NISO RP-11-2011 ESPReSSO Establishing Suggested Practices Regarding Single Sign-On.pdf

Uploaded by: sumcourage256 Document ID: 1008896 Upload date: 2019-03-19 Format: PDF Pages: 43 Size: 1.53MB

NISO RP-11-2011
ESPReSSO: Establishing Suggested Practices Regarding Single Sign-On
A Recommended Practice of the National Information Standards Organization

Abstract: ESPReSSO explores practical solutions for improving the success of SSO authentication technologies for providing a seamless experience for the user and makes recommendations for promoting the adoption of one or more of these solutions to make the access improvements a reality.

Published by: NISO, Baltimore, Maryland, U.S.A.
Approved: October 25, 2011

NISO RP-11-2011 ESPReSSO 2011 NISO

About NISO Recommended Practices

A NISO Recommended Practice is a recommended “best practice” or guideline for methods, materials, or practices in order to give guidance to the user. Such documents usually represent a leading edge, exceptional model, or proven industry practice. All elements of Recommended Practices are discretionary and may be used as stated or modified by the user to meet specific needs.

This recommended practice may be revised or withdrawn at any time. For current information on the status of this publication contact the NISO office or visit the NISO website (www.niso.org).

Published by
National Information Standards Organization (NISO)
One North Charles Street, Suite 1905
Baltimore, MD 21201
www.niso.org

Copyright 2011 by the National Information Standards Organization

All rights reserved under International and Pan-American Copyright Conventions. For noncommercial purposes only, this publication may be reproduced or transmitted in any form or by any means without prior permission in writing from the publisher, provided it is reproduced accurately, the source of the material is identified, and the NISO copyright status is acknowledged. For permission to photocopy or use material electronically from NISO RP-11-2011, ESPReSSO: Establishing Suggested Practices Regarding Single Sign-On, please access or contact the Copyright Clearance Center, Inc. (CCC) at 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. All inquiries regarding translations into other languages or commercial reproduction or distribution should be addressed to: NISO, One North Charles Street, Suite 1905, Baltimore, MD 21201.

ISBN (13): 978-1-880124-98-7

Table of Contents

Foreword
Part 1: Introduction
    1.1 Purpose and Scope
    1.2 Terms and Definitions
Part 2: Why Is It Time to Act?
    2.1 Overview of Issues
    2.2 Library Community
    2.4 End User Community
Part 3: Traditional Approaches to Controlling Access to Licensed Resources
    3.1 The Evolution of Authentication Requirements
    3.2 The Evolution of Access Control
        3.2.1 Client Machine IP Address and Client Organization VPN Services
        3.2.2 Proxy Servers
        3.2.3 Userids/Passwords for a Service Provider Site
        3.2.4 Federated Login (Authentication)
Part 4: ESPReSSO Recommendations
    4.1 Overview
    4.2 Use Cases
    4.3 Summary of Recommendations
    4.4 Recommendations to Service Providers
        4.4.1 Service Provider Open Page
        4.4.2 Service Provider Identity Discovery Page
        4.4.3 Service Provider Protected Page
        4.4.4 Attribute-Based Authorization
    4.5 Recommendations to Libraries / Institutions
        4.5.1 Institution Login Page
        4.5.2 Institution Menu Page
    4.6 Role of a Proxy Server in Supporting a Hybrid Environment
    4.7 Rewriting OpenURLs
    4.8 Appropriate Use of Branding
    4.9 Additional Functionality
        4.9.1 Pseudonymous Access
        4.9.2 User Consent to Attribute Release
Part 5: Content Discovery Services
    5.1 Content Discovery Services
        5.1.1 Overview of Federated Search
        5.1.2 Overview of Web-Scale Discovery Services
    5.2 Existing Authentication with Discovery Services
    5.3 Recommendations for Authentication in a Discovery Search Environment
Appendix A Description of Functions in Current Authentication Environments
Bibliography

Figures

Figure 1: Use case #1 scenario
Figure 2: Use case #2 scenario
Figure 3: Use case #3 scenario
Figure 4: Use case #4 scenario
Figure 5: Mock-up of Identity Discovery page using recommendations
Figure 6: Mock-up of Institution Login Page using recommendations
Figure 7: Example of Institution Menu Page
Figure 8: Federated search
Figure 9: Web-scale discovery search
Figure 10: Functional components of current authentication environments

Foreword

About This Recommended Practice

In 2009, NISO launched a new Chair's Initiative, a project of the chair of NISO's Board of Directors, focusing on a specific issue that would benefit from study and the development of a recommended practice or standard. Oliver Pesch, Chair of NISO's Board of Directors at the time, chose the issue of standardizing seamless, item-level linking through single sign-on (SSO) authentication technologies in a networked information environment.

