An Update on RA21 Todd Carpenter (NISO) Robert Kelshian (American University Library) Don Hamparian (OCLC) RA21 Steering Committee ER&L Conference March 5, 2018

Apr 01, 2018


An Update on RA21

Todd Carpenter (NISO)

Robert Kelshian (American University Library)

Don Hamparian (OCLC)

RA21 Steering Committee

ER&L Conference

March 5, 2018


IP-Address Authentication


It worked well in this environment


Until people began connecting from everywhere


IP Address Authentication

FAIL!!!


Credit card processing

Excuse me. To process this payment you need to tell me: What is the payment processing clearinghouse your bank uses?


Behind the scenes:

Does the user have access rights?

Yes or No?

Do you have a login?

Yes or No?

Where are you from?

??????


And patrons are just getting annoyed


RA21 wants to build on the user experience of the wider web


Make the login experience match the user experience we’re all familiar with

Private Experience Target Institutional Experience


How SAML Can Protect Privacy

Publishers receive attributes about the user, not the user’s identity.


RA21 Principles: Improve User Experience

• From any location on any device

• Beginning from any entrance point

• Ending with the desired content

• With a consistent user interface

• With greater privacy, security and personalization


RA21 Principles: It must be open

• The solution cannot be proprietary

• The solution should be (reasonably) easy to implement

• The solution must be vendor neutral

• Should not create tremendous amounts of new work, implementation cost, or ongoing maintenance.

• Should allow for gradual implementation


RA21 Pilots

• Corporate Pilot (Universal Resource Access “URA”)

• Two Academic Pilots

– Privacy Preserving Persistent WAYF Pilot

– WAYF Cloud Pilot

• All seek to address the User Experience for off-campus access


Privacy Preserving Persistent (P3) WAYF Pilot

• Pilot goals

– To improve current Shibboleth Identity Provider discovery process

  • Incorporate additional “WAYF hints” such as email domain and IP address into federation metadata

  • Improve sign-in flow using those WAYF hints via a shared discovery service

  • Populate shared discovery service hints from the Service Providers regarding what Identity Providers are likely to work in an authorization scenario

  • Enable cross-provider persistence of WAYF choice using browser local storage

• Pilot participants (confirmed so far)

– Project Management: GÉANT

– Educational Access Management Federations: Sunet & SWAMiD (Swedish Federation), the samlbits.org project, eduGAIN, EduServ

– Publishers: Elsevier, American Chemical Society

– Subscribing institutions: MIT, University of California, Davis, University of Arizona (tbc), University of Florida (tbc), University of Denver (tbc)

– Service Providers: ProQuest, Ping, LibLynx, Ebsco


Preserving Privacy

Built upon “SAML-BITS” technology in production

Technique: Only domain part of email address needs to be transmitted from browser to publisher platform to select IDP

Challenge: Need to define and test a standardized UI that makes this clear to users

Technique: IdP preference is stored locally in the browser, retrieved using centrally served javascript, not on a central server

Challenge: Need to adapt Account Choose mechanism to support SAML IdPs vs OpenID Connect Authorization Servers
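
The two techniques on this slide (sending only the email domain to select an IdP, and keeping the remembered IdP in browser-side storage), sketched as an added example that is not part of the slides or the pilot's code. The hint table, entityIDs, storage key and function names are assumptions.

```javascript
// Added illustration, not RA21 pilot code. All names and values are hypothetical.

// Constructed hint table: email domain -> IdP entityID (placeholder values).
const IDP_HINTS = {
  "example.edu": "https://idp.example.edu/shibboleth",
  "example.org": "https://idp.example.org/saml",
};
const STORAGE_KEY = "wayf.idp"; // assumed key name

// Keep only the lower-cased domain; the local part is discarded here.
function emailDomain(input) {
  const at = input.lastIndexOf("@");
  const domain = (at === -1 ? input : input.slice(at + 1)).trim().toLowerCase();
  // Accept plain DNS names only, so no other user-typed data rides along.
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain) ? domain : null;
}

// The only thing sent to the publisher platform: the domain, or null.
function buildHintPayload(input) {
  const domain = emailDomain(input);
  return domain ? JSON.stringify({ domain }) : null;
}

// Match the domain, then its parents (dept.example.edu -> example.edu).
function selectIdp(input, hints = IDP_HINTS) {
  let domain = emailDomain(input);
  while (domain && domain.includes(".")) {
    if (Object.prototype.hasOwnProperty.call(hints, domain)) {
      return { domain, entityId: hints[domain] };
    }
    domain = domain.slice(domain.indexOf(".") + 1);
  }
  return null;
}

// Persist the choice in browser-side storage only (localStorage in a browser).
function rememberIdp(storage, entityId) { storage.setItem(STORAGE_KEY, entityId); }
function recallIdp(storage) { return storage.getItem(STORAGE_KEY); }

// In-memory stand-in with localStorage's getItem/setItem shape, for offline runs.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```

In a browser, pass `window.localStorage` where the stand-in is used; the remembered IdP then never leaves the device.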


WAYF Cloud Pilot

• Goal

– Seamless Access as close to IP Authentication as possible

– Eliminate steps which users have to repeat at every publisher

– Support for remote access

• Methodology

– Leverage existing organizational systems/protocols for user authentication

– Look to form a potential industry standard for WAYF data exchange

  - Data Format

  - Modern Interface Specification

– Create an infrastructure for sharing WAYF data amongst publishers. The WAYF Cloud software

  - embrace OpenSource Software development

  - easy integration points with service provider platforms

– User Interface - Reference design


What is the WAYF Cloud?

What is it?

• Data Format Definition

• Data Access Interface Specification

• Software Component (Free/Opensource)

What does it do?

• Allows publishers to exchange information with each other

[Diagram: publisher platforms and the WAYF Cloud]


WAYF Cloud Components

• WAYF Cloud Widget: Transfers the unique identifier of the device in the domain of the service provider. Service provider simply incorporates the WAYF Widget URL into relevant HTML pages

• WAYF Cloud API: Interface used by the service providers to Create, Discover, Share and keep up to date a user's WAYF history

• WAYF Cloud: Centralized service that assigns a global ID to the device and maintains the relationships with the local IDs

– The global ID is stored at the device in the form of a cookie and it's carried in all requests made by this device (i.e. web browser) to the WAYF Cloud server.

– Uses the information provided by the WAYF Widget to build relationships between a user's global ID and the different local IDs used by the different service providers for this device

– The relationship enables the seamless user experience


WAYF Cloud Sandbox & Demo

https://wayf-cloud-sandbox.literatumonline.com


6 Commonly Held Misconceptions About RA21

• https://scholarlykitchen.sspnet.org/2018/02/07/myth-busting-five-commonly-held-misconceptions-ra21/


MYTH 1:

IP AUTHENTICATION IS INHERENTLY PRIVACY PRESERVING WHILE FEDERATED AUTHENTICATION TECHNOLOGIES ARE NOT

BUSTED


MYTH 2:

PROXY SERVERS WORK JUST FINE AS A SOLUTION FOR OFF-CAMPUS ACCESS

BUSTED


MYTH 3:

RA21 JUST WANTS TO ENABLE PUBLISHERS TO TRACK USERS ACROSS EACH OTHER’S PLATFORMS

BUSTED


MYTH 4:

RA21 CREATES YET ANOTHER USERNAME AND PASSWORD

BUSTED


MYTH 5:

RA21 IS PLACING CONTROL OF USERS’ IDENTITY IN THE HANDS OF INSTITUTIONS AND NOT THE INDIVIDUALS THEMSELVES

PLAUSIBLE


MYTH 6:

RA21 SEEKS TO ELIMINATE IP-BASED ACCESS

CONFIRMED


Want to get involved?

• Visit: https://www.RA21.org

• Mailing lists:

– P3W community list: https://lists.refeds.org/sympa/subscribe/p3w-community

– WAYF Cloud community list: TBD

• Everyone: Register your interest in participation by emailing: Julie Wallace: [email protected] and Heather Flanigan: [email protected]


One Person’s Perspective at One Academic Library

• What’s the problem that needs solving?

– I know through turnaway stats what users want that I don’t have.

– I don’t know how often users can’t get to what I do have.

– I don’t know every user’s background, experience, and how they navigate.

– Am I getting full value for my licensed resource money if experience shows me that access is a problem?


Changes in user behavior and populations

• Changes in how and who is accessing what:

– Large percentage of access is happening from off-campus.

– Increase in number of online programs with populations who may never receive library instruction.

– Fewer opportunities to find out what I don’t know.

• Increasing number of students with whom we never have contact.

• Tendency toward judging how users navigate

– What do you mean they don’t go through the library website?


Security and Privacy

• Using Shibboleth as a front layer to EZproxy has worked well for us.

– Still counting on users to navigate through the website.

• We care a lot about privacy. Maybe more than our users do.

• Both academic pilots for RA21 have emphasized user privacy as a priority for the project. However, in a SAML-based environment the home institution controls which attributes are released.

• Has to be easy to implement to make it a viable option.


My experience with RA21

• An alternative to IP-based authentication is coming at some point, whether it’s developed by libraries, publishers, or other entities - this process should be about choice.

• Today’s solutions shouldn’t be abandoned at the expense of tomorrow’s problems. Development will likely be iterative and refined.

• Valid concerns about user information that publishers might gain access to, but libraries increasingly want access to more user information as well.

• I want something better than what I have today.


Contact:

Rob Kelshian

Director of Access Services

American University Library

[email protected]

Thanks!


EZproxy and RA21

Don Hamparian

Senior Product Manager, EZproxy and Identity Management, OCLC

March 2018


A Quick Show of Hands

Who has experience with:

Using EZproxy to access licensed content?

Administrating EZproxy?

Before this panel, who knew what:

The RA21 Initiative is?

At your institution:

Does your institution have a SAML-based Authentication system (Shibboleth or CAS)?

Are your library systems integrated?

https://pixabay.com/en/volunteer-hands-help-colors-2055015/


EZproxy and RA21 – OCLC’s Commitment

• EZproxy support for standard specifications from RA21

• EZproxy enhancements for security features for IP authentication

• Compatibility with RA21 SSO schemes and traditional IP authentication

• Improving our database configuration process


OCLC’s SSO Identity Management Infrastructure

• 23,000 institutions configured and running

• Used for WorldShare Services (ILL, Record Manager, WMS, Tipasa)

• Interoperable with EZproxy

• Shibboleth-based

• Interoperates in a number of identity federations

• Will track RA21 standards


EZproxy & IP Authentication

• EZproxy will be there for IP authentication into the future

• New functionality for EZproxy for security management

• EZproxy will support mixed mode SSO and IP authentication


Securing EZproxy Today

• Most common problem (by far) is compromised credentials at the institution

• EZproxy is not “hacked”

• Four-part strategy to secure access

– Protect & Prepare (Proper configuration)

– Detect and close compromised credentials

– Educate (Provider, Institution Admin, Users)

– Collaborate (OCLC, Institution, Provider)


Institution Best Practices – Protect & Prepare

• Password Policies

– Biggest opportunity – get this done and EZproxy provides a secure content access path

– Require hard-to-guess passwords

– Consider Multifactor Authentication (MFA)

• Commit resources for EZproxy server management

• Exercise detection process before publisher calls you


Institution Best Practices – Protect & Prepare

• Keep your evidence (configure log / audit files with data you need) and back them up

• Use SSL for authentication and content access where possible

• Keep server OS upgraded

• Install the current version of EZproxy

• Keep your system time correct


Educate & Collaborate

Involving Publishers, OCLC, Libraries

• Improve education (staff & patron)

• Improve technology

• Improve support of our mutual customers

• Use OCLC Support Site & Community Center

• Your ideas?

https://www.flickr.com/photos/quinnanya/111201180


References

• EZproxy Support Site: https://www.oclc.org/support/services/ezproxy.en.html

• Managing your EZproxy: https://www.oclc.org/support/services/ezproxy/documentation/manage.en.html

• Securing your server: https://www.oclc.org/support/services/ezproxy/documentation/example/securing.en.html

• EZproxy - Publisher Support Page: https://www.oclc.org/support/services/ezproxy/contentproviders.en.html

• OCLC Partners Page (Publishers): http://www.oclc.org/en/partnerships.html

• RA21 Initiative: https://ra21.org/

http://www.clker.com/clipart-13969.html