Hello,
Aside from re-educating Nexis about how metadata distribution works, what do other institutions feel about the request from Nexis to release additional data about our users? They are
requesting names and e-mail addresses, which we currently only release to services that are "in house" like our discovery system, Primo, and the IT call management system, UniDesk. Our users would reasonably expect those two systems to know their e-mail addresses
and names.
We would be very interested to hear if many other institutions release name and e-mail address to external service providers. Do you do this routinely, or just for specific services
like LexisNexis?
We believe it is possible to set up the IdP so that users are informed what attributes are being shared with the service provider. We have not done that: we'd be interested to hear
if any of you have.
As well as asking for additional attributes, Nexis also say they prefer a unique ID which is not hashed, ruling out eduPersonTargetedId. They say that a hashed unique ID causes problems
when institutions move to a different identity provider. Here is an excerpt from the message they sent to our technical contact:
“In general below are the information required in the SAML response (profileID is the Just In Time Provisioning ID to create user account on LexisNexis platform).
1. firstname or urn:oid:2.5.4.42
2. lastname or urn:oid:2.5.4.4
3. emailaddress or urn:oid:0.9.2342.19200300.100.1.3
4. profileID (provided below depend on which setup)
We will use persistent for NameID Format and the value passed with this will be assertionID (key identifier for the user account), which can be email address (preferred) or student/staff
ID as long as it is unique to the user. Please do not encrypt or hashed this value as when you decide to migration to a different IAM system it very difficult.”
The alternative to releasing the name and e-mail address as part of the SAML transaction is for the service provider to ask the user to enter these details once they are through to
the site. The new Westlaw site does this, and of course Digimap has operated like this for a while. At least then it is clear to the user that they are handing over additional information to the provider. We were a bit doubtful about Westlaw insisting on extra
data, as they hadn't done before, and their reasons seemed a bit flimsy, but we've decided to put up with it. We have asked Westlaw to add a link from the form to their privacy policy so that users can understand what the information will be used for.
Kind regards,
Clare
Clare L. Miller
eResources Co-ordinator
Durham University Library
Stockton Road
Durham
DH1 3LY
Tel: 0191 3341584
Email: [log in to unmask]">
[log in to unmask]
Please note my working days are Thursday and Friday
From: An informal open list set up by UKSG - Connecting the Information Community <[log in to unmask]>
On Behalf Of Mark Williams
Sent: 15 July 2019 19:57
To: [log in to unmask]
Subject: Re: [lis-e-resources] Nexis
Hi Caroline + all,
The UKf is following up with Nexis. I suspect a little “re-education” may be in order as 1. Our (UK federation) servers have had excellent uptime. 2. Metadata distribution doesn’t quite
work like that.
I’ll let you know how we get on, it’s certainly a worrying approach and at best based on misconceptions, and at worst, a little disingenuous….
Thanks
Mark
Mark Williams
UK federation Manager
T:
02030066042 (Direct)
Jisc
15 Fetter Lane, EC4A 1BW
London
From: An informal open list set up by UKSG - Connecting the Information Community [mailto:[log in to unmask]]
On Behalf Of Checkley, Caroline R
Sent: 15 July 2019 15:11o
To: [log in to unmask]
Subject: Re: [lis-e-resources] Nexis
Thanks Angus.
Apparently this has been implemented in Australia and New Zealand but they may not have the same regulations or be as cautious as we are in Europe.
This is the reasoning I received from Nexis:
“… Federate via a 3rd party like UKAMF introduced a bottleneck, if their service go down all our customers will lose access. LexisNexis is contracted
to Customers to provide the service not the 3rd party, if the service go down for extended period, we don’t have much control over it and will be liable with out contractual agreement with the customer not the 3rd party.
All Australian and New Zealand universities were federated via AAF (Australian Access Federation) and Tuakiri respectively for their online resources
but federated directly to LexisNexis for our legal resources. They have been on Lexis Advance since early 2016 without any major issues.”
I understand using third party authentication may put Nexis in an awkward position with commercial forms but we have always taken the view that it is
our authentication and if service from that is interrupted, it is our ‘fault’ not the service provider.
I am waiting for a response from Nexis UK to see if they are remaining as members of the UKAMF.
All the best
Caroline
Caroline Checkley
Digital Systems and Services Librarian
Library Services
University of Essex
T
01206 873176
WE ARE ESSEX
TOP 20 FOR RESEARCH EXCELLENCE
TEF GOLD 2017
QAP WINNER 2017
From: An informal open list set up by UKSG - Connecting the Information Community <[log in to unmask]>
On Behalf Of Angus Sinclair
Sent: 15 July 2019 14:55
To: [log in to unmask]
Subject: Re: [lis-e-resources] Nexis
Hi Caroline,
We also received this survey. I passed it to our IT department for assistance in completing it and was told the answers to some of the questions were sensitive and not necessarily
something we should be passing to a 3rd party.
Glad we're not the only ones being cautious here.
Best,
Angus
——————————————————————
Angus Sinclair
e-Resources & Journals Supervisor
Discovery Services
Goldsmiths Library
Goldsmiths, University of London
New Cross, London, SE14 6NW
+44 (0)207 717 3343
——————————————————————
Pronouns: he/him
From: An informal open list set up by UKSG - Connecting the Information Community <[log in to unmask]> on
behalf of Checkley, Caroline R <[log in to unmask]>
Sent: 15 July 2019 14:48
To: [log in to unmask]
Subject: [lis-e-resources] Nexis
Dear all
Has anyone been contacted by Nexis as part of their
Nexis Product Upgrade | Authentication Survey?
We have and I thought it would just be a matter of confirming our Shibboleth IdP details (we have our own IdP rather than using OpenAthens) but now Nexis are requesting we hand over extra metadata
i.e. name and e-mail as well as EPPN?
We’d rather not do this, so I was wondering if anyone else has been contacted regarding this?
Thanks.
All the best
Caroline
Caroline Checkley
Digital Systems and Services Librarian
Library Services
University of Essex
T
01206 873176
WE ARE ESSEX
TOP 20 FOR RESEARCH EXCELLENCE
TEF GOLD 2017
QAP WINNER 2017
lis-e-resources is a UKSG list -
http://www.uksg.org UKSG groups also available on Facebook and LinkedIn Follow us on Twitter:
https://twitter.com/UKSG
lis-e-resources is a UKSG list -
http://www.uksg.org UKSG groups also available on Facebook and LinkedIn Follow us on Twitter:
https://twitter.com/UKSG
lis-e-resources is a UKSG list -
http://www.uksg.org UKSG groups also available on Facebook and LinkedIn Follow us on Twitter:
https://twitter.com/UKSG
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203
697 5800.
lis-e-resources is a UKSG list -
http://www.uksg.org UKSG groups also available on Facebook and LinkedIn Follow us on Twitter:
https://twitter.com/UKSG