Accessing information in a networked environment has been a reality for most library user communities for over a decade. Recent years have seen an explosion in this type of usage. With the advent of hosted, aggregated full-text databases and the proliferation of e-journals and e-books, users' searches for information often take them to a number of different online hosts and platforms as part of a single transaction. When those information resources are commercial products, each platform traditionally required the user to be authenticated and authorized. Service providers (SPs) have used two approaches to this issue: 1) ensuring that the requesting IP address is within a range assigned to the license holder, and 2) issuing userids and passwords to users. In the latter case, the user may have a different identity on each platform.

As usage habits and technology have evolved, these traditional methods no longer work well. With the growing complexity of licensing situations and network design, along with the increased usage from mobile devices, campuses have outgrown the capabilities of these approaches. Using and managing this environment has become confusing and error-prone for browser users, licensee organizations, and service providers.

The problems caused by having to manage multiple identities have led to the development of so-called “Single Sign-On” (SSO) authentication technologies, including proprietary technologies such as Athens and formal open standards such as SAML (security assertion markup language). With these technologies, the user authenticates once and can then access all compliant content platforms using the same identity. (The user would typically be authenticated by the organization holding the licenses.) More importantly, these technologies have been designed so the user would encounter only one login event while traversing a multitude of in-sourced and outsourced service providers. In addition, with the SSO technologies the user does not have to be using a device attached to the license holder's network; they can be anywhere in the world.

Simplifying the user experience has become more important as organizations have outsourced more and more of their supporting business functions (not just to licensed content). A bridge is needed to address today's hybrid environment and move all parties towards a longer-term effective SSO solution.

The ESPReSSO Recommended Practice document recommends practical solutions for improving the success of existing SSO authentication technologies to provide a seamless experience for the user. Specifically, ESPReSSO recommends best practices related to selection of authentication method and transparent flow between the service provider (SP) site and the identity provider (IdP) site during authentication. Recommendations to service providers include the preferred location for login links and input boxes, standard approaches for guiding users to a desired authentication method, where local branding information could be inserted on a webpage, as well as approaches for handling automatic logins. Recommendations for libraries/institutions include display of the login page, branding of the login page, use of a menu page with all available content listed that transfers with automatic login to the selected service provider, and appropriate passing of parameters to the service provider that authenticate the user. Additional recommendations are made about methods that provide trade-offs between privacy and advanced functions. Specific recommendations in federated search and web-scale discovery environments are made that will lead all parties from the current environment to a longer-term recommendation to use the Shibboleth authentication model.

ESPReSSO did not invent any new technology or protocols. Instead, ESPReSSO aims to promote the adoption of best practices that make access improvements a reality by using existing technologies while preparing for the future.

Discovery to Delivery Topic Committee

NISO's Discovery to Delivery (D2D) Topic Committee had the following members at the time it approved this Recommended Practice:

Susan Campbell, College Center for Library Automation (CCLA)
Jeff Penka, OCLC Online Computer Library Center
Larry Dixson, Library of Congress
Tim Shearer, University of North Carolina Chapel Hill Libraries
David Fiander, University of Western Ontario
Chris Shillum, Reed Elsevier
Peter Murray, Lyrasis
Robert Walsh, EnvisionWare, Inc.
John Mark Ockerbloom, University of Pennsylvania Libraries

ESPReSSO Working Group Members

The following individuals served on the NISO ESPReSSO Working Group that developed and approved this Recommended Practice:

Steven Carmody (Co-chair), Brown University
David Kennedy, Johns Hopkins University
Frank Cervone, Purdue University Calumet
Ted Koppel, Auto-Graphics, Inc.
Pete Ciuffetti, CredoReference
Lyn Norris, Eduserv
Andy Dale, OCLC, Inc.
Heather Staines, Springer
Kristine Ferry, University of California, Irvine
Pieter van Lierop, Infor Library and Information Solutions
Andy Ingham, University of North Carolina, Chapel Hill
Foster Zhang, Johns Hopkins University
Harry Kaplanian (Co-chair), Serials Solutions, Inc.

