A colleague of mine in JISC Collections recently said to me that what was a dealbreaker for me with publishers was not necessarily a dealbreaker for them. I totally understand this position – I’m obviously a bit puritanical about wanting publishers to adopt SAML! However, recent discussions on the lis-e-resources list got me thinking about whether access management should or shouldn’t be a dealbreaker for licensed resources. This is further supported by an article by Sarah Taylor in Serials.
During February there were three separate discussions on the lis-e-resources list about access management issues all reflecting the problematic situation of publishers who only offer allocated usernames and passwords or who have complex access routes in to resources. The question was posed – would you cancel a resource because of ‘bad’ access management? Is access management a dealbreaker, or not, and should it be?
When I first joined JISC I worked for the then emerging e-research ‘team’ (of 1!) and had very little to do with the JISC Collections team, who were busy building up a strong portfolio of negotiated deals for the UK educational community. So I was very interested to hear Lorraine Estelle presenting on the Nesli agreement process at the first ever JISC Away Day back in 2003. What impressed me most about Nesli was the fact that institutions agreed not to go to the publishers separately, but only used the Nesli route for the purchase of these specific journal deals. This gave the Nesli team it’s negotiating platform. Without this buy-in, it would have been difficult to get the publishers involved.
The JAM team have been working hard to persuade publishers of the benefits of adopting SAML as an access management route, and nearly all of the major publishers have now adopted. However, there are still a large number of smaller publishers that have not adopted, and will only use allocated username and password or IP access. This leaves librarians having to manage SAML access, IP access, EZ-Proxy routes, and publisher provided credentials – clearly a difficult management task and something that is not effective for end-users. Regrettably there are still a large number of JISC Collections resources that aren’t compliant – although SAML compliance is in the license it is not currently treated as a dealbreaker and publishers are allowed to come on board on the understanding they will adopt at a future date. In my experience, regrettably this future date rarely arrives.
There is no real reason for non-adoption of a SAML based access routes. There are a plethora of support options for publishers available, such as the offer from Semantico, the Atypon SAML SP, support from organisations such as VLE Middleware and the OpenAthensSP. Non-adoption really boils down to one thing:
if people will buy the resource without compliance, there is no incentive for the publisher to adopt.
So how can we get beyond this? Is it time for access management to become a dealbreaker? Or is it something that we can continue to live with and manage? I’d be interested in your views….
2 comments
Comments feed for this article
Trackback link
http://access.jiscinvolve.org/wp/dealbreaker/trackback/
March 2, 2010 at 11:52 am
Rod Widdowson
We need to ask the more profound question – why do you think that SAML is important?
If you can enunciate that into a value statement then we are in a more traditional situation – one party is in a position to make things better for the other party but gets no advantage from it. Alternatively there is a cost saving to be had and “all” you need to do is persuade them of it.
One sees this a lot of the former in Security systems – The TSA gains no benefit for making life easier for the travelling public and would suffer badly if they “let someone through”. In general the public would prefer easier passage through security if the secuirty level was maintained – one side carries the risk, the other side the payment.
So you need to state what the value statement is and find some way to transfer that value to the SP either in terms of risk (if you don’t all SSO then all our users will use the same password) or proof of cost savings (you are less likely to get DP audit if you don’t keep passwords) or $$$.
Of course this is not a competative market and that fact alone skews so much of what we do.
March 5, 2010 at 1:18 pm
Owen Stephens
Quite a few years ago I was impressed by the line taken by the California Digital Library – they were very clear about the things that were ‘deal breakers’ and they pushed publishers very hard to meet their requirements.
The other thing that struck me was the purchasing power of CDL was quite considerable and not comparable to any single UK institution. The only way we can get changes made is to act in concert.
There is also the issue that libraries are a service, in the business of providing access to information for their users. There is a danger to the reputation of libraries within their institutions if they don’t give access to certain resources – no matter how much of a pain it is administratively. The value of a specific resource can vary widely across libraries, depending on their users needs, so agreeing a universal ‘deal breaker’ is tricky, if not impossible.
Finally (and I don’t think you are going to agree with me here…) I’d argue that implementing IP authentication is much cheaper and simpler than implementing SAML, and it is more realistic that small publishers could implement this, so if I was going to put a ‘deal breaker’ requirement on this, I’d be arguing for IP authentication being the ‘minimum’ not SAML.