It’s been a while since there has been a general update to the community regarding the RA21 project. I was able to talk to some people at TIIME, and on the off chance anyone tracks items in the blog ‘The Scholarly Kitchen‘ (interesting, well-curated blog site aimed at scholarly publishers and academic librarians) you’ll have seen a handful of posts recently [1,2,3] that have included quite a bit of chatter around RA21.
In case you don’t know what RA21 is all about, the short, short version is that the people behind the project (a collaboration of scholarly publishers, librarians, vendors, and fed ops) are trying to solve the identity provider discovery problem. They are doing this via pilot projects that let people explore different possibilities such that a set of best practices can be published based on experience rather than wishful thinking. There are two academic pilots: WAYF Cloud and P3W. Both involve a central discovery service, but they differ in some significant ways on how they use such a service. The WAYF Cloud has a central service that stores quite a bit of data about the user and their IdP choice(s) such that an SP can just query the service to figure out what to present to the user in a discover service. The P3W pilot stores very little in a central service, leaving the history of choices in the browser and not in the central service itself. The WAYF Cloud is using open source software developed initially by a company called Atypon, and P3W is based on pyFF, one of the projects under the Identity Python umbrella.
In parallel with the two pilots are two work streams that cross both pilots: the Security/Privacy group and the UX group. The Security/Privacy group includes CISOs and privacy experts. Their goal is to review both pilots from a security and privacy perspective and determine if the pilots are GDPR compliant. The UX group is, as you might expect, developing guidance and reference implementations for the UI that the SPs would use for a discovery service.
So, great, people are talking about it and there’s a structure that seems to be sensible, but what’s the project actually doing?
Between now and the end of April, we expect quite a lot to start coming out of the project:
- A position paper endorsed by RA21 regarding asking IdPs and Fed Ops to make specific changes now that would help improve IdP discovery immediately, regardless of any other outputs of the project. (These changes focus primarily on populating the mdui and mdui hints in metadata.)
- A initial write up and recommendation from the Security/Privacy group regarding the pilots. This write up might highlight issues in both pilots, or it might recommend one pilot be scrapped entirely. Stay tuned…
- Results from a series of focus groups interviewed by the UX team as they test the different possibilities for the UX. They are exploring possibilities including a new ‘PayPal’ style button on websites that will take people to a discovery page, different language on the discovery page to differentiate (or not) between local accounts and federated accounts, and more.
- A set of webinars are planned to report out on the pilots and the UX work. These have not been put on the calendar yet, but when we have actual dates, the (free) registration info will be sent far and wide.
- And lastly, the project will be holding an in-person workshop in Philadelphia on April 27, adjacent to the STM meeting being held earlier in the week.
That’s the current status of the work! If you’d like more information, check out the website and in particular the Events page. It holds copies of all the presentations so far, and even some recordings of previous events. More information will be posted as it is produced by the project.
[1] “What Will You Do When They Come for Your Proxy Server?“
[2] “Identity is Everything” https://scholarlykitchen.sspnet.org/2018/01/22/identity-everything/
[3] “Myth Busting: Five Commonly Held Misconceptions About RA21 (and One Rumor Confirmed)” – https://scholarlykitchen.sspnet.org/2018/02/07/myth-busting-five-commonly-held-misconceptions-ra21/