Thursday 16th May 2019
Update: the final RA21 recommended practices were published on 21 June 2019.
Why are the guidelines needed?
Today’s library users have become increasingly frustrated with getting access to the content they need for work or study. Gone are the days when people only accessed content from a physical location such as a desktop in a university library. Mobile devices have changed all that and the expectation is that information can be accessed anytime, anywhere and from any device.
Researchers are currently confronted with a confusing range of access options to choose from, leading them to give up and go to pirate websites for easier access. This isn’t good for the publisher, the library or the user as our conference panel session on piracy discussed. But piracy should not be the main concern here. First and foremost, we all need to work together to give library users the online experience they expect and deserve. After all these are the very people we provide our services for.
Towards the end of 2016, RA21 conducted an assessment of the different remote access methods and concluded that federated single sign-on was the most robust and scalable solution. However, its implementation on publisher and library platforms has so far been very poor and more work is needed to improve the organisation discovery experience so that library users can easily login.
The RA21 recommended practices are the first attempt by the information industry to improve library users’ login experience since NISO published its ESPReSSO: Establishing Suggested Practices Regarding Single Sign-On in 2009, which very few publishers chose to adopt. We hope these new guidelines will have more impact now that piracy is a very real threat to publishers’ business revenue.
What are RA21’s key recommendations?
1. Adopt federated single sign-on
Federated single sign-on enables library users to access their home organisation’s subscriptions with the same credentials they use to access their email, online learning platform, and other services. The secure exchange of encrypted user attribute data between the user’s organisation and publishers all takes place within an identity federation such as the OpenAthens Federation, InCommon federation and the UK Access Management federation.
Federated single sign-on provides a simple and consistent way for users to access content, whilst preserving their privacy through the use of attribute information stored in an organisation’s user directory. Watch our short animation to see how it works in practice.
Attribute data is inherent to federated single sign-on services and gives libraries more granular access control over which online resources a library user is entitled to access.
2. Establish identity federations where they do not exist
RA21 recommend the widespread adoption of federated single sign-on beyond the education and research community to corporate and other sectors via the trust network provided by identity federations. Also, more needs to be done within an organisation to extend federated identity to all departments and services so they can benefit fully.
The OpenAthens Federation is unique in that it is the only federation in the world that accepts organisations from any country or sector. It already supports a wide range of customers from government, defence, healthcare, pharmaceutical and corporate sectors and has helped publishers increase the return on their investment on infrastructure originally put in place for the academic and research communities. These efficiencies are generally passed on to their customers as no additional connection work is required.
If you’re not sure your country supports an identity federation, check the full list on the REFEDS website.
3. Ensure user privacy
A key principle of the GDPR and the GEANT code of conduct is that only the minimal amount of information about a user is exchanged with a publisher or other service provider. Publishers must also avoid collecting or storing user data, and must delete or anonymise attributes as soon as they are no longer necessary for providing a service.
It is the responsibility of an individual’s home organisation to ensure user data is properly protected, and a publisher should never require personally identifiable information for services such as personalisation.
In most cases, however, the use of opaque attributes such as eduPersonScopedAffiliation and eduPersonTargetedID is sufficient to ensure user access to content. Have a listen to our webinar on preserving user privacy to find out more.
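As an added illustration (not part of the original article or of OpenAthens’ own code), the following Python sketch shows what minimal attribute release looks like in practice: the identity provider releases only eduPersonScopedAffiliation plus a pairwise opaque identifier, so the publisher never sees the user’s name or email address, and two publishers cannot correlate the same user. The directory record, the salt and the HMAC derivation are constructed assumptions for illustration; real identity providers derive eduPersonTargetedID with their own persistent, salted mechanism.

```python
import hashlib
import hmac

# Constructed directory record for one user (sample data, not real).
USER_RECORD = {
    "uid": "jsmith",
    "mail": "j.smith@example.ac.uk",
    "displayName": "Jane Smith",
    "eduPersonScopedAffiliation": ["member@example.ac.uk", "staff@example.ac.uk"],
}

# The only attributes the release policy allows a publisher to receive.
RELEASABLE = {"eduPersonScopedAffiliation", "eduPersonTargetedID"}

# Hypothetical identity-provider secret; a real IdP keeps this long-lived and private.
IDP_SALT = b"constructed-idp-secret-salt"


def targeted_id(uid: str, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """Derive a pairwise opaque identifier (simplified illustration).

    An HMAC over (uid, sp_entity_id) gives the same user a stable value at one
    publisher and an unrelated value at another, so the identifier cannot be
    used to track the user across publishers.
    """
    msg = f"{uid}!{sp_entity_id}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def release_attributes(record: dict, sp_entity_id: str) -> dict:
    """Return only what the publisher needs; mail and displayName stay at the IdP."""
    released = {name: value for name, value in record.items() if name in RELEASABLE}
    released["eduPersonTargetedID"] = targeted_id(record["uid"], sp_entity_id)
    return released


if __name__ == "__main__":
    a = release_attributes(USER_RECORD, "https://sp.publisher-a.example/shibboleth")
    b = release_attributes(USER_RECORD, "https://sp.publisher-b.example/shibboleth")
    print(sorted(a))                 # no mail, no displayName
    print(a["eduPersonTargetedID"] != b["eduPersonTargetedID"])  # True: pairwise
```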
4. Improve the user experience
This is the most important and detailed section of the RA21 recommended practices. Publishers need to take a holistic view of the user’s journey to content, from discovery to access. There are four key actions publishers need to take:
This section focuses on the importance of user-centred design, consistent terminology and the use of an organisation discovery service.
5. Establish a central organisation discovery service
A central organisation discovery service or WAYF (Where Are You From) is recommended in the guidance and is something RA21 plan to develop and run as a service.
OpenAthens Wayfinder is a free organisation discovery service that was developed in parallel to the RA21 pilots using agile methods and user-centred design. It is available as a hosted service or as a component that can be embedded in any publisher website. We’ll continue to develop Wayfinder alongside RA21 recommended practices and changing user needs.
A simple search enables users to easily find their home organisation so they can login to all the resources their organisation subscribes to, whilst preserving user privacy.
A user’s search will automatically cover all federations that the publisher is a member of without the user needing to be aware of them.
Wayfinder remembers the user’s last login choice and can also ‘forget’ any organisations users no longer belong to, creating an even easier user journey.
Sub-domains for distributed organisations such as the UK National Health Service and the US Department of Veterans Affairs can also be displayed, and there is an option to add non-federated organisations too.
6. Improve metadata quality and apply consistent standards
RA21 recommends that organisations and federation operators follow best practice in configuring their federation metadata so that their brands, icons, etc. are presented consistently in different interfaces. Examples include:
7. Set session timeout periods
RA21 recommends that session timeouts for access to scholarly content are mapped to a typical user’s work period, e.g. 10 hours, and that for account administrators they are restricted to 15–30 minutes, depending on the organisation’s information security and risk management policies.
What’s the future?
The members of RA21, which now has representation from a number of librarians as well as publishers, see federated single sign-on as the predominant access technology now and in the near future. Whilst recognising that emerging technologies such as OpenID Connect may become more established, the recommendations are expected to remain relevant to any future shifts in technology. Key principles outlined by RA21 around privacy, security and user experience will also continue to be an important consideration for anyone providing information services.
But nothing will change unless publishers engage with the very real issues that libraries and their users are experiencing. Much wider adoption of federated single sign-on is also needed by the information industry across different sectors and countries.
If ever there was a time for publishers to act to improve the user experience, it is here and now.