Hello,

 

Aside from re-educating Nexis about how metadata distribution works, what do other institutions feel about the request from Nexis to release additional data about our users? They are requesting names and e-mail addresses, which we currently only release to services that are "in house" like our discovery system, Primo, and the IT call management system, UniDesk. Our users would reasonably expect those two systems to know their e-mail addresses and names.

 

We would be very interested to hear if many other institutions release name and e-mail address to external service providers. Do you do this routinely, or just for specific services like LexisNexis?

 

We believe it is possible to set up the IdP so that users are informed what attributes are being shared with the service provider. We have not done that: we'd be interested to hear if any of you have.

 

As well as asking for additional attributes, Nexis also say they prefer a unique ID which is not hashed, ruling out eduPersonTargetedId. They say that a hashed unique ID causes problems when institutions move to a different identity provider. Here is an excerpt from the message they sent to our technical contact:

 

“In general below are the information required in the SAML response (profileID is the Just In Time Provisioning ID to create user account on LexisNexis platform).

1.            firstname or urn:oid:2.5.4.42

2.            lastname or urn:oid:2.5.4.4

3.            emailaddress or urn:oid:0.9.2342.19200300.100.1.3

4.            profileID  (provided below depend on which setup)

We will use persistent for NameID Format and the value passed with this will be assertionID (key identifier for the user account), which can be email address (preferred) or student/staff ID as long as it is unique to the user. Please do not encrypt or hashed this value as when you decide to migration to a different IAM system it very difficult.”

 

The alternative to releasing the name and e-mail address as part of the SAML transaction is for the service provider to ask the user to enter these details once they are through to the site. The new Westlaw site does this, and of course Digimap has operated like this for a while. At least then it is clear to the user that they are handing over additional information to the provider. We were a bit doubtful about Westlaw insisting on extra data, as they hadn't done before, and their reasons seemed a bit flimsy, but we've decided to put up with it. We have asked Westlaw to add a link from the form to their privacy policy so that users can understand what the information will be used for.

 

Kind regards,

 

Clare

 

 

Clare L. Miller

eResources Co-ordinator

 

Durham University Library

Stockton Road

Durham

DH1 3LY

 

Tel: 0191 3341584

Email: [log in to unmask]"> [log in to unmask]

 

Please note my working days are Thursday and Friday

 

 

 

 

Hi Caroline + all,

 

The UKf is following up with Nexis. I suspect a little “re-education” may be in order as 1. Our (UK federation) servers have had excellent uptime. 2. Metadata distribution doesn’t quite work like that.

 

I’ll let you know how we get on, it’s certainly a worrying approach and at best based on misconceptions, and at worst, a little disingenuous….

 

Thanks

 

Mark

 

 

Mark Williams

UK federation Manager

 

T: 02030066042 (Direct)   

E: [log in to unmask]

 

Jisc

15 Fetter Lane, EC4A 1BW

London

 

 

 

 

 

 

Thanks Angus.

 

Apparently this has been implemented in Australia and New Zealand but they may not have the same regulations or be as cautious as we are in Europe.

 

This is the reasoning I received from Nexis:

 

“… Federate via a 3rd party like UKAMF introduced a bottleneck, if their service go down all our customers will lose access. LexisNexis is contracted to Customers to provide the service not the 3rd party, if the service go down for extended period, we don’t have much control over it and will be liable with out contractual agreement with the customer not the 3rd party.

 

All Australian and New Zealand universities were federated via AAF (Australian Access Federation) and Tuakiri respectively for their online resources but federated directly to LexisNexis for our legal resources. They have been on Lexis Advance since early 2016 without any major issues.”

 

I understand using third party authentication may put Nexis in an awkward position with commercial forms but we have always taken the view that it is our authentication and if service from that is interrupted, it is our ‘fault’ not the service provider.

 

I am waiting for a response from Nexis UK to see if they are remaining as members of the UKAMF.

 

 

 

lis-e-resources is a UKSG list - http://www.uksg.org UKSG groups also available on Facebook and LinkedIn Follow us on Twitter: https://twitter.com/UKSG

lis-e-resources is a UKSG list - http://www.uksg.org UKSG groups also available on Facebook and LinkedIn Follow us on Twitter: https://twitter.com/UKSG

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.

lis-e-resources is a UKSG list - http://www.uksg.org UKSG groups also available on Facebook and LinkedIn Follow us on Twitter: https://twitter.com/UKSG