Todd Carpenter, executive director, National Information Standards Organization.
The RA21 Project has been working for the past two years to improve the user experience of access to subscribed resources. After having reviewed some initial pilot technologies, RA21 is ready to roll out its recommended practice and launch an ongoing service to support user identity management and individual access to content. The project is now entering a new phase, in which interested parties will form a consortium to provide ongoing maintenance, outreach support, and governance to the effort moving forward. Todd discusses what RA21 has accomplished, demonstrates the service, and provides an update on what is next for RA21.
OpenAthens Conference 2019: Simplifying the SSO User Experience: The RA21 initiative moves into production
1. Creating a Seamless User Experience
Todd Carpenter, Executive Director, National Information Standards Organization (NISO)
OpenAthens Conference
March 19, 2019
9. What do users want?
• Seamless access to content.
• Seamless access to content.
• Seamless access to content.
– (“OK, Privacy is nice. Security, I guess. Customization is fine. One password, please. And did I mention seamless?”)
10. The Promise of Single-Sign-On
• Reduces user sign-on requests and streamlines online access to resources
• Central identity management and provision
• Single user interface for accessing many services
• Single point of contact for service providers
• Reduces IT help-desk calls regarding credentials
• Limits phishing and unauthorized access
11. Institutions using SAML for years
• OpenAthens in the UK started in 1999
• Shibboleth project was started in 2000, launched as a service in 2003
• EduRoam initiative started in 2002.
13. And yet, the reality of SSO today
• No common language that makes sense to users
• No common user interface
• No common user experience
• Continuing WAYF (Where Are You From) problem
• No consistency in attribute release
15. The IT reality for most libraries!
• IT and identity management is not run out of the library and doesn’t often report through the same structures
• IT establishes norms and best practices that are not always in keeping with library values, especially privacy
16. Interactions between the library and campus IT need to improve
Amy Pawlowski and Mark Beadles (OhioLink) Authentication and Access of Licensed Content in Ohio: A Summary
17. RA21 will require greater interactions between libraries and IT
And this should be viewed as a good thing.
19. Expectations of Privacy
• Librarians have an ethical, and often a legal, duty to protect the privacy of the users that they serve, regardless of whether that user cares about it
• Data gathering should be minimal, and as anonymous as possible.
• Informed consent, if done appropriately, can mitigate these issues
• GDPR has only expanded awareness of privacy
20. “Don’t take away my proxy server!”
• Controlling the proxy means controlling the data and the services. Passing that to IT is scary.
• Integration of RA21 into the existing technology services stack will help.
21. “The Proxy is a Firewall for Identity”
-- Cody Hanson (U. MN Library)
• “We control the server, we control the logs”
• The proxy server protects the user’s identity by masking it via the authentication system, based on the network one is on, rather than who a person is
• It is NOT the case that these data don’t exist
• SAML could do the same thing, through different means – the use of pseudonymous IDs
22. SAML Privacy Protecting or Not?
• SAML has a variety of use cases
– For example, SAML is used for authenticating course management systems, which require detailed information about the user to be shared
• That does not mean that all (or even any) attributes need to be shared
23. Draft RA21 Attribute Release and Privacy Recommendations
1. Limitations on attribute release. Release as little data as possible – a pseudonymous token with affiliation data. IF THERE IS CONSENT BY THE USER, additional attribute release may be permitted, although this may also be governed by institutional data-use policies. Institutions control data attribute release.
2. Adoption of the REFEDS Attribute Release and Privacy Policy. Developed by the identity management community and institutional representatives. (Note: the current version (V.1) is out of date because it predates GDPR, but the expectation is that V.2 will be adopted by RA21 once it is finalized.)
3. Legal requirements based on GDPR. Something which most content providers are using as a basis for their data use and reuse practices. The key difference and objection between GDPR and the NISO Privacy Principles is the audit requirement.
25. CRITICISM OF RA21
• “SciHub is a motivator of RA21”
Yes, but… it is not the only motivator.
• This project began with outreach from LIBRARIES!
• There are a variety of reasons why libraries would like to improve access control
• Evil twins? Come on….
26. MORE CRITICISM OF RA21
• “The only type of access libraries should care about is Open Access”
• Open Access is not the end-all be-all of library access control issues.
– First, even if every journal article were OA, not all content provided by libraries will be freely available
– A variety of services libraries provide still need authentication, regardless of whether they’re free or not
– To presume that RA21 is a fight against open access is to have a very narrow and dim view of what libraries do and provide.
27. EVEN MORE CRITICISM OF RA21
• “RA21 is a nefarious plot by publishers to hoover up all sorts of user data.”
– First, SAML data released by identity federations is under the control of institutions, who can set limits on what data is released or not; it is NOT controlled by publishers
– Second, RA21 will only be storing user preference information about which IdP to pass credentials to – NOT the credentials themselves
– Finally, if they wanted, publishers could use other methods to track user behavior, but are often limited by contracts and laws.
28. RA21 and the future of authentication
The last system, the one you know and have used for years, will always be perceived as better, because you know the flaws and have built workarounds to address them.
The known knowns are easier than the unknown issues caused by change.
29. Demands of the library community
• Dual stack solution – this can’t move too quickly
– Not every library has the same resources, the same skills, nor the motivation to move first.
• Broad adoption from publishers is necessary to motivate libraries.
• Single solution, not multiple approaches
• Support from the vendor community to turn to when there are questions or implementation needs
30. RA21 and the future of authentication
• There is an adopted infrastructure that RA21 is built upon
• Institutions have years of experience working with it
• SAML-based identity is demonstrably better than IP
32. Four Elements of RA21
• A default discovery service of identity providers based on eduGAIN metadata
• Browser-based storage of the user’s identity provider preference
• A centralized JavaScript service to create a login button
• Guidance on service provider use of the login button (UX) and on attribute release policies
34. UX Recommendation Building Blocks
1. Consistent visual cue and call to action signals institutional access
2. Flexible and smart search
• Search by institution name, abbreviation or email
• Typeahead matching and URL
3. Remembered institution on next access
35. RA21 UX Goals
1. A user only encounters a discovery process once (per browser).
2. The user’s institution is persisted in browser local storage and subsequently rendered in the RA21 button across all participating publishers.
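How the "remembered institution" building block and the UX goals above can be realised in a publisher page, as an added example that is not RA21 project code: the chosen identity provider is persisted in browser storage, but only after it has been checked against the discovery feed, and a stale or tampered stored value is discarded rather than rendered. A Map-backed shim stands in for window.localStorage, the discovery list is a constructed stand-in for an eduGAIN metadata feed, and the storage key name is an assumption.

```javascript
// Added example (not RA21 project code): remembering a user's identity provider
// choice across visits. A Map-backed shim stands in for window.localStorage so
// the code also runs outside a browser; the discovery list is a constructed
// stand-in for an eduGAIN metadata feed.
const DISCOVERY_FEED = [                                   // constructed sample
  { entityID: "https://idp.example.edu/idp/shibboleth", displayName: "Example University" },
  { entityID: "https://idp.example.ac.uk/saml", displayName: "Example College" },
];
const PREF_KEY = "ra21.idp.entityID";                      // assumed storage key

function makeStore() {                                     // localStorage-like shim
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Only entityIDs present in the discovery feed are trusted.
function lookupIdp(feed, entityID) {
  return feed.find((e) => e.entityID === entityID) || null;
}

// Persist the preference, but only for an IdP the feed knows about.
function rememberIdp(store, feed, entityID) {
  if (!lookupIdp(feed, entityID)) return false;
  store.setItem(PREF_KEY, entityID);
  return true;
}

// On a later visit, resolve the stored preference against the current feed.
// A stored value that no longer matches (stale, removed or tampered entry) is
// discarded, so the button never shows an unvetted name or points at an
// unknown IdP.
function recallIdp(store, feed) {
  const stored = store.getItem(PREF_KEY);
  if (stored === null) return null;
  const idp = lookupIdp(feed, stored);
  if (!idp) store.removeItem(PREF_KEY);
  return idp;
}

// Button text: the generic call to action first, the remembered institution after.
function buttonLabel(store, feed) {
  const idp = recallIdp(store, feed);
  return idp ? `Access through ${idp.displayName}` : "Access through your institution";
}
```

Browser local storage is scoped to a single origin, so carrying the preference across every participating publisher is the job of the centralized JavaScript service the slides describe; this shim models one origin only.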
41. RA21 Roadmap
Now through Q1 2019
• Finalize user experience
• Finalize draft Recommendations
• Draft release & public comment through NISO Recommended Practice public review process
Through end of Q2 2019
• Establish governance structure for central infrastructure and enable the service
• Approval and publishing of NISO RA21 RP
Second half of 2019
• RA21 Central Services launched
• Publishers begin to deploy RA21 on their sites
Ongoing Community Outreach, Education, & Adoption Support
42. Implementation: Roll-out Strategy
• Initial focus will be on adopting RA21 recommendations as broadly as possible as a supplement to IP for remote access (off campus)
• Also suggested as the primary/only access method for organizations that can’t use IP (e.g. corporate customers using cloud ISPs such as zScaler)
• This will allow us to monitor and measure success rates through the CTA and discovery progress
• And build a case for RA21 as the primary access method for all customers
43. Want to get involved?
•Visit: https://www.RA21.org
•Everyone: Register your interest in participation by emailing:
Julie Wallace: Julia@RA21.org and
Heather Flanigan: Heather@RA21.org
Before I begin – how many of you know NISO?
Take some of the ideas from Dan. Trying to make access more seamless
RA21 didn’t build a new authentication system, it is seeking to align library access control with existing institutional SSO practice.
In 2009, NISO launched the ESPRESSO project. It had the goal to Create Recommended Practices that will improve the user experience by providing consistency, simplicity, familiarity, improved usability, and will provide a path toward phasing out IP-centered authentication in favor of an SSO experience across a set of distributed service providers.
Recommend an environment that is feasible for both libraries and vendors to implement and that provides security, privacy, manageability, and flexibility.
Among ESPRESSO’s outcomes:
• SPs continue to support multiple authentication options during this time of transition.
• SPs and libraries move quickly to reduce reliance on IP-based access control.
• SPs and libraries move quickly to deprecate userids/passwords validated AT the service provider site.
• SPs and libraries move quickly to implement and use standards-based federated authentication.
InCommon, GEANT, SURFNET. Probably OpenAthens has the best name recognition, but these are not common terms for most users.
Each institution has its own SSO login experience, so if you move from institution to institution, it can be confusing. EDUROAM has helped here.
Every publisher has their own UX
Discovery of your IDP remains a problem
Even within an institution, the attribute release can be difficult to standardize. Not every service needs/wants the same attributes.
The set of attributes released to a service provider via SAML is formally under the control of each IdP and various SAML federations set their own norms around expected attributes. However a convention was established over a decade ago for library information resources. Many resource providers expect the following:
· An anonymous entitlement attribute indicating that the user is entitled to access resources licensed under common library terms (https://www.internet2.edu/products-services/trust-identity/mace-registries/urnmace-namespace/urn-mace-dir-registry/urn-mace-dir-entitlement/)
· An optional, opaque pairwise identifier for the user which enables personalized features on the information provider site to be accessed using the user’s home institution sign-in credentials
RA21 is (proposing/recommending/suggesting/investigating) the formalization of this convention via the establishment of a new Entity Category for library information resources (https://wiki.refeds.org/display/ENT/Entity-Categories+Home)
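A service-provider-side check of the convention just described, as an added example that is not RA21 or REFEDS code: the released attribute set must carry the common-library-terms entitlement, may carry the opaque pairwise identifier and affiliation, and may carry identifying attributes only when the user has consented. The attribute friendly names used for the baseline and identifying sets, and the sample releases, are assumptions constructed for the example; the entitlement value is the registered urn:mace:dir:entitlement:common-lib-terms.

```javascript
// Added example (not RA21 or REFEDS code): checking the attribute set an IdP
// releases to a library resource provider against the minimal-release
// convention: entitlement plus optional opaque pairwise identifier, with
// identifying attributes only under user consent. Friendly names below and
// the sample releases are assumptions / constructed samples.
const COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"; // registered value
// Baseline set: entitlement, pairwise identifier, affiliation (assumed names).
const BASELINE = new Set([
  "eduPersonEntitlement", "eduPersonTargetedID", "pairwise-id", "eduPersonScopedAffiliation",
]);
// Attributes that identify a person and therefore need consent before release.
const IDENTIFYING = new Set(["mail", "givenName", "sn", "displayName", "eduPersonPrincipalName"]);

// released: { attributeName: [values] }; consentGiven: user consented to extra release.
// Returns { ok, findings }, where findings lists each policy problem found.
function checkRelease(released, consentGiven = false) {
  const findings = [];
  const entitlements = released.eduPersonEntitlement || [];
  if (!entitlements.includes(COMMON_LIB_TERMS)) {
    findings.push("missing common-lib-terms entitlement: no basis to authorize the user");
  }
  for (const name of Object.keys(released)) {
    if (BASELINE.has(name)) continue;
    if (IDENTIFYING.has(name)) {
      if (!consentGiven) findings.push(`identifying attribute ${name} released without user consent`);
    } else {
      findings.push(`attribute ${name} is outside the convention and should not be released`);
    }
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample releases: the minimal set, and an over-release including mail.
const SAMPLE_MINIMAL = {
  eduPersonEntitlement: [COMMON_LIB_TERMS],
  eduPersonTargetedID: ["opaque-pairwise-value-constructed"],
};
const SAMPLE_OVERRELEASE = { ...SAMPLE_MINIMAL, mail: ["user@example.edu"] };
```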
Thank you for your kind attention. We would love to have you involved with any of the pilots.
While we currently have a lot of active leadership and participation from the US and UK, we are actively seeking greater involvement from Europe and Australasia.
There are a couple of ways you can register your interest: Through our mailing list, or emailing our project leaders directly.
We are also happy to answer any questions offline, or connect with me directly.
Ann Gabriel
a.gabriel@Elsevier.com