TRANSCRIPT

RA21 Problem Statement
• Access to STM content and resources is traditionally managed via IP address recognition.
• For the past 20 years, this has provided seamless access for users when on campus.
• However, with modern expectations of the consumer web, this approach is increasingly problematic:
  – Users want seamless access from any device, from any location
  – Users increasingly start their searches on 3rd party sites (e.g. Google, PubMed) rather than publisher platforms or library portals, and run into access barriers
  – A patchwork of solutions exists to provide off-campus access: proxy servers, VPNs, Shibboleth; however the user experience is inconsistent and confusing
  – Publishers are facing an increasing volume of illegal downloads and piracy, and fraud is difficult to track and trace because of insufficient information about the end user
  – The lack of user data also impedes the development of more user-focused, personalized services by publishers.
  – The increase in piracy and fraud also poses a significant risk to campus information security
Fundamental Expectations of the Community
• Researchers
  – Seamless access to subscribed resources, from any device, from any location, from any starting point
  – A consistent, intuitive user experience across resources
  – Increased privacy of personal data
  – Streamlined text and data mining
• Resource Providers
  – Ability to provide individualized and differentiated access for better reporting to governing bodies and customers
  – Ability to offer personalized services to accelerate insight and discovery
  – Ability to ensure the integrity of content on both institutional and commercial platforms
• Customers
  – Minimization of the administrative burden of providing access to authorized user communities
  – Maximization of the use of the resources purchased
  – Protection of the privacy of user communities and advocacy for their security
RA21 Guiding Principles
1. The user experience for researchers will be as seamless as possible, intuitive and consistent across varied systems, and meet evolving expectations.
2. The solution will work effectively regardless of the researcher's starting point, physical location, and preferred device.
3. The solution will be consistent with emerging privacy regulations, will avoid requiring researchers to create yet another ID, and will achieve an optimal balance between security and usability.
4. The system will achieve end-to-end traceability, providing a robust, widely adopted mechanism for detecting fraud that occurs at institutions, vendor systems, and publishing platforms.
5. The customer will not be burdened with administrative work or expenses related to implementation and maintenance. The implementation plan should allow for gradual transition and account for different levels of technical and organizational maturity in participating institutions.
Pilot Program
• Pilot program through Q3 2017
  – Broad spectrum of stakeholders
  – Address a variety of use cases
  – Includes both academic and corporate efforts
• Self-organized, registered and tracked under the larger umbrella of RA21
• Feedback and results shared with the community
• Ultimate goals
  – Move away from IP authentication (lack of scale)
  – Balance with the concept of privacy (General Data Protection Regulation, 2018)
  – Create a set of best-practice recommendations for identity discovery
Important to have multiple pilots so we can address the problem from multiple angles.
The RA21 task force will not build a specific technical solution or an industry-wide authentication platform.
RA21 Pilots
• Corporate Pilot
• Three Academic Pilots
  – The Academic (Shared "Where are you from" (WAYF)) Pilot
  – Privacy Preserving Persistent WAYF Pilot
  – Client-based WAYF Pilot
• All seek to address the user experience for off-campus access
By the end of today, we are hoping to have more participants involved in each of the pilots.
Corporate Pilot
• Corporate pilot participants
  – Pharma Documentation Ring (P-D-R) member companies
    • Roche, GSK, Novartis, BASF, Abbvie
  – Scholarly publishers
    • ACS, Elsevier, Springer-Nature, Wiley
• Pilot goals
  – Validation of SAML-based federated authentication in lieu of IP-based authentication for access to scholarly resources.
  – Potentially customized identity attributes to facilitate granular usage reporting.
  – Demonstration of a consistent and streamlined user experience for user authentication across multiple STM publisher sites, regardless of the user's location and device used.
Corporate Pilot – Identity Landscape (diagram; labels recovered from the figure)
• All visitors: anonymous access to free content
• Institutional identity (we know where you're from): anonymous entitled access – today's IP address recognition
• Individual identity (we know who you are): known user access to free content + personalized services
• Institutional + individual identity – RA21: known & entitled user, or pseudonymous & entitled user
Corporate Pilot – Progress To Date
• Pilot officially formed in late 2016
• Survey sent to all P-D-R companies to understand identity management capabilities and readiness
• Part-time paid facilitator with support from CCC, GSK, and participating publishers
• Face-to-face meeting in March 2017
  – Whiteboarded the user experience flow
• Now developing clickable prototype
• Will test with P-D-R users in May/June
• Exploring the possibility of forming a federation among all P-D-R companies
Privacy Preserving Persistent WAYF (P3W) Pilot
Pilot goals
– To improve the current Shibboleth Identity Provider discovery process
  • Incorporate additional "WAYF hints" such as email domain and IP address into federation metadata
  • Improve sign-in flow using those WAYF hints
  • Enable cross-provider persistence of WAYF choice using browser local storage
Pilot participants (confirmed so far)
– Academic Institutions
  • MIT
– Vendors/Service Providers
  • Ping Identity
  • Proquest
  • Eduserv
– Scholarly Publishers
  • Elsevier
Current Typical Sign In Flow – Steps 1 to 5 (screenshots of today's multi-step IdP discovery)

Improved First-Time Flow – Step 1 (mock-up)
  Enter your institutional email or domain to check access
  Email address* [            ] [Continue]
  *Your email address will not be stored
  [x] Remember this account
Improved First-Time Flow – Steps 2 and 3 (screenshots)

Improved Next-Time Flow – Step 1 (mock-up)
  Choose an account to check access
  mit.edu >
  + Add Account
Improved Next-Time Flow – Step 2 (screenshot)
Preserving Privacy
Technique: Only the domain part of the email address needs to be transmitted from the browser to the publisher platform to select the IdP.
  Challenge: Need to define and test a standardized UI that makes this clear to users.
Technique: IdP preference is stored locally in the browser and retrieved using centrally served JavaScript, not on a central server.
  Challenge: Need to adapt the Account Chooser mechanism to support SAML IdPs vs. OpenID Connect Authorization Servers.
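The two privacy techniques above, together with the "WAYF hints" the P3W pilot wants in federation metadata, can be shown end to end in a few dozen lines. The following is an added example written for this transcript; it is not code from the P3W pilot or the Account Chooser project. The metadata shape (a `wayfHints` object with `emailDomains` and `ipRanges`), the entityIDs and IP ranges, and the storage key name are all assumptions. It reduces the user's input to the bare domain before anything is matched, scores IdPs by domain and by client IP range, and keeps the chosen IdP only in the browser's local storage (an in-memory Map when run under Node).

```javascript
// Added example, not P3W pilot or Account Chooser code. Federation metadata,
// entityIDs, IP ranges and the storage key below are constructed assumptions.

// Constructed sample: federation metadata carrying hypothetical WAYF hints.
const FEDERATION_METADATA = [
  { entityID: 'https://idp.mit.edu/shibboleth', displayName: 'MIT',
    wayfHints: { emailDomains: ['mit.edu'], ipRanges: ['18.0.0.0/9'] } },
  { entityID: 'https://idp.example-university.edu/idp', displayName: 'Example University',
    wayfHints: { emailDomains: ['example-university.edu'], ipRanges: ['203.0.113.0/24'] } },
];

// Reduce whatever the user typed to a bare domain. The local part is dropped
// here, in the browser, so the publisher platform only ever receives the domain.
function extractDomain(input) {
  const s = String(input).trim().toLowerCase();
  const at = s.lastIndexOf('@');
  const domain = at >= 0 ? s.slice(at + 1) : s;
  return /^[a-z0-9.-]+\.[a-z]{2,}$/.test(domain) ? domain : null; // reject junk
}

// IPv4 helpers for the ipRanges hint (a CIDR match the SP can run server-side).
function ipv4ToInt(ip) {
  const p = ip.split('.').map(Number);
  if (p.length !== 4 || p.some(x => !Number.isInteger(x) || x < 0 || x > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}
function ipInCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Candidate IdPs, best first: a domain hint (exact or parent domain) counts 2,
// a client-IP range hint counts 1. Nothing about the user is stored by this call.
function discoverIdPs(metadata, { domain = null, clientIp = null } = {}) {
  const scored = [];
  for (const idp of metadata) {
    const h = idp.wayfHints || {};
    let score = 0;
    if (domain && (h.emailDomains || []).some(d => domain === d || domain.endsWith('.' + d))) score += 2;
    if (clientIp && (h.ipRanges || []).some(r => ipInCidr(clientIp, r))) score += 1;
    if (score > 0) scored.push({ entityID: idp.entityID, score });
  }
  return scored.sort((x, y) => y.score - x.score).map(c => c.entityID);
}

// Browser-only persistence of the WAYF choice: window.localStorage when it
// exists, an in-memory Map otherwise (so the same code runs under Node).
const memoryStore = new Map();
const store = {
  get: k => (typeof localStorage !== 'undefined' ? localStorage.getItem(k) : (memoryStore.get(k) ?? null)),
  set: (k, v) => (typeof localStorage !== 'undefined' ? localStorage.setItem(k, v) : memoryStore.set(k, v)),
};
const STORAGE_KEY = 'ra21.preferredIdPs'; // assumed key name

function rememberIdP(entityID) {
  const list = JSON.parse(store.get(STORAGE_KEY) || '[]').filter(e => e !== entityID);
  list.unshift(entityID);
  const kept = list.slice(0, 5); // keep the last few accounts, like an account chooser
  store.set(STORAGE_KEY, JSON.stringify(kept));
  return kept;
}
function rememberedIdPs() { return JSON.parse(store.get(STORAGE_KEY) || '[]'); }

// First-time flow from the mock-up: the user types an address or domain, only
// the domain is used for discovery, and the resulting IdP is remembered locally.
function firstTimeFlow(userInput, clientIp) {
  const domain = extractDomain(userInput);
  if (!domain) return { error: 'invalid domain' };
  const candidates = discoverIdPs(FEDERATION_METADATA, { domain, clientIp });
  if (candidates.length === 0) return { domain, error: 'no IdP found' };
  rememberIdP(candidates[0]);
  return { domain, entityID: candidates[0] };
}

module.exports = { extractDomain, ipInCidr, discoverIdPs, rememberIdP, rememberedIdPs, firstTimeFlow, FEDERATION_METADATA };
```

The next-time flow is simply `rememberedIdPs()` rendered as the account list; because the list lives in the browser and the JavaScript that reads it is served centrally, no server ever sees which IdP a given device prefers. The domain check is deliberately strict: the value is later used to look up metadata and to build UI, so anything that is not a plausible hostname is rejected before it leaves the form.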
Achieving the Vision
Objective: Incorporate additional "WAYF hints" into federation metadata
  – Core team*: Agree schema for WAYF hints
  – Participating libraries: Add new attributes to IdP metadata
  – Participating publishers: Read new attributes from IdP metadata
Objective: Improve sign-in flow using those WAYF hints
  – Core team*: Design new UI flow (can borrow and adapt from URA pilot)
  – Participating libraries: Test new UI flow with end users and collect feedback
  – Participating publishers: Implement new UI flow in platform (at least as a prototype)
Objective: Enable cross-provider persistence of WAYF choice using browser local storage
  – Core team*: Adapt Account Chooser JavaScript; host modified Account Chooser JavaScript
  – Participating libraries: Educate users
  – Participating publishers: Incorporate Account Chooser into UI flow (at least as a prototype)
*Core team = vendors, publishers and libraries interested in defining the UX and building the technology for this pilot
Deliverables
• A set of recommendations for WAYF hints to be incorporated into federation metadata
• A recommendation on a streamlined WAYF UI flow
• A working adaptation of the Account Chooser software to meet the needs of the pilot
• A report on experience learned during the pilot and the pros/cons of taking it forward into production

Work Breakdown Structure
There will be two independent workstreams that can proceed in parallel:
• Incorporation of additional WAYF hints such as email domain and IP address ranges into participating federations' IdP metadata, and utilization of this metadata in streamlined IdP discovery workflows by participating Service Providers
• Deployment of a shared WAYF service which allows an end-user's preferred IdP account to be selected and stored securely in their browser, and for this choice to be securely accessed by participating SPs, thus allowing the user's WAYF choice to be persisted across sites.
Schedule
• The pilot will commence in Q2 2017 and aim to provide final recommendations by the end of 2017

Resources
The core group will need to include individuals with the following skills/experience:
• Software developers with experience of SAML, OpenID Connect and/or web application development
• UI/UX experts
• Individuals with expertise in SAML metadata schemes and standards
• Project management
Shared WAYF
Organizational Login (diagram: the user arrives at a publisher, is asked "wayf?", and is then sent to the organizational login)
Not a great user experience ... but it can be improved!
Organizational Login ... across publishers (diagram: two publishers, each asking "wayf?")
User Perspective (diagram: four publishers, each asking the user "wayf?")
➡ Poor Experience!
Shared WAYF Pilot: why don't publishers ask each other instead of all asking the user?
(diagram: the four publishers ask "wayf?" of a shared wayf-cloud, which asks the user once)
User Experience Possibilities* (*even for first-time visitors)
Shared WHAT? (diagram: the record shared through wayf-cloud)
  publisher id | publisher-specific device id | wayf-cloud device id | IdP ID
  publisher1   | random number                | random number        | entityID
User Control (the user controls this record)
Privacy
• non-personal user data
• user control
• opt-in option

Open Development
• WAYF-cloud source code is available in a public repository on GitHub
  – available with an Open Source Software License (Apache 2.0)
  – no code yet promoted from the development branch to the master branch
  – https://github.com/atypon/wayf-cloud/tree/development
• Why?
  – Transparency / Trust / Adoption
  – No vendor lock-in
  – Community-driven evolution
Pilot Objectives
• wayf-cloud development
  – embrace the Open Source Software development model
• Easy integration into publisher platforms
• Seamless user access across publishers
  – leverage organisational authentication systems
  – utilize shared WAYF data

Pilot Participation
• Publishers with the ability to
  – integrate their publisher platforms using the wayf-cloud API
  – adapt the organizational login UI from shared WAYF data
• Organizations & institutions with organisational authentication systems already integrated with publisher participants (or willing to integrate)
UX examples (screenshots)

Architecture (Elements)
• WAYF Widget (client component)
• WAYF Cloud (server component)
• Publisher Platform (server component)
• Institutional IdP
Architecture (Interfaces): diagram of the interfaces between the WAYF Widget, WAYF Cloud, Publisher Platform and Institutional IdP
WAYF Widget
• Included in content sites

URA Widget – in action (sequence diagram: web browser, publisher web server, WAYF cloud)
1. Browser → web server: GET https://www.awesomepublisher.com
2. Web server → browser: 200 OK index.html, set-cookie: localID=xxxx. The page embeds the widget script:
     <!DOCTYPE html>
     <html>
       <head>
         <script src="https://www.wayf-cloud.com/widget.js" async></script>
         <title>Welcome Page</title>
       </head>
       <body>Hello World!</body>
     </html>
3. Browser → WAYF cloud: GET https://wayf-cloud.org/ura-widget.js (load widget)
4. Widget execution; browser → WAYF cloud: POST https://wayf-cloud.org/ura/session, body: { localID: xxxxx }
WAYF Cloud
• Cloud service operated by an agreed-upon entity
• Creates device-specific global IDs, stored in a cookie in the domain name of the WAYF cloud server
• Maintains device data per global device ID
• Interfaces with
  • WAYF Widget
  • Publisher Platforms

WAYF Cloud – in action (sequence diagram)
1. Browser → web server: GET https://www.awesomepublisher.com
2. Web server → browser: 200 OK index.html (embedding the widget script shown above)
3. Browser (widget) → WAYF cloud: POST https://wayf-cloud.org/ura/session, body: { localID: xxxxx }
4. WAYF cloud → browser: 200 OK, set-cookie: ura/gid=R1.0
WAYF Cloud – in action (diagram: a single device that visited multiple web servers where the WAYF widget is installed)
Publisher Platform
• Consumes WAYF cloud services:
  – GET device data
  – PUT device data
• Directs visiting users to IdPs they have used in the past

Publisher Platforms – in action
platform 1 – localID: B131 – PUT device data:
  { host: pub1, timestamp: DD-MM-YYYY-HH-MM-SS, sso: { protocol: SAML, entityID: https://xyz.com/shibboleth } }
platform 2 – localID: A-123 – GET device data, which returns the record platform 1 PUT:
  { host: pub1, timestamp: DD-MM-YYYY-HH-MM-SS, sso: { protocol: SAML, entityID: https://xyz.com/shibboleth } }

Full Example (diagram)
samlbits WAYF
• samlbits discovery objectives
  – Improve Identity Provider (IdP) discovery processes
    • Use a shared discovery service that uses both browser information and shared metadata hints to narrow down IdP options for the user without tracking the user
  – Determine the best way to populate the metadata registry with hints from the Service Providers regarding what IdPs are likely to work in an authorization scenario
Process – user perspective
• Step one: the discovery service checks the browser's local store and displays the last IdP (or set of IdPs) used by the user.
• Step two: if the local browser store is empty, or if the user chooses not to use any of the IdPs offered, the user will be presented with a search interface or a list that is built based on the database of IdPs that are known to work with that SP (the samlbits component).

Process – publisher perspective
• A good discovery experience relies on two things:
  – Accurately predicting user needs
    • don't present more UI than necessary
    • understand user context
    • integrate with the web platform
    • do mobile
  – Correctly representing the publisher-customer link
    • make search count
    • don't disappoint the user

Process – library perspective
• Libraries might be the IdP
  – then they don't have to do anything other than be an IdP
• Libraries are going to be critical for the UX guidance
  – the UI needs to be better at displaying IdPs that are NOT known to work with an SP
More information
• http://ra21.org/index.php/pilot-programs/client-based-wayf-pilot/

Next Steps
• Follow up with the pilot coordinators and pilot leads: need developers, testers, UI feedback