Combining identity and access management


Identity and access management introduction

Publishing is an increasingly fast-moving industry, with user expectations outstripping the ability of businesses to keep pace in certain key areas. Seamless access is becoming central to library and end-user expectations when engaging with publisher content [1,2]. Standalone Single Sign-On (SSO) offerings – more broadly, identity and access management (IAM) systems – are being tested by many librarians and publishers in lieu of older monolithic access and entitlement functionality, which is typically enmeshed within legacy online publishing platforms. In this briefing, we define the differences and explain the benefits of the combined identity and access management approach taken within SAMS Sigma.

Common terms

To ensure we’re being clear in a field that is in the midst of change we think it’s important to clarify some common terms before going further. We have noticed that historical practices in our industry have generated the potential for confusion and we would like to help set that straight.
Here are our definitions of four key terms:

Identity

For our purposes, individuals have sets of personal attributes such as name, ORCID identifiers or Twitter handles. This set of personal attributes contributes to an individual’s identity. Individuals may have multiple identifiers – email addresses are a great example – but only one identity.
Importantly, organizations also have identities, again associated with multiple attributes and identifiers. To deliver flexibility and control to publishers, a well-designed IAM system must enable the management of both individual and organization identities, respecting the fact that organisations are very different to individuals. The record of an individual or organisational identity within an IAM system is typically called a profile or an account.

Authentication

Within IAM systems both individuals and organizations may have particular attributes, called variously ‘authentication identifiers’ or ‘credentials’. The best known of these is the combination of username and password, often shortened to ‘user-pass’. When arriving at a website or app protected by an IAM system, a user must present their credentials in order to gain access. This authentication process establishes to the website that the user is who they claim to be – more precisely, that they control the credentials bound to a particular identity, which the IAM system can then communicate to the website.

Authorization

On publisher websites and apps, simple confirmation of identity is not enough; the user also needs to be authorized in order for them to use the specific content licences or other functionality to which they may be entitled.
Within a publisher focussed IAM system, profiles are associated with entitlement information which detail the content licences or other entitlements available to either the individual or the organisation. Once a user is authenticated the IAM system provides the website or app with information about that user’s entitlements. For publishers, these might include subscriptions, pay-per-view purchases, trials or other types of licences.

Single-sign-on

An SSO system removes the need for users to enter their credentials at every website they visit. The idea is simple – the user signs on once, establishing their identity with the IAM system, and that authenticated session persists for a set period of time, typically 30 days or more. During this time, the user can visit each website or app connected to the IAM system without having to re-enter their username and password. The trade-off is that a long-lived session is worth more to an attacker who steals it, so the session should be carried in a signed, expiring token that connected sites verify on every request and that the IAM system can revoke.
Systems which allow a user to use the same username and password across multiple websites are not SSO if the user is still required to sign in on each site they visit.
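To make the sign-on-once mechanism concrete, here is an added example (not code from SAMS Sigma or any product named on this page) of the minimum a cross-site session needs: the IAM service signs a small payload once, every connected site checks the signature and expiry with a shared key, and no site ever sees the password. The signing key, user ids, site names and timestamps are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Key shared between the (hypothetical) IAM service and every connected site.
# Constructed placeholder so the example runs offline; a real deployment would
# load a per-environment key from a secrets store and rotate it.
SIGNING_KEY = b"example-sso-signing-key-not-for-production"

# Session lifetime, in seconds ("typically 30 days or more").
SESSION_TTL = 30 * 24 * 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(user_id: str, now: Optional[float] = None, ttl: int = SESSION_TTL) -> str:
    """Run once by the IAM service after the user has presented credentials.

    Returns an HMAC-SHA256 signed token; connected sites verify it with the
    shared key and never see the user's password.
    """
    now = time.time() if now is None else now
    payload = {"sub": user_id, "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_session(token: str, now: Optional[float] = None) -> Optional[str]:
    """Run by each relying site on every request.

    Returns the authenticated user id, or None if the token is malformed,
    forged, tampered with or past its expiry.
    """
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison; a plain == leaks timing information.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None  # lifetime elapsed: the user must sign on again
    return payload.get("sub")


def demo() -> dict:
    """One sign-on, then visits to two connected sites, a forgery and an expiry."""
    t0 = 1_700_000_000  # constructed timestamp
    token = issue_session("reader@example.org", now=t0)

    # An attacker holding a token cannot change who it names: altering the
    # payload without the key invalidates the signature.
    _, sig = token.split(".", 1)
    forged_payload = {"sub": "librarian@example.org", "iat": t0, "exp": t0 + SESSION_TTL}
    forged_body = _b64(json.dumps(forged_payload, separators=(",", ":"), sort_keys=True).encode())
    forged = forged_body + "." + sig

    return {
        "journals_site": verify_session(token, now=t0 + 3600),
        "books_site": verify_session(token, now=t0 + 5 * 86400),
        "forged": verify_session(forged, now=t0 + 3600),
        "after_expiry": verify_session(token, now=t0 + SESSION_TTL + 1),
    }


if __name__ == "__main__":
    print(demo())
```

The same token is accepted by both sites because they share the verification key, which is what distinguishes SSO from merely reusing a username and password; a system that handed the password to each site would give each of them something to lose. Revocation is not shown here; a production service would also keep a server-side session record or a short-lived token refreshed against the IAM service, so that a stolen 30-day token can be cut off early.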

Figure 1 explains the connections between identities, identifiers, access and entitlement.


Figure 1 Defining identities, access and entitlement

Defining the space

B2C identity management

B2C identity management services – Salesforce Identity, Gigya or ForgeRock, for example – were built on the back of the social media explosion, and offer SaaS-based cross-domain, cross-device SSO for individual identity management only. This is combined with a role-based entitlement system, whereby users are allowed access to different services based on their individual role. Role-based entitlements are usually quite simple: ‘read only’, ‘administrator’ and ‘super-user’ are common examples. Clearly this does not solve the entitlement problem, as publishers still need to model complex content licences. Nor do these systems model organisational access, with all the attendant complexities of IP address ranges, Shibboleth federations and consortium membership, to mention just a few. With B2C IAM systems, therefore, this gap in functionality can only be filled by complex bespoke development by the publisher.

Legacy access management

Legacy access management services – such as Atypon’s eRights, or Semantico’s SAMS 6 – have been around for almost as long as publishers have had digital services. They offer institutional authentication and access control via IP address recognition, Shibboleth federations, and organizational username/password combinations, but do not allow for flexible individual identity management or SSO. These are also not SaaS systems and are therefore subject to slower and more costly update cycles. Access management services usually permit publishers to manage quite granular entitlements (e.g. subscriptions and trials), such that different end users are able to access different content items based on their institution’s purchases.

Combined identity, access and entitlement management

SAMS Sigma is a SaaS based comprehensive identity, access and entitlement management solution, combining 12 years of investment in institutional access and entitlement management with best-of-breed, cross-domain SSO for individual identity management. SAMS Sigma allows publishers to accurately model content licence sales to both individuals and organisations together with the rich variety of relationships that exist between these types of profiles, including remote access, organisation hierarchy and consortium membership.

Comparison of services

Authentication: identity and access management

When users arrive at a protected site, they must first be authenticated – that is, the site must identify the user, either as an individual or as a user from a specific institution. The institutional methods below differ in how much they trust the client: IP address recognition trusts the network address the connection arrives from (so forwarded-for headers from unknown proxies must not be honoured), and a trusted referrer list trusts a client-supplied HTTP header, so it needs to be kept tight; federated sign-on (Shibboleth/SAML) instead carries a signed assertion from the institution’s own identity provider.

| Item | SAMS Sigma | B2C identity management | Legacy access management |
| --- | --- | --- | --- |
| SSO through OpenID Connect | yes | yes | |
| SSO through OAuth | yes | yes | |
| SSO through social sign-on | forthcoming | yes | |
| Institution authentication through IP address | yes | | yes |
| Institution authentication through trusted referrer list | yes | | yes |
| Institution authentication through library cards | yes | | yes |
| Institution authentication through Shibboleth federations (e.g. OpenAthens) | yes | | yes |
| Institution authentication through organization username and password | yes | | yes |
| Token-based access | yes | yes | yes |
| Cross-domain authentication | yes | yes | |
| Cross-device authentication | yes | yes | |
| SAML compliant | yes | yes | yes |
| API-based authentication | yes | yes | yes |

Table 1 Comparison of Identity and Access Management authentication services

Entitlement management

Publishers protect their content in various ways, giving users access to content based on a complex mesh of subscriptions, free content, Open Access and so on. Simple role-based entitlements rarely fit the bill.

| Item | SAMS Sigma | B2C identity management | Legacy access management |
| --- | --- | --- | --- |
| Subscriptions | yes | | yes |
| Trials | yes | | yes |
| Text and data mining | yes | | yes |
| Custom content collections | yes | | yes |
| Open Access | yes | yes | yes |
| Freemium | yes | | |
| Free and gratis | yes | | yes |
| eCommerce | yes (with Scolaris) | yes | yes |
| Perpetual access | yes | yes | yes |
| Time-limited licences | yes | | yes |
| Meterage limits | yes | | |
| Signed link sharing | yes | | |
| Access vouchers and tokens | yes | | yes |
| Concurrency limits | yes | | yes |
| Granular access down to the article | yes | | |

Table 2 Comparison of Identity and Access Management entitlement management services

User profile management

Your users need to be able to self-serve, saving your staff time and effort better spent in growing your business.

| Item | SAMS Sigma | B2C identity management | Legacy access management |
| --- | --- | --- | --- |
| Self-service profile management | yes | yes | yes |
| Password reset workflows | yes | yes | |
| Brandable login screen | yes | yes | |
| Inherited entitlements | yes | | yes |
| Personalization tools (e.g. saved search) | yes | yes | |

Table 3 Comparison of Identity and Access Management user profile management services

Modelling connections

Publishers operate in a complex space, where institutions have multiple inter-relationships not only with other institutions, but also with individuals.

| Item | SAMS Sigma | B2C identity management | Legacy access management |
| --- | --- | --- | --- |
| Organization hierarchy models | yes | | yes |
| Consortia models | yes | | yes (partial) |
| Individual memberships | yes | | yes |

Table 4 Comparison of Identity and Access Management connections modelling services
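The connections this section describes (organisation hierarchies and consortia in Table 4, inherited entitlements in Table 3, IP address recognition in Table 1 and time-limited licences in Table 2) are easier to reason about in code. The following is an added illustration, not SAMS Sigma’s data model or API: a small in-memory hierarchy in which a consortium buys a package for all of its members, a member university adds a trial, and a department within it has its own IP range. The organisation names, IP ranges, collection names and dates are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Licence:
    """One entitlement: a content collection plus an optional expiry date
    (trials and other time-limited licences). Dates are ISO strings, which
    compare correctly as text."""
    collection: str
    expires_on: Optional[str] = None  # None means perpetual access


@dataclass
class Organisation:
    name: str
    parent: Optional[str] = None                  # consortium or parent institution
    ip_ranges: List[str] = field(default_factory=list)
    licences: List[Licence] = field(default_factory=list)


# Constructed sample hierarchy (hypothetical names and documentation IP ranges).
ORGANISATIONS: Dict[str, Organisation] = {
    "nw-consortium": Organisation(
        "nw-consortium",
        licences=[Licence("journals-core")]),
    "univ-a": Organisation(
        "univ-a", parent="nw-consortium",
        ip_ranges=["192.0.2.0/24"],
        licences=[Licence("ebooks-2015", expires_on="2016-03-31")]),
    "univ-a-chemistry": Organisation(
        "univ-a-chemistry", parent="univ-a",
        ip_ranges=["198.51.100.0/25"],
        licences=[Licence("chem-archive")]),
}


def recognise_institution(client_ip: str) -> Optional[str]:
    """IP-based institution authentication: the most specific organisation whose
    registered range contains the client address, or None.

    The address passed in must be the one the server actually received the
    connection from. Honouring X-Forwarded-For from an unknown proxy would let
    any client claim an institutional address.
    """
    addr = ipaddress.ip_address(client_ip)
    best, best_prefix = None, -1
    for org in ORGANISATIONS.values():
        for cidr in org.ip_ranges:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_prefix:
                best, best_prefix = org.name, net.prefixlen
    return best


def effective_licences(org_name: str, today: str) -> Set[str]:
    """Inherited entitlements: walk up the hierarchy and union the licences,
    dropping any that have expired."""
    collections: Set[str] = set()
    visited: Set[str] = set()
    current = ORGANISATIONS.get(org_name)
    while current is not None and current.name not in visited:
        visited.add(current.name)  # guards against a mis-configured cycle
        for lic in current.licences:
            if lic.expires_on is None or lic.expires_on >= today:
                collections.add(lic.collection)
        current = ORGANISATIONS.get(current.parent) if current.parent else None
    return collections


def authorise(client_ip: str, collection: str, today: str) -> bool:
    """Authentication (which institution is this?) followed by authorisation
    (does that institution, or any organisation above it, hold a live licence
    for this collection?)."""
    org = recognise_institution(client_ip)
    if org is None:
        return False
    return collection in effective_licences(org, today)


if __name__ == "__main__":
    for ip, coll in [("198.51.100.7", "journals-core"), ("192.0.2.9", "chem-archive")]:
        print(ip, coll, authorise(ip, coll, "2015-06-01"))
```

Entitlements flow downwards only: the chemistry department inherits the consortium’s journals package and the university’s trial, but the rest of the university does not gain the department’s archive. The expiry check is applied at evaluation time rather than by deleting records, which is what allows a trial to lapse without an administrator touching the profile.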

Integration

Publishers typically use an ERP/ERM system as a central location for storing and updating their information. Sometimes an internal subscription management system also fulfils this role. API integration to these locations is key.

| Item | SAMS Sigma | B2C identity management | Legacy access management |
| --- | --- | --- | --- |
| API support for user provision | yes | yes | |
| API support for entitlement provision | yes | yes | yes |
| Synchronization support via API | yes | yes | |
| Business analytics | yes | yes | yes |
| COUNTER reports | yes | | yes |

Table 5 Comparison of Identity and Access Management integration services

Operational

You need to know that your system is going to be operational and secure. SaaS based systems have the benefit of being able to automatically scale resources using cloud hosting technologies to maintain service levels.

| Item | SAMS Sigma | B2C identity management | Legacy access management |
| --- | --- | --- | --- |
| Cloud-based | yes | yes | |
| High availability (99.95%) | yes | yes | yes |
| High performance with 10K concurrent users (single to low two-digit ms latency) | yes | yes | |
| 24x7x365 support | yes | yes | |
| Data secured to UK Data Protection Act standards | yes | | yes |
| OWASP ASVS Level 2 security compliant | yes | | yes |
| WCAG 2.0 AA and Section 508 accessibility standard compliant | yes | | yes |

Table 6 Comparison of Identity and Access Management operational services

Pricing

We benchmarked the prices of B2C identity management solutions based on 1.5 million active user identities per annum, or approximately 250,000 unique users per month. Note that the vendors price on different units (stored profiles, unique users per month, or sessions per month), so the figures below are an approximate equivalence rather than a like-for-like quote.

| Solution | Pricing model | Estimated price |
| --- | --- | --- |
| Salesforce Identity | unique users per month (250,000) | $105,000 to $140,000 pa |
| Janrain Enterprise | user profiles (1.5 million identities) | $186,000 to $235,000 pa |
| Gigya | user profiles (1.5 million identities) | $280,000 to $350,000 pa |
| ForgeRock | user profiles (1.5 million identities) | $300,000 to $340,000 pa |
| SAMS Sigma | sessions per month (250,000) | $76,000 to $100,000 pa |

Table 7 Comparison of Identity and Access Management pricing

References

[1] Eduserv. (2015) Librarians’ experiences and perceptions of identity and access management 2015.
[2] Schonfeld, R.C. (2014) Meeting researchers where they start.
