Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

OpenAthens Conference 2019: Simplifying the SSO User Experience: The RA21 initiative moves into production


Published on

Todd Carpenter, executive director, National Information Standards Organization.

The RA21 Project has been working for the past two years to improve the user experience of access to subscribed resources. After having reviewed some initial pilot technologies, RA21 is ready to roll out its recommended practice and launch an ongoing service to support user identity management and individual access to content. The project is now entering a new phase, in which interested parties will form a consortium to provide ongoing maintenance, outreach support, and governance to the effort moving forward. Todd discusses what RA21 has accomplished, demonstrate the service, and provide an update on what is next for RA21.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

OpenAthens Conference 2019: Simplifying the SSO User Experience: The RA21 initiative moves into production

  1. 1. Creating a Seamless User Experience Todd Carpenter, Executive Director, National Information Standards Organization (NISO) OpenAthens Conference March 19, 2019
  2. 2. Some Brief Context About RA21 and Authentication in Libraries
  3. 3. IP -Address Authentication
  4. 4. Implemented when your OS looked like this
  5. 5. It worked well in this environment
  6. 6. Until, people began connecting from everywhere
  7. 7. Until, people began connecting via different devices
  8. 8. IP Address Authentication FAIL!!!
  9. 9. What do users want? • Seamless access to content. • Seamless access to content. • Seamless access to content. – (“OK, Privacy is nice. Security, I guess. Customization is fine. One password, please. And did I mention seamless?”)
  10. 10. The Promise of Single-Sign-On • Reduces user sign-on requests and streamlines online access to resources • Central identity management and provision • Single user interface for accessing many services • Single point of contact for service providers • Reduces IT help-desk calls regrading credentials • Limits phishing and unauthorized access
  11. 11. Institutions using SAML for years • OpenAthens in the UK started in 1999 • Shibboleth project was started in 2000, launched as a service in 2003 • EduRoam initiative started in 2002.
  12. 12. Long worked to improve SSO for users
  13. 13. And yet, the reality of SSO today • No common language that makes sense to users • No common user interface • No common user experience • Continuing WAYF problem • No consistency in attribute release
  14. 14. And users are just getting annoyed
  15. 15. The IT reality for most libraries! • IT and identity management is not run out of the library and doesn’t often report through the same structures • IT establishes norms and best practices that are not always in keeping with library values, especially privacy
  16. 16. Interactions between the library and campus IT need to improve Amy Pawlowski and Mark Beadles (OhioLink) Authentication and Access of Licensed Content in Ohio: A Summary
  17. 17. RA21 will require greater interactions between libraries and IT And this should be viewed as a good thing.
  18. 18. Privacy
  19. 19. Expectations of Privacy • Librarians have an ethical, and often a legal duty to protect the privacy of the users that they serve, regardless of whether that user cares about it • Data gathering should be minimal, and as anonymous as possible. • Informed consent, if done appropriately, can mitigate these issues • GDPR has only expanded awareness of privacy
  20. 20. “Don’t take away my proxy server!” • Controlling the proxy, means controlling the data and the services. Passing that to IT is scary. • Integration of RA21 into existing technology services stack will help.
  21. 21. ”The Proxy is a Firewall for Identity” -- Cody Hanson (U. MN Library) • “We control the server, we control the logs” • The proxy server protects the user’s identity by masking it via the authentication system, based on the network one is one, rather than who a person is • It is NOT the case that these data don’t exist • SAML could do the same thing, through different means – the use of pseudonymous IDs
  22. 22. SAML Privacy Protecting or Not? • SAML has a variety of use cases –For example, SAML is used for authenticating course management systems, which require detailed information about the user to be shared • That does not mean that all (or even any) attributes need to be shared
