On 17 April 2019, the “Recommended Practice on Improved Access to Institutionally-Provided Information Resources” was released for public comment. This is the final output of the RA21 initiative, an effort that started in 2016 in response to concerns about the limitations of IP address authorization and the issues with a possible successor technology, federated login.
In the eight years since ESPReSSO (seven years since the REFEDS Discovery Guide), individuals have grown accustomed to federated logins via interfaces like the Google Account Chooser, Facebook login buttons, and other social identity provider tie-ins. This increase in services using social logins is likely a result of the ease of integration using OpenID Connect, but regardless of the underlying technology, the fact that users are familiar with this kind of outsourcing of login services is an important change.
The core information in the Recommended Practice (RP) revolves around improving the user experience for identity provider (IdP) discovery. IdP discovery has been an area of concern in the fed ops community for as long as there has been a fed ops community. REFEDS itself developed a discovery guide in 2012, based on NISO’s ESPReSSO guidelines, to try to improve the knowledge in the space, but uptake was low. So, what makes this new effort out of RA21 better than those previous attempts?
It’s not just users who are now accustomed to seeing a login screen that lets them choose their preferred (social) identity provider. As hinted at previously, service providers (SPs) are also accustomed to using OIDC libraries to remove the need for usernames and passwords stored in their service. Related to this is a growing appreciation for the need to protect users’ privacy, which is driving SPs to avoid storing usernames and passwords. Any personalization of services instead happens as a much more informed set of actions on the part of the user.
While the RP draft is focused on SAML-based federations, the underlying principles are technology agnostic. The recommendations for how to handle the user experience apply regardless. That said, the RP does not cover everything that could ultimately impact the user experience during a federated login process. In the “Future Work Items” section, the paper calls out the fact that further work is still needed in the area of user consent for both permission to store the choice of IdP in the user’s browser as well as for attribute release in general, on best practice for logos, and several other areas. There is still quite a bit of room to learn and grow in this space!
When the RP is published as an official NISO Recommended Practice, the RA21 initiative itself will be complete. At that point, the work shifts to an operational effort to put those recommendations into production by offering a central discovery and persistence service from a group called the Coalition for Seamless Access, formed from key RA21 participants (the International Association of STM Publishers, NISO, GÉANT, Internet2, and ORCID). More information on that effort and on the governance through the Coalition will be forthcoming in the next few months.