Acknowledgments

The ESPReSSO Working Group would like to offer a special thanks to the following individuals for their assistance:

Adam Chandler (Working Group Observer), Cornell University
Oliver Pesch (Working Group Observer; Project Proposal Author), EBSCO Information Services
Rob Walsh (original Working Group member), EnvisionWare, Inc.

For input regarding publisher, aggregator, and platform experience with implementing single sign-on, we thank the following:

American Institute of Physics: Paul DeCillis
Cambridge University Press: Chris Fell
EBSCO Information Services: Sarah Buck and Heather Klusendorf
Elsevier: Chris Shillum and Ale DeVries
HighWire Press: John Sack
H. W. Wilson: Ronald Miller
IEEE: Gerry Grenier
Institute of Physics: Laura Shaw
Ithaka/JSTOR: Matthew Callow and Brian Larsen
MetaPress: Matthew Wren and Tiffany Rich
Nature Publishing Group: Amanda Ward
Oxford University Press: Claire Dowbekin
Semantico: Colin Caveney and Richard Padley
Taylor and Francis: Margaret Walsh and Rosa Perez
Wiley-Blackwell: Caroline Rothaug

For input regarding accessibility issues, we thank the following:

Kerri Hicks, University of Rhode Island

Part 1: Introduction

1.1 Purpose and Scope

In recent years, many institutions have moved to take advantage of many benefits afforded by Single Sign On, including access to learning management systems (Blackboard, Sakai), research tools (RefWorks, TurnItIn), and, of course, subscription-based library resources (e-journals, e-books, databases). Making the Single Sign-On (SSO) environment work better and smarter will certainly help increase the success of users getting to the content to which they are entitled.

Over the last several years many of the larger service providers (SPs) have implemented SSO technologies. However, it is probably fair to say that many content hosts have not implemented these technologies. Library users are required to operate in an environment that includes a mix of authentication technologies with internet protocol (IP) authentication being the most common. An effective solution needs to address this hybrid environment and, at the very least, take into consideration the needs of IP authentication and proxy servers and how they interoperate with SSO authentication technologies.

The ESPReSSO Recommended Practice document recommends practical solutions and a path forward for improving the success of SSO authentication technologies for providing a seamless experience for the user. It further aims to promote the adoption by campuses and service providers of a family of solutions to make the access improvements a reality. This initiative did not invent any new technology or protocols. Rather, it has developed a set of “best practice” recommendations surrounding the use of existing technologies.

The ESPReSSO Working Group was primarily concerned with the situation where an organization (a company, a campus, a public library, etc.) acquires a license to access specific content that is delivered via the web, and where the browser user is a member of the group authorized to access that content. The working group did not address the situation where an individual, either on his or her own or as part of a group, would obtain a license for personal use and then use a personal account from a major internet account provider to authenticate himself or herself to the service provider. Service providers are reporting that users are not currently requesting this functionality. In addition, supporting this approach requires as much work for the publishers in managing userids and passwords within their sites as it does for the licensee organization. The processes publishers use to sell individual articles were considered to be out of scope for this report.

Best practices for user experience on mobile devices are rapidly evolving. Consequently, this report avoids recommendations for screen layout and use on mobile devices. However, the flows described in later sections will work on mobile devices.

Lastly, as with any web-based system, it is important to address accessibility issues. The recommendations contained in this report describe a number of webpages, and include some sample screen images. However, this report does not recommend any specific implementation. All implementations should meet all Web Content Accessibility Guidelines (WCAG) guidelines.

1.2 Terms and Definitions

The following terms, as used in this recommended practice, have the meanings indicated. See also Appendix A, which contains definitions and descriptions of functional components fou
