Using Federated Identities to Access IP-Protected Web Resources in Multi-customer Environments

Several publishers, being used by researchers, have changed their access control from IP-based to federated authentication and authorization mechanisms typically based on the Security Assertion Markup Language (SAML). While offering unified authentication and authorization (Single Sign-On) across Web sites, SAML does not offer specific features to enable the accounting of multiple customers that joined a federation. Thus the majority of publishers offering Web resources, like journals or papers, still use less complex IP-based or proprietary access control mechanisms. To integrate publishers offering IP-protected resources in federations several proxy solutions have been developed, but they do not allow differentiating multiple customers in a federation. This paper introduces a solution to integrate publishers providing IP-protected resources in federations without losing the ability to establish a customer-based accounting. It presents a migration path for libraries and companies that have already joined or are beginning to setup a federation and explains accounting enhancements for federated authentication and authorization mechanisms.