  23. 23. Draft RA21 Attribute Release and Privacy Recommendations 2 3 Limitations on attribute release. Release as little data as possible – Pseudonymous token with affiliation data. IF THERE IS CONSENT BY THE USER, additional attribute release may be permitted. Although, this is may also governed by institutional data-use policies. Institutions control data attribute release. Adoption of REFEDS Attribute Release and Privacy Policy. Developed by identity management community and institutional representatives. (Note current version (V.1) is out of date because it predates GDPR, but the expectation is that V.2 will be adopted by RA21 once it is finalized.) Legal requirements based on GDPR. Something which most content providers are using as a basis for their data use and reuse practices. Key difference and objection between GDPR and NISO Privacy Principles are the audit requirement. 1 2 3
  24. 24. FUD
  25. 25. CRITICISM OF RA21 • “SciHub is a motivator of RA21” Yes, but… it is not the only motivator. • This project began with outreach from LIBRARIES! • There are a variety of reasons why libraries would like to improve access control • Evil twins? Come on….
  26. 26. MORE CRITICISM OF RA21 • “The only type of access libraries should care about is Open Access” • Open Access is not the end-all be-all of library access control issues. – First, even if every journal article were OA, not all content provided by libraries will be freely available – A variety of services libraries provide still need authentication, regardless of whether they’re free or not – To presume that RA21 is a fight against open access is to have a very narrow and dim view of what libraries do and provide.
  27. 27. EVEN MORE CRITICISM OF RA21 • “RA21 is a nefarious plot by publishers to hoover up all sorts of user data.” – First, SAML data released by identity federations is under the control of institutions, who can set limits on what data is released or not, it is NOT controlled by publishers – Second, RA21 will only be storing user preference information about which IDP to pass credentials – NOT the credentials themselves – Finally, if they wanted, publishers could use other methods to track user behavior, but are often limited by contracts and laws.
  28. 28. RA21 and the future of authentication The last system, the one you know and have used for years will always be perceived as better, because you know the flaws and have built workarounds to address them. The known knowns are easier than the unknown issues caused by change.
  29. 29. Demands of the library community • Dual Stack solution – This can’t move too quickly –Not every library has the same resources, the same skills, nor the motivation to move first. • Broad adoption from publishers is necessary to motivate libraries. • Single solution, not multiple approaches • Support from vendor community to turn to when there are questions or implementation needs
  30. 30. RA21 and the future of authentication • There is an adopted infrastructure that RA21 is built upon • Institutions have years of experience working with it • SAML-based identity is demonstrably better than IP
  31. 31. So what is RA21 exactly?
  32. 32. Four Elements of RA21 • A default discovery service of identity providers based on eduGAIN metadata • A browser-based storage of user’s identity provider preference • A centralized JavaScript service to create a login button • Guidance on service provider use of the login button (UX) and on attribute release policies
  33. 33. User Experience
  34. 34. UX Recommendation Building Blocks 3 4 Consistent visual cue and call to action signals institutional access Flexible and smart search • Search by institution name, abbreviation or email • Typeahead matching and URL Remembered institution on next access 1 2 3
  35. 35. RA21 UX Goals 3 5 A user only encounters a discovery process once (per browser). The user’s institution is persisted in browser local storage and subsequently rendered in the RA21 button across all participating publishers. 1 2
  36. 36. Live Demo
  37. 37. RA21 Roadmap 4 1 Now through Q1 2019 • Finalize user experience • Finalize draft Recommendations • Draft release & public comment through NISO Recommended Practice public review process Through End Q2 2019 • Establish governance structure for central infrastructure and enable the service • Approval and Publishing of NISO RA21 RP Second half of 2019 • RA21 Central Services launched • Publishers begin to deploy RA21 on their sites Ongoing Community Outreach, Education, & Adoption Support
  38. 38. Implementation: Roll-out Strategy •Initial focus will be on adopting RA21 recommendations as broadly as possible as a supplement to IP for remote access (off campus) •Also suggested as the primary/only access method for organizations that can’t use IP (e.g. corporate customers using cloud ISPs such as zScaler 4 2 • This will allow us to monitor and measure success rates through the CTA and discovery progress • And build a case for RA21 as the primary access method for all customers
  39. 39. Want to get involved? •Visit: •Everyone: Register your interest in participation by emailing: Julie Wallace: and Heather Flanigan:
  40. 40. THANK YOU! Todd Carpenter @TAC_NISO