
Ted Koppel • The Library Corporation • [email protected]

• Authentication

– Validation of user credentials
– Based on the individual
– Usually a local function

• Authorization

– Validation of the institution’s permissions / contracts
– Almost always a remote function
– More involved with license constraints

• We know the players (next slide) but
• We don’t yet know all of their needs
• We know some of the goals and
• We know of some options to reach those goals but
• Not all options meet all needs. In fact, some are inimical to meeting these needs

HOWEVER

We know what we want to avoid

• Needs access to information / data
• Understands the need to present credentials, ONCE
• Wants his anonymity but also wants his privileges
• Carries attributes (Grad Student in Engineering School) that provide entitlements to certain resources

• Examines and approves/disapproves credentials

• Depends on institutional structure
– Library Borrower Database
– Campus-wide login (university)
– State-supported databases (OPLIN, FindItVa)

• Needs to return a “yes” or “no” and send it upstream

• The entity through which the User derives his entitlements

• May be the same as the Authenticator

• Controls the privileges of individuals and groups

• Various levels:
– Department
– Library
– Campus
– Statewide

• May be the ILS

• May be a Library or Campus-wide Portal

• May be the Authenticator and/or the Licensee

• Has to present authentication screens to users and manage the results and send them upstream

• Often has to handle multiple authentication schemes

• Can handle rudimentary authentication itself if required

• Acts as pass-through for authentication information but

• Must be able to trust the varying sources of authentication that it receives

• Has to ‘translate’ authentication from source to multiple targets

• Wants to sell data, have it used and respected, while

• Restricting access to valuable intellectual property and protecting investment

• Must be able to trust the authentication from all of the downstream sources

• Contradiction:

anonymity versus personalization (the user)

• Contradiction:

wide use and acceptance versus ‘branding’ (database provider)

• Contradiction:

needs of the academic and public library sectors (wanting identity masking) versus commercial information providers (needing billable accountability)

• “Tried and true” mechanisms
– IP address permission
– Referring URL validation
– URL-embedded userid/password
– Vendor-provided script
– Local or SIP2/NCIP password verification

• Limited and arcane

• Shibboleth (or similar)

– Builds on trust relationships between parties

– Allows local authentication by any means

– Transmits the fact of approval and the attributes of the user but

– Preserves personal anonymity through the use of “communities” and “clubs” as the entities that receive privileges

• X509 (or other) digital certificates issued by authenticator

• PAPI = Point of Access to Providers of Information (local authorization, Spain)

• Athens (single sign-on scheme, UK)

• And various others

• Creation of subcommittees to draft mission statements for pre-standards activity

• Develop use cases to understand all aspects of authentication

• Examine and evaluate existing work in authentication

• Determine what approach(es) might be ‘best practices’ or (at worst) develop a new authentication scheme

1. Certifying the user (or organization) from the Authenticator to the Data Provider, by way of the Metasearch provider, in such a way that the messages can be trusted from the source to the destination, so that the services to which the user is entitled can be delivered.
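As an added illustration (not part of the slides), the Shibboleth-style flow above carried through use case 1: the Authenticator emits a signed assertion holding only the fact of approval and the user’s community attributes, the Metasearch provider passes it through, and the Data Provider verifies the trust relationship and maps communities to its license. Hostnames, secrets and the license table are constructed placeholders, and an HMAC over a shared secret stands in for the certificate-based signatures a real deployment would use.

```python
import hashlib
import hmac
import json
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Constructed placeholders: one shared secret per trust relationship between an
# Authenticator and this Data Provider, plus the Data Provider's license table
# mapping "communities" (never individuals) to the resources they may use.
TRUSTED_AUTHENTICATORS = {"campus-login.example.edu": b"shared-secret-A"}
LICENSE = {"journal-archive": {"engineering-grad", "faculty"}}
AUDIENCE = "data-provider.example.com"


def issue_assertion(issuer, secret, communities, audience=AUDIENCE, ttl=300, now=None):
    """Authenticator side: after local authentication by any means, emit the fact
    of approval plus group attributes only; no user identifier is included."""
    now = int(time.time() if now is None else now)
    body = {"iss": issuer, "aud": audience, "communities": sorted(communities),
            "exp": now + ttl}
    payload = urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def forward(assertion):
    """Metasearch provider side: a pure pass-through. Any edit to the payload
    invalidates the tag, so the intermediary need not be trusted with the user's
    identity, and it never sees one."""
    return assertion


def authorize(assertion, resource, now=None):
    """Data Provider side: accept only assertions from a trusted Authenticator that
    are addressed to us and unexpired, then map communities to the license."""
    try:
        payload, tag = assertion.split(".")
        body = json.loads(urlsafe_b64decode(payload))
        secret = TRUSTED_AUTHENTICATORS[body["iss"]]   # unknown issuer -> KeyError
        if body["aud"] != AUDIENCE:                    # not meant for this provider
            return False
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), tag.encode()):  # constant time
            return False
        if body["exp"] <= (time.time() if now is None else now):
            return False
        return bool(LICENSE.get(resource, set()) & set(body["communities"]))
    except (KeyError, TypeError, ValueError):
        return False   # malformed, untrusted issuer, or missing/ill-typed fields
```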

• Authentication to Licensed Resources (JSTOR)
  http://uk.jstor.org/about/authentication.html
  (discusses JSTOR’s approaches to authentication)

• Access Management for Networked Information Resources, by Clifford Lynch
  http://www.educause.edu/ir/library/html/cem9842.html
  (overview article)

• Authorization/Authentication for Patron Remote Access to Electronic Resources (PowerPoint by Kerry Bouchard)
  http://libnt2.lib.tcu.edu/staff/bouchard/ugc2000/remoteaccess/sld001.htm
  (useful visual introduction to issues relating to authorization)

• A White Paper on Authentication and Access Management Issues in Cross-organizational Use of Networked Information Resources, Clifford Lynch, editor ([email protected])
  http://www.cni.org/projects/authentication/authentication-wp.html

Ted Koppel
The Library Corporation
[email protected]