Our response to draft RA21 recommendations

Improving access to institutionally-provided content

We welcome the draft RA21 ‘Recommended practices for improved access to institutionally-provided information resources’. The document is out for public comment until Friday 17 May 2019. The new RA21 recommendations are the result of a two year Resource Access in the 21st Century (RA21) project. The project aimed to facilitate a seamless user experience for access to online resources.  

Update: the final RA21 recommended practices were published on 21 June 2019.

Why are the guidelines needed? 

Today’s library users have become increasingly frustrated with getting access to the content they need for work or study. Gone are the days when people only accessed content from a physical location, such as desktops in a university library. Mobile devices have changed all that. Users expect to access information anytime, anywhere and from any device. 

Researchers currently choose from a confusing range of access options. This leads them to give up and go to pirate websites for easier access. This isn’t good for the publisher, the library or the user as our conference panel session on piracy discussed. But piracy should not be the main concern here. First and foremost, we all need to work together to give library users the online experience they expect and deserve. After all, these are the very people we provide our services for. 

Towards the end of 2016, RA21 conducted an assessment of the different remote access methods. They concluded that federated single sign-on was the most robust and scalable solution. However, its implementation on publisher and library platforms has so far been very poor. More work is needed to improve the organization discovery experience so that library users can easily login. 

The RA21 recommendations are the first attempt by the information industry to improve library users login experience since 2009. Previously, NISO published its’ ESPReSSO: Establishing Suggested Practices Regarding Single Sign-On which very few publishers chose to adopt. We hope these new RA21 recommendations will have more impact now that Piracy is a very real threat to publishers’ business revenue. 

What are the key RA21 recommendations? 

1. Adopt federated single sign-on 

Federated single sign-on enables library users to access their home organization’s subscriptions with the same credentials they use for email, online learning platforms, and other services. The secure exchange of encrypted user attribute data between the user’s organization and publishers all takes place within an identity federation such as the OpenAthens Federation, InCommon federation and the UK Access Management federation. 

This access method provides a simple and consistent way for users to access content. At the same time, it also preserves users' privacy by storing attribute information in an organization’s user directory. Watch our short animation to see how it works in practice. 

Attribute data is inherent to federated single sign-on services. It gives libraries more granular access control over library user access entitlements to online resources.  

2. Establish identity federations where they do not exist  

RA21 recommend the widespread adoption of federated single sign-on beyond the education and research community to corporate and other sectors. The trust network provided by identity federations makes this possible. More can be done within an organization to extend federated identity to all departments and services so they can benefit. 

The OpenAthens Federation is unique. It is only federation in the world that accepts organizations from any country or sector. It already supports a wide range of customers from government, defence, healthcare, pharmaceutical and corporate sectors. We've helped publishers increase their return on their investment on infrastructure originally put in place for academic and research communities. We pass these efficiencies onto our customers because no additional connection work is required.  

If you’re not sure your country supports an identity federation, check the full list on the REFEDS website. 

3. Ensure user privacy 

RA21 recently endorsed the GEANT Data Protection Code of Conduct. We expect an updated version to follow the European Union’s more stringent General Data Protection Regulations (GDPR).  

A key principle of the GDPR and GEANT code of conduct is to ensure the smallest amount of user information is exchanged with a publisher or service provider. Publishers must also not collect or store user data. They must also delete or anonymize attributes as soon as they’re no longer necessary for providing a service. 

An individual’s home organization must properly protect user data. And they may also ensure that personally identifiable information is never required by a publisher for personalization services. 

In most cases, opaque attributes such as eduPersonScopedAffiliation and eduPersonTargetedID are sufficient to ensure user access to content. Have a listen to our webinar on preserving user privacy to find out more. 

4. Improve the user experience 

This is the most important and detailed section of the RA21 recommendations. Publishers need to take a holistic view of users’ journey to content, from discovery to access. There are four key actions publishers need to take: 

1. Display a new common login button for federated single sign-on 
2. Present all login choices in the same location and in hierarchical order 
3. Place the new login button in a location that doesn’t require the user to scroll. 
4. Remember a user’s last login choice. 

This section focuses on the importance of user-centred design, consistent terminology and the use of an organization discovery service. 

5. Establish a central organization discovery service 

RA21 recommend a central organisation discovery service or WAYF (Where Are You From). Indeed they plan to develop and run this as a service.   

We developed Wayfinder, a free organization discovery service, in parallel to the RA21 pilots using agile methods and user-centered design. It is available as a hosted service or as a component that can be embedded in any publisher website. We’ll continue to develop Wayfinder alongside RA21 recommended practices and changing user needs.  

A simple search enables users to easily find their home organization. From there they can login to all the resources their organization subscribes to, whilst preserving user privacy.   

A user’s search will automatically cover all federations that the publisher is a member of. All this, without the user event needing to be aware of them.   

Wayfinder remembers the user’s last login choice. It can also ‘forget’ any organizations users no longer belong to, creating an even easier user journey.   

Wayfinder also displays sub-domains for distributed organizations such as the UK National Health Service. And there is an option to add non-federated organizations too.   

6. Improve metadata quality and apply consistent standards

RA21 recommends that organizations and federation operators follow best practice in configuring their federation metadata. So their brands, icons etc present consistently in different interfaces. Examples include: 

• DisplayName should display in English and the local language of the organization. 
• The organization logo and icon displayed on transparent background and sized according to each federation requirements 
• Keywords to enable the end user to easily locate their organization eg. MIT for Massachusetts Institute of Technology. 
• Easy to understand descriptions of identity services to help a user identify which one they need.

7. Set session timeout periods  

RA21 recommend that organizations map session timeouts for access to scholarly content to a typical users’ work period eg. 10 hours. Depending on the organization’s information security and risk management policies, organizations restrict account administrator sessions to 15 – 30 minutes.
 

What’s the future? 

RA21 members see federated remote access as the predominant access technology now and in the near future. Its membership now includes a number of librarians as well as publishers. Emerging technologies such as OpenID Connect may become more established. But the RA21 recommendations are expected to remain relevant to any future shifts in technology. Key principles around privacy, security and user experience will continue to be an important consideration for anyone providing information services. 

But nothing will change unless publishers engage with the very real issues that libraries and their users are experiencing. The information industry needs to adopt federated single sign-on more widely across different sectors and countries. 

If ever there was a time for publishers to act to improve the user experience, it is here and now. 

Photo by Vladyslav Melnyk on Unsplash