Todd Carpenter, executive director, National Information Standards Organization. The RA21 Project has been working for the past two years to improve the user experience of access to subscribed resources. After having reviewed some initial pilot technologies, RA21 is ready to roll out its recommended practice and launch an ongoing service to support user identity management and individual access to content. The project is now entering a new phase, in which interested parties will form a consortium to provide ongoing maintenance, outreach support, and governance to the effort moving forward. Todd discusses what RA21 has accomplished, demonstrate the service, and provide an update on what is next for RA21.

1. Creating a Seamless User Experience
Todd Carpenter, Executive Director, National Information Standards Organization (NISO)
OpenAthens Conference
March 19, 2019

2. Some Brief Context About RA21
and Authentication in Libraries

3. IP -Address Authentication

4. Implemented when your OS looked like this

5. It worked well in this environment

6. Until, people began connecting
from everywhere

7. Until, people began connecting
via different devices

8. IP Address Authentication
FAIL!!!

9. What do users want?
• Seamless access to content.
• Seamless access to content.
• Seamless access to content.
– (“OK, Privacy is nice. Security, I guess.
Customization is fine. One password, please.
And did I mention seamless?”)

10. The Promise of Single-Sign-On
• Reduces user sign-on requests and streamlines
online access to resources
• Central identity management and provision
• Single user interface for accessing many services
• Single point of contact for service providers
• Reduces IT help-desk calls regrading credentials
• Limits phishing and unauthorized access

11. Institutions using SAML for years
• OpenAthens in the UK started in 1999
• Shibboleth project was started in 2000, launched
as a service in 2003
• EduRoam initiative started in 2002.

12. Long worked to improve SSO for users

13. And yet, the reality of SSO today
• No common language that makes sense to users
• No common user interface
• No common user experience
• Continuing WAYF problem
• No consistency in attribute release

14. And users are just getting annoyed

15. The IT reality for most libraries!
• IT and identity management is not run out of the
library and doesn’t often report through the same
structures
• IT establishes norms and best practices that are not
always in keeping with library values, especially
privacy

16. Interactions between the library and
campus IT need to improve
Amy Pawlowski and Mark Beadles (OhioLink) Authentication and Access of Licensed Content in Ohio: A Summary

17. RA21 will require greater interactions
between libraries and IT
And this should be viewed as a good thing.

18. Privacy

19. Expectations of Privacy
• Librarians have an ethical, and often a legal duty to
protect the privacy of the users that they serve,
regardless of whether that user cares about it
• Data gathering should be minimal, and as
anonymous as possible.
• Informed consent, if done appropriately, can
mitigate these issues
• GDPR has only expanded awareness of privacy

20. “Don’t take away my proxy server!”
• Controlling the proxy, means controlling the data
and the services. Passing that to IT is scary.
• Integration of RA21 into existing technology
services stack will help.

21. ”The Proxy is a Firewall for Identity”
-- Cody Hanson (U. MN Library)
• “We control the server, we control the logs”
• The proxy server protects the user’s identity by
masking it via the authentication system, based on
the network one is one, rather than who a person is
• It is NOT the case that these data don’t exist
• SAML could do the same thing, through different
means – the use of pseudonymous IDs

22. SAML Privacy Protecting or Not?
• SAML has a variety of use cases
–For example, SAML is used for authenticating
course management systems, which require
detailed information about the user to be
shared
• That does not mean that all (or even any)
attributes need to be shared

23. Draft RA21 Attribute Release and Privacy
Recommendations
2
3
Limitations on attribute
release. Release as
little data as possible –
Pseudonymous token
with affiliation data.
IF THERE IS
CONSENT BY THE
USER, additional
attribute release may be
permitted. Although, this
is may also governed by
institutional data-use
policies.
Institutions control
data attribute release.
Adoption of REFEDS
Attribute Release and
Privacy Policy.
Developed by identity
management community and
institutional representatives.
(Note current version (V.1) is
out of date because it
predates GDPR, but the
expectation is that V.2 will be
adopted by RA21 once it is
finalized.)
Legal requirements based
on GDPR.
Something which most
content providers are using
as a basis for their data use
and reuse practices.
Key difference and objection
between GDPR and NISO
Privacy Principles are the
audit requirement.
1 2 3

24. FUD

25. CRITICISM OF RA21
• “SciHub is a motivator of RA21”
Yes, but… it is not the only motivator.
• This project began with outreach from LIBRARIES!
• There are a variety of
reasons why libraries
would like to improve
access control
• Evil twins? Come on….

