Helping to Improve the Single Sign-On Experience for Users

15 December 2011

 

By Todd Carpenter, Managing Director, National Information Standards Organization

Online publications are increasingly becoming an interlinked chain of scholarship, with readers frequently moving from one publisher platform to another when searching for information. Each time a library patron makes that move, however, the credentials that allow access need to be revalidated. Users are not likely to understand or care how authentication systems work, nor how to navigate through the authentication process. They are often confused—and annoyed—when repeatedly asked to enter authentication credentials during the same search session.

As a community, we need to lower the barriers to accessing subscribed content whenever possible. Currently a hybrid environment of authentication practices exists, including older methods of userid/password, IP authentication, and/or proxy servers along with newer federated authentication protocols such as Athens and Shibboleth. With the growing use of mobile devices and remote access, the older authentication methods are not manageable for the content provider, the library, or the end user. The increased use of web discovery services over the older federated search method has only increased the need for single sign-on authentication and consistency of access and context for the user.

To help address these issues, the National Information Standards Organization (NISO) has published a recommended practice, Establishing Suggested Practices Regarding Single Sign-On (ESPReSSO). The ESPReSSO Recommended Practice puts forward practical solutions for improving the success of existing SSO authentication technologies to provide a seamless experience for the user. Specifically, ESPReSSO identifies changes that can be made immediately to improve the authentication experience for the user, even in a hybrid situation, while encouraging both publishers/service providers and libraries to transition to the newer Security Assertion Markup Language (SAML)-based authentication, such as Shibboleth.

The ESPReSSO Working Group did not invent any new technology, authentications, or protocols. Instead, ESPReSSO aims to promote the adoption of best practices that make access improvements a reality by using existing technologies.

Recommendations to service providers include the preferred location for login links and input boxes, standard approaches for guiding users to a desired authentication method, where local branding information could be inserted on a webpage, as well as approaches for handling automatic logins.

Recommendations for libraries/institutions include display of the login page, branding of the login page, use of a menu page with all available content listed that transfers with automatic login to the selected service provider, and appropriate passing of parameters to the service provider that authenticate the user.

Additional recommendations are made about methods that provide trade-offs between privacy and advanced functions. Specific recommendations in federated search and web-scale discovery environments are made that will lead all parties from the current environment to a longer-term recommendation to use the SAML authentication model.

The recommendations are available for free download from the NISO website at http://www.niso.org/publications/rp/RP-11-2011_ESPReSSO.pdf. More information about the group, its background, and next steps is available at http://www.niso.org/workrooms/sso. The site also contains a variety of detailed presentations about the project and more detail about the recommendations.

Through broad adoption of these practices, the end-user experience of accessing licensed publisher content can become a seamless single sign-on with item-level linking while also streamlining the back-end authentication management for both publishers and libraries.