RA21 Problem Statement

Post on 03-Jan-2021


RA21 Problem Statement
• Access to STM content and resources is traditionally managed via IP address recognition.
• For the past 20 years, this has provided seamless access for users when on campus.
• However, with modern expectations of the consumer web, this approach is increasingly problematic:
  – Users want seamless access from any device, from any location.
  – Users increasingly start their searches on 3rd-party sites (e.g. Google, PubMed) rather than publisher platforms or library portals, and run into access barriers.
  – A patchwork of solutions exists to provide off-campus access (proxy servers, VPNs, Shibboleth); however, the user experience is inconsistent and confusing.
  – Publishers are facing an increasing volume of illegal downloads and piracy, and fraud is difficult to track and trace because of insufficient information about the end user.
  – The lack of user data also impedes the development of more user-focused, personalized services by publishers.
  – The increase in piracy and fraud also poses a significant risk to campus information security.

Fundamental Expectations of the Community

• Researchers
  – Seamless access to subscribed resources, from any device, from any location, from any starting point
  – A consistent, intuitive user experience across resources
  – Increased privacy of personal data
  – Streamlined text and data mining
• Resource Providers
  – Ability to provide individualized and differentiated access for better reporting to governing bodies and customers
  – Ability to offer personalized services to accelerate insight and discovery
  – Ability to ensure the integrity of content on both institutional and commercial platforms
• Customers
  – Minimization of the administrative burden of providing access to authorized user communities
  – Maximization of the use of the resources purchased
  – Protection of the privacy of user communities and advocacy for their security

RA21 Guiding Principles
1. The user experience for researchers will be as seamless as possible, intuitive and consistent across varied systems, and meet evolving expectations.
2. The solution will work effectively regardless of the researcher's starting point, physical location, and preferred device.
3. The solution will be consistent with emerging privacy regulations, will avoid requiring researchers to create yet another ID, and will achieve an optimal balance between security and usability.
4. The system will achieve end-to-end traceability, providing a robust, widely adopted mechanism for detecting fraud that occurs at institutions, vendor systems, and publishing platforms.
5. The customer will not be burdened with administrative work or expenses related to implementation and maintenance. The implementation plan should allow for gradual transition and account for different levels of technical and organizational maturity in participating institutions.

Pilot program
• Pilot program through Q3 2017
  – Broad spectrum of stakeholders
  – Address a variety of use cases
  – Includes both academic and corporate efforts
• Self-organized, registered and tracked under the larger umbrella of RA21
• Feedback and results shared with the community
• Ultimate goals
  – Move away from IP authentication (lack of scale)
  – Balance with the concept of privacy (General Data Protection Regulation, 2018)
  – Create a set of best-practice recommendations for identity discovery

It is important to have multiple pilots so we can address the problem from multiple angles.

The RA21 task force will not build a specific technical solution or an industry-wide authentication platform.

RA21 Pilots
• Corporate Pilot
• Three Academic Pilots
  • The Academic (Shared "Where are you from" (WAYF)) Pilot
  • Privacy Preserving Persistent WAYF Pilot
  • Client-based WAYF Pilot
• All seek to address the user experience for off-campus access

By the end of today, we are hoping to have more participants involved in each of the pilots.

Corporate Pilot
• Corporate pilot participants
  – Pharma Documentation Ring (P-D-R) member companies
    • Roche, GSK, Novartis, BASF, Abbvie
  – Scholarly publishers
    • ACS, Elsevier, Springer-Nature, Wiley
• Pilot goals
  – Validation of SAML-based federated authentication in lieu of IP-based authentication for access to scholarly resources.
  – Potentially customized identity attributes to facilitate granular usage reporting.
  – Demonstration of a consistent and streamlined user experience for user authentication across multiple STM publisher sites, regardless of the user's location and device used.

Corporate Pilot – Identity Landscape

[Diagram, built up over three slides: the identity landscape from anonymous to known users and from free to entitled content.]
• All visitors: anonymous access to free content
• Institutional identity (we know where you're from): anonymous entitled access; this is today's IP address recognition
• Individual identity (we know who you are): known-user access to free content + personalized services
• RA21 target: known & entitled user, or pseudonymous & entitled user

Corporate Pilot – Progress To Date
• Pilot officially formed in late 2016
• Survey sent to all P-D-R companies to understand identity management capabilities and readiness
• Part-time paid facilitator with support from CCC, GSK, and participating publishers
• Face-to-face meeting in March 2017
  – Whiteboarded the user experience flow
• Now developing a clickable prototype
• Will test with P-D-R users in May/June
• Exploring the possibility of forming a federation among all P-D-R companies

Privacy Preserving Persistent WAYF (P3W) Pilot

Pilot goals
  – To improve the current Shibboleth Identity Provider discovery process
    • Incorporate additional "WAYF hints" such as email domain and IP address into federation metadata
    • Improve the sign-in flow using those WAYF hints
    • Enable cross-provider persistence of the WAYF choice using browser local storage

Pilot participants (confirmed so far)
  – Academic Institutions
    • MIT
  – Vendors / Service Providers
    • Ping Identity
    • Proquest
    • Eduserve
  – Scholarly Publishers
    • Elsevier

Current Typical Sign In Flow – Steps 1 to 5 [screenshots of the existing discovery and sign-in pages]

Improved First-Time Flow – Step 1 [mockup]
  Enter your institutional email or domain to check access
  Email address*: a.professor@mit.edu
  [Continue]
  *Your email address will not be stored
  [x] Remember this account

Improved First-Time Flow – Steps 2 and 3 [screenshots]

Improved Next-Time Flow – Step 1 [mockup]
  Choose an account to check access
  mit.edu >
  + Add Account

Improved Next-Time Flow – Step 2 [screenshot]

Preserving Privacy

Technique: Only the domain part of the email address needs to be transmitted from the browser to the publisher platform to select the IdP.
Challenge: Need to define and test a standardized UI that makes this clear to users.

Technique: The IdP preference is stored locally in the browser and retrieved using centrally served JavaScript, not on a central server.
Challenge: Need to adapt the Account Chooser mechanism to support SAML IdPs vs. OpenID Connect Authorization Servers.

Achieving the vision

Objective: Incorporate additional "WAYF hints" into federation metadata
  Work for core team*: Agree a schema for WAYF hints
  Work for participating libraries: Add new attributes to IdP metadata
  Work for participating publishers: Read new attributes from IdP metadata

Objective: Improve the sign-in flow using those WAYF hints
  Work for core team*: Design the new UI flow (can borrow and adapt from the URA pilot)
  Work for participating libraries: Test the new UI flow with end users and collect feedback
  Work for participating publishers: Implement the new UI flow in the platform (at least as a prototype)

Objective: Enable cross-provider persistence of the WAYF choice using browser local storage
  Work for core team*: Adapt the Account Chooser JavaScript; host the modified Account Chooser JavaScript
  Work for participating libraries: Educate users
  Work for participating publishers: Incorporate Account Chooser into the UI flow (at least as a prototype)

*Core team = vendors, publishers and libraries interested in defining the UX and building the technology for this pilot

Deliverables
• A set of recommendations for WAYF hints to be incorporated into federation metadata
• A recommendation on a streamlined WAYF UI flow
• A working adaptation of the Account Chooser software to meet the needs of the pilot
• A report on experience learned during the pilot and the pros/cons of taking it forward into production

Work Breakdown Structure
There will be two independent workstreams that can proceed in parallel:
• Incorporation of additional WAYF hints such as email domain and IP address ranges into the participating federations' IdP metadata, and utilization of this metadata in streamlined IdP discovery workflows by participating Service Providers
• Deployment of a shared WAYF service which allows an end user's preferred IdP account to be selected and stored securely in their browser, and for this choice to be securely accessed by participating SPs, thus allowing the user's WAYF choice to be persisted across sites.

Schedule
• The pilot will commence in Q2 2017 and aim to provide final recommendations by the end of 2017

Resources
The core group will need to include individuals with the following skills/experience:
• Software developers with experience of SAML, OpenID Connect and/or web application development
• UI/UX experts
• Individuals with expertise in SAML metadata schemes and standards
• Project management

Shared WAYF

[Diagram: Organizational Login. The publisher site first asks the user "wayf?" (where are you from?), then hands off to the organizational login.]
Not a great user experience ... but it can be improved!

[Diagram: Organizational Login ... across publishers, from the user's perspective. Each of four publishers asks the same user "wayf?" separately.]
➡ Poor Experience!

Shared WAYF Pilot
Why don't publishers ask each other instead of all asking the user?

[Diagram: the four publishers consult a shared wayf-cloud service; the "wayf?" question goes to wayf-cloud rather than being put to the user at every publisher.]

User Experience Possibilities* (*even for first-time visitors)

Shared WHAT?

[Diagram: what is shared. A publisher (publisher1, identified by a publisher id) keeps a publisher-specific device id, which is a random number. The wayf-cloud keeps its own wayf-cloud device id, also a random number, together with the IdP ID (the IdP's entityID). Both identifiers stay under user control.]

Privacy
• non-personal user data
• user control
• opt-in option

Open Development
• WAYF-cloud source code is available in a public repository on GitHub
  – available under an open source software license (Apache 2.0)
  – no code yet promoted from the development branch to the master branch
  – https://github.com/atypon/wayf-cloud/tree/development
• Why?
  – Transparency / Trust / Adoption
  – No vendor lock-in
  – Community-driven evolution

Pilot Objectives
• wayf-cloud development
  – embrace the open source software development model
• Easy integration into publisher platforms
• Seamless user access across publishers
  – leverage organisational authentication systems
  – utilize shared wayf data

Pilot Participation
• Publishers with the ability to
  – integrate their publisher platforms using the wayf-cloud API
  – adapt the organizational login UI from shared WAYF data
• Organizations & institutions with organisational authentication systems already integrated with publisher participants (or willing to integrate)

UX examples [screenshots]

Architecture (Elements and Interfaces)
• WAYF Widget: client component, runs in the web browser
• WAYF Cloud: server component
• Publisher Platform: server component
• Institutional IdP
[Diagram: the interfaces between these four elements.]

WAYF Widget
• Included in content sites

URA Widget – in action (web-browser, web-server, WAYF cloud)
1. web-browser → web-server: GET https://www.awesomepublisher.com
2. web-server → web-browser: 200 OK index.html, set-cookie: localID=xxxx. The page embeds the widget script:
   <!DOCTYPE html>
   <html>
     <head>
       <script src="https://www.wayf-cloud.com/widget.js" async></script>
       <title>Welcome Page</title>
     </head>
     <body>Hello World!</body>
   </html>
3. web-browser → WAYF cloud: GET https://wayf-cloud.org/ura-widget.js (load widget)
4. widget execution: POST https://wayf-cloud.org/ura/session, body: { localID: xxxxx }

WAYF Cloud
• Cloud service operated by an agreed-upon entity
• Creates device-specific global IDs, stored in a cookie in the domain name of the WAYF cloud server
• Maintains device data per global device ID
• Interfaces with
  • WAYF Widget
  • Publisher Platforms

WAYF Cloud – in action (web-browser, web-server, WAYF cloud)
1. web-browser → web-server: GET https://www.awesomepublisher.com
2. web-server → web-browser: 200 OK index.html (the page embedding the widget script, as above)
3. widget → WAYF cloud: POST https://wayf-cloud.org/ura/session, body: { localID: xxxxx }
4. WAYF cloud → web-browser: 200 OK, set-cookie: ura/gid=R1.0

[Diagram: a single device that visited multiple web-servers (where the WAYF widget is installed), each of which issued its own localID, linked to one global device ID in the WAYF cloud.]

Publisher Platform
• Consumes WAYF cloud services:
  – GET device data
  – PUT device data
• Directs visiting users to IdPs they have used in the past

Publisher Platforms – in action
Platform 1 (localID: B131) PUTs a record of the sign-in it just performed:
  { host: pub1, timestamp: DD-MM-YYYY-HH-MM-SS, sso: { protocol: SAML, entityID: https://xyz.com/shibboleth } }
Platform 2 (localID: A-123) GETs the device data for the same device and receives that record.

Full Example [diagram of the complete flow across widget, WAYF cloud and publisher platforms]

samlbits WAYF
• samlbits discovery objectives
  – Improve Identity Provider (IdP) discovery processes
    • Use a shared discovery service that uses both browser information and shared metadata hints to narrow down the IdP options for the user without tracking the user
  – Determine the best way to populate the metadata registry with hints from the Service Providers regarding which IdPs are likely to work in an authorization scenario

Process – user perspective
• Step one: the discovery service checks the browser's local store and displays the last IdP (or set of IdPs) used by the user.
• Step two: if the local browser store is empty, or if the user chooses not to use any of the IdPs offered, the user is presented with a search interface or a list built from the database of IdPs known to work with that SP (the samlbits component).
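One discovery routine, added here as an example and not code from either pilot, that implements both the P3W "Preserving Privacy" technique described earlier (only the e-mail domain leaves the browser; the IdP choice is remembered in the browser's local store; "WAYF hints" of e-mail domain and IP range select the IdP) and the two-step samlbits process above (remembered IdPs first, then the list of IdPs known to work with this SP). The hints schema (emailDomains, ipRanges), the function names and the sample IdPs are assumptions: the pilots left the real schema to be agreed, and the data below is constructed for the example.

```javascript
// Added example, not the pilots' code. Constructed "WAYF hints" as they might be
// carried in federation metadata; the schema is an assumption.
const WAYF_HINTS = [
  { entityID: "https://idp.mit.edu/shibboleth", displayName: "MIT",
    emailDomains: ["mit.edu"], ipRanges: ["18.0.0.0/8"] },
  { entityID: "https://xyz.com/shibboleth", displayName: "XYZ Corp",
    emailDomains: ["xyz.com"], ipRanges: ["203.0.113.0/24"] },
  { entityID: "https://idp.example.ac.uk/shibboleth", displayName: "Example University",
    emailDomains: ["example.ac.uk"], ipRanges: [] },
];
// IdPs this SP knows to work with it (the samlbits registry); Example University is not one.
const SP_KNOWN_IDPS = new Set(["https://idp.mit.edu/shibboleth", "https://xyz.com/shibboleth"]);
const STORE_KEY = "ra21.wayf.remembered";

// Browser side: reduce whatever the user typed to a lowercase domain before anything
// is sent. The local part of an e-mail address never leaves the browser.
function domainFromInput(input) {
  const s = String(input).trim().toLowerCase();
  const at = s.lastIndexOf("@");
  const dom = at >= 0 ? s.slice(at + 1) : s;
  return /^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$/.test(dom) ? dom : null;
}

// Exact or subdomain match: "mail.xyz.com" matches the hint "xyz.com".
function matchesDomain(domain, hint) {
  return domain === hint || domain.endsWith("." + hint);
}

// IPv4 CIDR test for the IP-address hint (the SP sees the client address anyway).
function ipv4ToInt(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}
function ipInCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip), n = ipv4ToInt(net);
  if (a === null || n === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((n & mask) >>> 0);
}

// Local persistence (the "remember this account" box). store is anything with the
// localStorage getItem/setItem interface; memoryStore() stands in for it here.
function memoryStore() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
function rememberedIdPs(store) {
  try {
    const v = JSON.parse(store.getItem(STORE_KEY) || "[]");
    return Array.isArray(v) ? v : [];
  } catch {
    return []; // corrupted store: behave as if empty rather than fail discovery
  }
}
function remember(store, entityID) {
  const rest = rememberedIdPs(store).filter(e => e !== entityID);
  store.setItem(STORE_KEY, JSON.stringify([entityID, ...rest].slice(0, 5)));
}

// Discovery. Step one: remembered IdPs, then hint matches. Step two: if nothing
// matched, the full list of IdPs known to work with this SP. Each candidate says
// why it was offered and whether it is known to work, so the UI can label it.
function discoverIdP({ domain = null, clientIp = null, store = memoryStore(),
                       hints = WAYF_HINTS, knownIdPs = SP_KNOWN_IDPS }) {
  const out = [], seen = new Set();
  const offer = (entityID, reason) => {
    if (seen.has(entityID)) return;
    seen.add(entityID);
    out.push({ entityID, reason, knownToWork: knownIdPs.has(entityID) });
  };
  for (const e of rememberedIdPs(store)) offer(e, "remembered");
  for (const h of hints) {
    if (domain && h.emailDomains.some(d => matchesDomain(domain, d))) offer(h.entityID, "email-domain hint");
    else if (clientIp && h.ipRanges.some(c => ipInCidr(clientIp, c))) offer(h.entityID, "ip-range hint");
  }
  if (out.length === 0) {
    for (const h of hints) if (knownIdPs.has(h.entityID)) offer(h.entityID, "known-to-work list");
  }
  return out;
}
```

A remembered IdP is offered even when it is not in the SP's known-to-work set, with knownToWork false, which is the case the library perspective below asks the UI to handle better.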

Process – Publisher Perspective
• A good discovery experience relies on two things:
  – Accurately predicting user needs
    • don't present more UI than necessary
    • understand user context
    • integrate with the web platform
    • do mobile
  – Correctly representing the publisher-customer link
    • make search count
    • don't disappoint the user

Process – Library Perspective
• Libraries might be the IdP
  – then they don't have to do anything other than be an IdP
• Libraries are going to be critical for the UX guidance
  – the UI needs to be better at displaying IdPs that are NOT known to work with an SP

More information
• http://ra21.org/index.php/pilot-programs/client-based-wayf-pilot/

Next Steps
• Follow up with the pilot coordinators and pilot leads: developers, testers and UI feedback are needed