26. MORE CRITICISM OF RA21
• “The only type of access libraries should care about
is Open Access”
• Open Access is not the end-all be-all of library access
control issues.
– First, even if every journal article were OA, not
all content provided by libraries will be freely available
– A variety of services libraries provide still need
authentication, regardless of whether they’re free or not
– To presume that RA21 is a fight against open access is
to have a very narrow and dim view of what libraries do
and provide.

27. EVEN MORE CRITICISM OF RA21
• “RA21 is a nefarious plot by publishers to hoover
up all sorts of user data.”
– First, SAML data released by identity federations is under the
control of institutions, who can set limits on what data is
released or not, it is NOT controlled by publishers
– Second, RA21 will only be storing user preference information
about which IDP to pass credentials – NOT the credentials
themselves
– Finally, if they wanted, publishers could use other methods to
track user behavior, but are often limited by contracts and laws.

28. RA21 and the future of authentication
The last system, the one you know and have
used for years will always be perceived as
better, because you know the flaws and have
built workarounds to address them.
The known knowns are easier than the
unknown issues caused by change.

29. Demands of the library community
• Dual Stack solution – This can’t move too quickly
–Not every library has the same resources, the
same skills, nor the motivation to move first.
• Broad adoption from publishers is necessary to
motivate libraries.
• Single solution, not multiple approaches
• Support from vendor community to turn to when
there are questions or implementation needs

30. RA21 and the future of authentication
• There is an adopted infrastructure that
RA21 is built upon
• Institutions have years of experience
working with it
• SAML-based identity is demonstrably
better than IP

31. So what is RA21 exactly?

32. Four Elements of RA21
• A default discovery service of identity providers
based on eduGAIN metadata
• A browser-based storage of user’s identity
provider preference
• A centralized JavaScript service to create a login
button
• Guidance on service provider use of the login
button (UX) and on attribute release policies

33. User Experience

34. UX Recommendation Building Blocks
3
4
Consistent visual cue
and call to action
signals institutional
access
Flexible and smart search
• Search by institution name,
abbreviation or email
• Typeahead matching and URL
Remembered institution
on next access
1 2 3

35. RA21 UX Goals
3
5
A user only encounters
a discovery process
once (per browser).
The user’s institution is
persisted in browser local
storage and subsequently
rendered in the RA21 button
across all participating
publishers.
1 2

36. Live Demo

41. RA21 Roadmap
4
1
Now through
Q1 2019
• Finalize user
experience
• Finalize draft
Recommendations
• Draft release &
public comment
through NISO
Recommended
Practice public
review process
Through End
Q2 2019
• Establish
governance
structure for
central
infrastructure
and enable the
service
• Approval and
Publishing of
NISO RA21 RP
Second half
of 2019
• RA21 Central
Services
launched
• Publishers
begin to deploy
RA21 on their
sites
Ongoing Community Outreach, Education, & Adoption Support

42. Implementation: Roll-out Strategy
•Initial focus will be on
adopting RA21
recommendations as broadly
as possible as a supplement
to IP for remote access (off
campus)
•Also suggested as the
primary/only access method
for organizations that can’t
use IP (e.g. corporate
customers using cloud ISPs
such as zScaler
4
2
• This will allow us to
monitor and measure
success rates through
the CTA and discovery
progress
• And build a case for
RA21 as the primary
access method for all
customers

43. Want to get involved?
•Visit: https://www.RA21.org
•Everyone: Register your interest in participation by emailing:
Julie Wallace: Julia@RA21.org and
Heather Flanigan: Heather@RA21.org

44. THANK YOU!
Todd Carpenter
@TAC_NISO
tcarpenter@niso.org