OpenAthens works with a couple of different types of resources. Whilst these different technologies do not tend to make any difference to your users when accessing them from a controlled source such as MyAthens, or to how resources are allocated and reported on, there are times when you as the administrator do need to be able to tell the difference between the different types of resources - for example:
- you may find that you have subscribed to a resource that has two different access technologies available and might appear twice in the catalogue - only one of which will be connected with your subscription, or
- your users may be in the habit of finding content via search engines and any resources that have to be proxied will have no access method via that route - for the proxy, users have to start from a link that routes them through it.
When the technology does not make a difference we try to call them all 'resources', but sometimes you will see them described slightly differently and when that happens, this is what each term means:
These are the regular resources and the majority of your users' access will be to these. They use a technology called SAML which depends on both the publishers and the subscribers being members of a federation with a common set of rules for how things interact. The authentication of the user is devolved to the user's organisation (or an agent acting on their behalf such as OpenAthens), whilst the authorisation of the user is handled by the resource based on information the organisation passes back to the resource - typically that the user is from organisation X, has identifier Y and in some cases, has special property Z.
The resource detail view in the catalogue will tell you which federation the resource is a member of, which can be useful if your organisation is a member of more than one (which is rare outside of education).
If your users are accessing this type of resource from something like a search engine's results page rather than from a managed set of links as you would find in MyAthens, they may find they have to identify their home organisation in a list to proceed. Such a list is usually called a WAYF (for Where Are You From). The Access URLs used in MyAthens and the resource catalogue should generally not require this step when followed - they will either have come with a suitable access URL already or you will have tweaked it to suit your users' needs. OpenAthens redirector links similarly bypass the WAYF function.
This is the type of resource that OpenAthens access is optimised for and usually provides the best user experience.
Where resources do not have a compatible access technology, either because they are small, specialist or stuck in the dark ages, they can be made available by the managed proxy service. This is an additional service and if you believe you have need of it you should contact your account manager.
Which is best?
This really comes down to the advantages and disadvantages of federated vs proxy access in general rather than anything specific to OpenAthens:
Federated access advantages
- User accesses content at the maximum speed allowed by resource and their internet connection
- Users can access content they find from a web search and then log in directly, which means:
  - Users do not need to first know which resource to go to then use the resource's search (although that search can be excellent)
  - Users do not need to start from a library catalogue that you have to maintain and keep up to date. That link resolver may not be necessary
- Users from different organisations can collaborate by sharing links to an article and logging in from their own organisation
- Very simple to load balance and distribute multiple Identity Provider servers, leading to a low chance of it causing access failure
- Very secure authentication and authorisation
- Federated access is part of the service provider's infrastructure so is unlikely to break when they update their site.
- Personalisation can be linked to a user's login
- Users can be held accountable by you
Proxy access advantages
- Does not require the service provider to do any work to enable remote access for your end-users
- Works well with link resolvers
- User experience can be very similar inside and outside of your network... as long as you can completely control all of the users' routes to content
Federated access disadvantages
- Not all resources support federated access
- The process of logging into a resource can vary from publisher to publisher
Proxy access disadvantages
- Not all types of content can work
- Some service providers do not allow proxying
- Results found via search engines have no available login option
- Restricts all users of all skill levels to the lowest common denominator
- Users from different organisations cannot collaborate by sharing links
- Slower, because all traffic passes through another server, both ways, where every single packet is rewritten. Distance becomes a factor in this if you outsource a proxy.
- More places where a failure could disrupt all access
- Difficult to load balance or distribute, leading to a higher chance of access failure
- Can be complicated to set up and keep working - it is rarely as simple as just rewriting IP addresses, and resources can stop working when providers make changes to their site (your proxy is not part of their service).
- Much easier to disrupt or co-opt the traffic.
- Less tolerant of pages that stray from web standards
- Difficult to tie any abuse to a specific user
- As with IP access, the SP cannot block an individual abuser but must block your entire organisation
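
The sketch below is an added example, not OpenAthens or publisher code. It models the resource-side decision described earlier (organisation X, identifier Y, optional property Z) next to proxy/IP access, to show why a federated resource can block one abuser while a proxied one can only block the whole organisation. All class, field and organisation names and the address range are hypothetical, and the sample data is constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Assertion:
    """What the identity provider passes back after authenticating the user."""
    organisation: str                      # "organisation X"
    identifier: str                        # "identifier Y": opaque per-user value
    properties: frozenset = frozenset()    # "special property Z", if any

@dataclass
class Resource:
    subscribers: dict                      # organisation -> required property or None
    proxy_ranges: dict                     # organisation -> proxy/IP range (CIDR string)
    blocked_users: set = field(default_factory=set)   # (organisation, identifier)
    blocked_orgs: set = field(default_factory=set)

    def authorise_federated(self, a: Assertion) -> str:
        if a.organisation not in self.subscribers:
            return "deny: no subscription"
        if a.organisation in self.blocked_orgs:
            return "deny: organisation blocked"
        if (a.organisation, a.identifier) in self.blocked_users:
            return "deny: user blocked"
        required = self.subscribers[a.organisation]
        if required is not None and required not in a.properties:
            return "deny: missing property"
        return "allow"

    def authorise_by_ip(self, source_ip: str) -> str:
        addr = ipaddress.ip_address(source_ip)
        for org, cidr in self.proxy_ranges.items():
            if addr in ipaddress.ip_network(cidr):
                # The only identity available is the organisation's address range.
                return "deny: organisation blocked" if org in self.blocked_orgs else "allow"
        return "deny: unknown address"

def demo() -> dict:
    # Constructed sample data: two users of one organisation behind one proxy address.
    res = Resource(subscribers={"org-x.example": None},
                   proxy_ranges={"org-x.example": "192.0.2.0/28"})
    alice = Assertion("org-x.example", "pseud-7f3a")
    bob = Assertion("org-x.example", "pseud-c210")
    res.blocked_users.add((bob.organisation, bob.identifier))  # block the one abuser
    out = {"fed_alice": res.authorise_federated(alice),
           "fed_bob": res.authorise_federated(bob),
           "ip_before": res.authorise_by_ip("192.0.2.5")}  # user block has no effect here
    res.blocked_orgs.add("org-x.example")                  # the only block IP access offers
    out["ip_after"] = res.authorise_by_ip("192.0.2.5")
    out["fed_alice_after"] = res.authorise_federated(alice)
    return out
```
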