Editor’s Note: Today’s post is by Ralph Youngen. Ralph is Senior Director of Technology Strategy & Partnerships at the American Chemical Society (ACS). He is past Co-Chair of RA21, a member of the SeamlessAccess governance committee, and one of the founders of GetFTR.
Last month I attended my first Electronic Resources and Libraries (ER&L) conference. My decision to attend was prompted in part by Lettie Conrad’s report “Of Paywalls and Proxies: The Buzz about Access at ER&L 2019”. Given my involvement with RA21 and its production implementation of SeamlessAccess over the past several years, I looked forward to the interaction with representatives from the library community most directly involved in matters of access and authentication. (N.B. For those who may be unfamiliar with them, RA21 was a community-driven initiative that culminated in the creation of a NISO Recommended Practice for improved access to institutionally-provided information resources. SeamlessAccess is a coalition creating an operational service based upon those recommended practices, promoting digital authentication leveraging an existing single sign-on infrastructure through one’s home institution.)
While Lettie’s ER&L 2019 report noted a collective need for change, the sentiment throughout ER&L 2020 acknowledged that said change is finally dawning. Campuses shared their successes and challenges with enabling federated authentication through services like OpenAthens. Other sessions focused on patron privacy. I particularly enjoyed a session presented by campus librarians from Stanford, Duke, and Yale, in which they indicated that the RA21 initiative raised their awareness of the need to focus on privacy issues and sparked long-overdue conversations with their campus IT departments that oversee authentication services.
Protection of user privacy is indeed a critical concern. Recent privacy regulations such as the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act provide useful foundations to build upon, but more specifically, this concern highlights the need for community-driven best practices for the scholarly information industry. As an example, SeamlessAccess is sponsoring an open working group whose goal is to codify sets of attributes that campuses would release about their users; of particular note is the distinction as to when it would or would not be appropriate to release some personally identifiable attributes. A separate working group tasked with developing model contract language around authentication issues is in the planning stage. See the SeamlessAccess website to get involved.
Then, the World Changed
For the hundreds of us who attended ER&L in person, I suspect no one could have predicted how the world would change when we returned home. The conference signified the last time I was in contact with more than a handful of people, my last plane flight, my last hotel stay, my last dinner in a restaurant…
The day after I returned home from ER&L, I watched a news report about how several U.S. campuses had made the decision to move to online-only classes for the remainder of the term. I rewound my DVR and took a picture of the TV screen.
Motivated by a need to ensure these students and faculty continued to have access to our publications, my ACS colleagues and I mounted a small campaign to reach out to the campus librarians at these institutions. The effort was similarly spurred on by reports received from China in February from the CARSI Federation, representing more than 300 Chinese academic institutions, who reported that their campus networks were becoming overloaded due to the sharp increase in remote access. ACS Publications responded to their request in February, rapidly enabling federated authentication for these Chinese institutions. With a strong suspicion that the United States was not far behind, we asked if the aforementioned U.S. institutions would enable federated authentication so that their patrons could access ACS Publications content using their campus login credentials while off-campus. In our communication, we explained how federated authentication would work alongside existing remote access methods, such as proxy or VPN. A small number of campuses responded positively, a smaller number responded negatively, but the majority did not respond at all.
Not long after, nearly every U.S. campus closed its physical doors. It was at this point that we rolled out a broader outreach initiative to all U.S. campuses that are members of the InCommon Federation.
A Quick Primer on Federated Authentication
Federated authentication (sometimes known by its implementations or consortia, such as Shibboleth or OpenAthens) is a method for allowing members of one organization to use their authentication credentials to access a web application of another organization. There are three parties involved: the end user, the organization hosting the web application (called the Service Provider), and the organization that can validate the user’s authentication credentials (called the Identity Provider).
In our industry, Service Providers (SPs) tend to be publishers, and Identity Providers (IdPs) tend to be academic institutions. The whole system relies upon a two-way trust between IdPs and SPs that, among other things, governs the information (“attributes”) that the IdP is willing to share about its users with the SP. While this may seem similar to logging into a website using your personal Google or Facebook account, the fact that an IdP (i.e., the academic institution) has complete control over the information it is willing to share about its users is a fundamental difference — this is the basis for ensuring patron privacy.
Federated authentication is also a more efficient way to deliver content to off-campus patrons than other commonly known remote access options. With VPN and many proxy configurations, content from a publisher’s site must flow through the campus network in order to get to the end user. In contrast, federated authentication relies on the campus network only to authenticate the user’s ID and password; the content itself flows directly from the publisher to the user. This was the reason behind the CARSI Federation’s request to enable federated authentication – to relieve load on overloaded campus networks. As expected, in March, ACS began to hear similar reports of network capacity concerns from some U.S. campuses.
Expanding Federated Authentication
ACS Publications is now enabling federated authentication for academic institutions worldwide. We are actively joining other national federations (beyond InCommon and CARSI) to provide members with federated authentication as a remote access option.
In the United States, while ACS has been a member of the InCommon federation for many years, only about a dozen of InCommon’s 550 IdP members had been enabled for federated access to ACS Publications content. For years the practice that ACS — and many other publishers — adopted was to only enable U.S. campuses that explicitly requested federated access. At the same time, most InCommon members had enabled their side of this two-way trust years ago. In March, ACS made strides to finalize our side of this configuration to easily allow the rest of these campuses to use their institutional federated identity credentials to access ACS Publications content.
About 350 of the InCommon institutions began using federated access during the last week of March. This change led to an incredible increase of more than 2,600% in the use of federated access in March. We are on pace to nearly double that rate of increase in April, as shown on this chart:
For years, the uptake of federated access has been modest and consistent. The bump of usage in February was an increase from institutions in China as a result of activating the CARSI Federation. The explosion of traffic in March was a combination of activating the InCommon U.S. campuses, along with ACS Publications’ implementation of the SeamlessAccess user experience, which makes federated authentication much easier to use.
Responses have been predominantly positive, and from a usage perspective, it is clear that patrons are finding the service useful. We have received some criticism, which has generally fallen along two lines: (1) some institutions prefer that all patrons continue to access content through library systems regardless of the user’s location (reasons range from control over data release, analytics, and usage data derived from centralized management to license compliance and systems integration concerns); and (2) some institutions voiced concerns about patron privacy and patron attribute release.
The concerns about patron privacy deserve attention, and these issues stem from how each institution’s identity federation services are implemented. As noted above, institutions have full control over what information about a user is provided to a service provider when authentication is approved. However, most institutional identity management is controlled by the campus IT department, not by the library. Many institutions use one bundle of attributes about their users, the Research and Scholarship (R&S) entity category, as the default set of user metadata released to most identity federation services. This entity category is generally acknowledged as not appropriate for most library services, as it provides far too much information about the user and is therefore not privacy protecting. The RA21 recommendation highlighted the fact that while identity federations can be used to provide personally identifiable information about the user when necessary, this is not necessary for library services. The purpose of an ongoing SeamlessAccess working group is to define a new entity category for library services. This would provide a “default setting” for institutional IT departments to configure, and thereby ensure that only the minimally required user attributes are released to service providers.
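The IdP-side control over attribute release described in the primer and in the paragraph above, modelled as an added example (this is not code from the post, from ACS, or from any federation’s real configuration). The R&S category URI is the real REFEDS identifier; the library-services category URI, the “minimal” bundle of affiliation plus a pairwise pseudonymous identifier, and the user record are all assumptions, since the working group had not yet defined that category.

```python
import hashlib
import hmac

# Real REFEDS entity category URI for Research and Scholarship (R&S).
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
# Placeholder URI for the library-services category the SeamlessAccess
# working group is still defining (assumption, not a real identifier).
LIBRARY_CATEGORY = "urn:example:category:library-services"

# R&S releases identifying attributes; the library bundle releases only
# affiliation plus a per-SP pseudonymous identifier (assumed minimal set).
RS_BUNDLE = ("eduPersonPrincipalName", "mail", "displayName",
             "givenName", "sn", "eduPersonScopedAffiliation")
LIBRARY_BUNDLE = ("eduPersonScopedAffiliation", "pairwise-id")

IDP_SCOPE = "example.edu"               # constructed IdP scope
IDP_SECRET = b"constructed-idp-secret"  # constructed; a real IdP keeps this secret

def pairwise_id(uid: str, sp_entity_id: str) -> str:
    """Stable for one (user, SP) pair, but unlinkable across different SPs."""
    mac = hmac.new(IDP_SECRET, f"{uid}|{sp_entity_id}".encode(), hashlib.sha256)
    return f"{mac.hexdigest()[:32]}@{IDP_SCOPE}"

def release_attributes(user: dict, sp_entity_id: str, sp_categories: set) -> dict:
    """Decide what the IdP asserts to the SP: the library bundle wins if the SP
    is in that category, R&S otherwise, and an unrecognised SP gets nothing."""
    if LIBRARY_CATEGORY in sp_categories:
        bundle = LIBRARY_BUNDLE
    elif RS_CATEGORY in sp_categories:
        bundle = RS_BUNDLE
    else:
        bundle = ()
    released = {}
    for attr in bundle:
        if attr == "pairwise-id":
            released[attr] = pairwise_id(user["uid"], sp_entity_id)
        elif attr in user:
            released[attr] = user[attr]
    return released

# Constructed user record held by the IdP.
USER = {
    "uid": "jdoe",
    "eduPersonPrincipalName": "jdoe@example.edu",
    "mail": "jane.doe@example.edu",
    "displayName": "Jane Doe",
    "givenName": "Jane",
    "sn": "Doe",
    "eduPersonScopedAffiliation": ["member@example.edu", "student@example.edu"],
}

if __name__ == "__main__":
    sp = "https://sp.publisher.example/shibboleth"   # constructed SP entityID
    print("R&S release:    ", release_attributes(USER, sp, {RS_CATEGORY}))
    print("Library release:", release_attributes(USER, sp, {LIBRARY_CATEGORY}))
```

Running it shows that the same user authenticating to the same SP yields a full name and e-mail under the R&S default, but only affiliation and an opaque per-SP identifier under the library bundle; that difference is what the IdP operator controls, not the publisher.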
The timing of the RA21 project and the resulting SeamlessAccess service is fortunate. Just at the time when most, if not all, institutions need to provide a reliable, secure, and simple method of remote access, SeamlessAccess provides precisely that service. It is clear from the data that ACS collected that users remain exceptionally keen to access scientific literature and will rapidly adopt federated authentication for remote access to publications. In part, this is because they are familiar with how to navigate signing on through institutional logins. But in greater part, it is because nearly everyone is having to move rapidly to reliable remote access solutions. While network-level authentication works reasonably well in a world where most people are physically together on campus, it falters in this new pandemic world where we are all working from home.
(The author gratefully acknowledges the contributions from ACS colleague Erin Wiringi and Scholarly Kitchen Chef Todd Carpenter.)