Good communication between IT and library departments helps ensure library IT projects comply with the institution's required security standards. Also, if your IT security team is on board before you embark on any new project, it is more likely to go smoothly and to protect the security and privacy of your patrons' data.
Our Iowa State University case study demonstrates how a security audit by the University’s IT department prompted the library to move from a proxy-based IP authentication method to OpenAthens. By switching to OpenAthens, the library reduced the risk of security breaches. It also satisfied the IT department’s request that all library users be required to log in, even when they are on campus.
For more about the differences between IP and OpenAthens, watch A Spotlight on Remote Authentication.