Carpenter Introduction to RA21
Download as PPTX, PDF1 like361 views
The document presents an introduction to RA21, a project aimed at enhancing the user experience for off-campus access to academic resources by improving login processes and protecting privacy. It details various pilot programs, including the Privacy Preserving Persistent WAYF Pilot, and addresses security and privacy recommendations essential for implementation. Additionally, it discusses criticisms of RA21 concerning open access and library access control issues while encouraging participation and providing contact information for further engagement.
Carpenter Introduction to RA21
- 1. An Introduction to RA21 Todd Carpenter, Executive Director National Information Standards Organization (NISO) NISO Update ALA Annual Conference June 23, 2018
- 2. Behind the scenes: Does the user have access rights? Yes or No? Do you have a login? Yes or No? Where are you from? ??????
- 3. And patrons are just getting annoyed
- 5. RA21 wants to build on the user experience of the wider web
- 6. Make the login experience match the user experience we’re all familiar with Private Experience Target Institutional Experience
- 7. How SAML Can Protect Privacy Publishers receive attributes about the user, not the user’s identity.
- 8. RA21 Pilots • Corporate Pilot (Universal Resrource Access “URA”) •Two Academic Pilots – Privacy Preserving Persistent WAYF Pilot – WAYF Cloud Pilot All seek to address the User Experience for off-campus access
- 9. Initial Privacy Review of RA21 Pilots SECURITY & PRIVACY RECOMMENDATIONS Cloud WAYF P3W Privacy Policy Requirements √ √ Data Protection Impact Analysis Required √ √ Data Retention Policy Required √ Denial of Service Protection √ Browser security (https + access controls) implementations √ √ Database/data protection best practices √ Server hardening - for security threats √ √ Code Scanning - for security threats √ √ Vulnerability Scanning/Penetration Testing √ √ API security protocols √ Audit Logging and review √ Security Monitoring √ Incident Response Plan √ High Availability Infrastructure requirements √ √ Anti-virus software monitoring √ √ GDPR compliance concerns √
- 10. Privacy Preserving Persistent (P3) WAYF Pilot •Pilot goals – To improve current Shibboleth Identity Provider discovery process • Incorporate additional “WAYF hints” such as email domain and IP address into federation metadata • Improve sign-in flow using those WAYF hints via a shared discovery service • Populate shared discovery service hints from the Service Providers regarding what Identity Providers are likely to work in an authorization scenario • Enable cross-provider persistence of WAYF choice using browser local storage •Pilot participants (confirmed so far) Project Management GÉANT Educational Access Management Federations Sunet & SWAMiD (Swedish Federation) The samlbits.org project eduGAIN EduServ Publishers Elsevier American Chemical Society Subscribing institutions MIT University of California, Davis University of Arizona (tbc) University of Denver (tbc) Service Providers ProQuest Ping LibLynx Ebsco
- 11. Preserving Privacy Built upon ”SAML-BITS” technology in production Technique Challenge Only domain part of email address needs to be transmitted from browser to publisher platform to select IDP Need to define and test a standardized UI that makes this clear to users IdP preference is stored locally in the browser, retrieved using centrally served javascript, not on a central server Need to adapt Account Choose mechanism to support SAML IdPs vs OpenID Connect Authorization Servers
- 12. CRITICISM OF RA21 • Yes, SciHub is a motivator of RA21, but not the only motivator. • This project began with outreach from LIBRARIES! • There are a variety of reasons why libraries would like to improve access control • Evil twins? Come on….
- 13. MORE CRITICISM OF RA21 • Open Access is not the end-all be-all of library access control issues. – First, even if every journal article were OA, not all content provided by libraries will be freely available – Second, a variety of the services that libraries provide will still need authentication, regardless of whether they are free or not – To presume that RA21 is a fight against open access is to have a very narrow and dim view of what libraries do and provide.
- 14. Google CASA Project (Campus Activated Subscriber Access) • Outside of the scope or RA21, but attempting to address similar questions • Led by Google Scholar team with several publisher vendor partners • Based on Google user-behavior analysis and cloud data to navigate user to identity provider • Core question: If you don’t trust RA21’s privacy protections, do you trust Google to protect privacy of patrons more than publishers/IdPs?
- 16. Want to get involved? •Visit: https://www.RA21.org •Mailing lists: –P3W community list: https://lists.refeds.org/sympa/subscribe/p3w- community –WAYF Cloud community list: TBD •Everyone: Register your interest in participation by emailing: Julie Wallace: Julia@RA21.org and Heather Flanigan: Heather@RA21.org
Editor's Notes
- #9: So what are the pilots you ask? We have a Corporate Pilot as well as two academic pilots: The P3W pilot - Privacy Preserving Persistent WAYF Pilot - quite the tongue twister And the WAYF Cloud pilot All seek to address the experience of access outside an institute and to streamline the UX – the user experience – in order to have a similar experience throughout – users do not like to be confronted again and again with new interfaces to master. So following this bit of context for an introduction, we can now go into a bit of detail on the pilots themselves.
- #10: Two privacy a
- #11: So onto the first of the Academic pilots: the Privacy Preserving Persistent (P3) WAYF Pilot. There are several important things we are trying to investigate in this pilot: All pilots are addressing the UX in one way or another – If we don’t streamline the UX for authentication, we won’t get endusers to adopt the solution We want to make sure the identity provider discovery is consistent; we have a multiple of science providers participating – the idea is if an enduser selects your identity with one; they won’t have to repeat for the others; but this sharing of information creates a privacy problem, thus we aim for cross-provider persistence of WAYF choice using browser local storage. There is a rather large set of folks collaborating on this; originally two pilots combined. It is managed by Geant, and has participation of several access management Federations, Sunet, EduServ are two examples, as well as publishers and subscribing institutions MIT UC Davis, and many well known service providers: ProQuest, LibLynx, Ebsco
- #12: So to recap – the P3WAYF pilot would like to make clear to users they only require the domain part of their email (some UX challenges there, but we will solve it), and that their IdP preference is stored locally in the browser, retrieved using centrally served javascript, not on central server.
- #17: Thank you for your kind attention. We would love to have you involved with any of the pilots. While we currently have a lot of active leadership and participation from the US and UK, we are actively seeking greater involvement from Europe and Australasia. There are a couple of ways you can register your interest: Through our mailing list, or emailing our project leaders directly. We are also happy to answer any questions off line, or connect with me directly Ann Gabriel a.gabriel@Elsevier.com