An emerging new technology for federated access: Federated Credential Management (FedCM)

In earlier blog posts, videos (one, two) and FAQs (for librarians and publishers), we talked about ongoing developments at the major browser vendors that are bound to have a significant impact on how users will experience the web in general, and on federated access in particular. To recap, these changes are driven by concerns around user privacy - including regulations such as GDPR - and meant to stop the unsanctioned tracking of users across the web. “Why is that relevant to federated access?”, you might ask. Well, the complicating factor is that some browser functionalities that are used to track users, for example third-party cookies, are also used to support federated access - and the browser has no way to tell the difference! This means that, in an effort to improve user privacy, current access solutions for scholarly resources on the web may no longer work in the way they used to. This is, in fact, already happening today with IP-based access: Apple has started to hide IP addresses by default for certain users, which means that these users may suddenly find themselves unable to access research publications if their library relies on IP authentication to provide access (see ‘Apple’s iCloud Private Relay impacting IP recognition’ in our August 2021 newsletter).

This blog post is about a new piece of technology that has the potential to support federated access: Federated Credential Management (FedCM), described on the Chrome Developers Privacy Sandbox page as “A web API for privacy-preserving identity federation.” Originally developed by Google, this technology seems to have now gathered the support from other major browser vendors, including Apple and Mozilla, and is thus emerging as a front-runner to fill the gap that will be left by the deprecation of third-party cookies and other tracking-like functionalities.

FedCM is under active development, and questions remain to what extent it will be suited to support scholarly and academic use cases that are today served by federated authentication technologies and by SeamlessAccess. Just to give one example, it is not uncommon for researchers to have to find their home institute from a list of several tens of thousands of choices (a challenge that is the very raison d'être for the SeamlessAccess central IdP discovery service). This is a fundamentally different order of magnitude compared to the choice of a few social web logins, which calls for a different approach to support the user in their access journey.

In light of these questions and concerns, SeamlessAccess is an active contributor to work that is currently taking place under the auspices of the W3C Federated Identity Community Group. The purpose of this work is to foster an active dialogue between browser vendors and the research community to ensure that researchers’ use cases are understood and taken into account as FedCM is further designed and developed. An upcoming milestone is an info-sharing event at the end of February that will bring together developers from Google and technologies like Shibboleth, SimpleSAMLphp, and SeamlessAccess. We believe that this is going to be a great opportunity to ‘get our hands dirty’ with FedCM in its current state and understand how it can support researchers’ access needs. Equally, we look forward to sharing our insights into user needs and the approaches that we’ve developed to inform the core FedCM team on how FedCM could benefit the research community.

We will be reporting back to the SeamlessAccess community after the event, so please check our website regularly or subscribe to our mailing list to receive updates.