User Story: Researcher accessing a scholarly article using their university credentials

[hlflanagan]

User story

As a researcher, I go to my favorite journal site and click on login because I want to access the full text of an article. I am presented with a screen to select my organization. (I choose to sign in with my organization's credentials because they own the subscription.) I select my organization and am taken to my organization's authentication service. I authenticate to my organization and am returned back to the journal site.

Since I initiated the sign-in flow, I expect the organization (IdP) to collect, store, and use my credentials for authentication purposes without asking for explicit permission, and share only what is required by the subscription contract between the service and my organization.

Context of the story

This story applies to an education federated authentication flow.

Should this be considered sanctioned or unsanctioned tracking?

TBD

Explicit list of parties involved

• user
• browser
• RP / service
• IdP discovery service
• IdP operator / organization

Complicating characteristics

Additional parties, specifically the IdP discovery service, may impact whether this is considered sanctioned or unsanctioned from the browser's perspective. The IdP discovery service does offer an option to NOT store the choice of IdP

Additional information

[hlflanagan]

Discussed during 27 September 2021 fedidcg call

[hlflanagan]

With some of the latest browser updates, the pre-population of IdP choice in the SeamlessAccess button now fails. User is required to do an IdP discovery search for each and every instance. In some cases, the search itself is not possible. See for example https://aapt.scitation.org/doi/pdf/10.1119/10.0003395 in Firefox, Safari, and Chrome.

Safari 16.1

Firefox 106.0.5

Chrome 107

[samuelgoto]

This is how it is intended to work: see the "mission state college" string in the button, which is displayed based on a prior choice that the user has made.