What is the RA21 project?
- Resource Access for the 21st Century (RA21) is a joint STM and NISO initiative aimed at optimizing access protocols across key stakeholder groups, including (but not limited to!) publishers, librarians, campuses, vendors, and identity federation operators, with a goal of facilitating a simple user experience for users of scholarly information resources.
What are the goals of RA21?
- RA21 seeks to explore potential alternatives to IP-based authentication for gaining access to scholarly information resources, and to develop best practices around the implementation of those alternatives.
What is in scope for RA21?
- In scope is the creation of a set of recommended best practices around identity discovery and authentication, and engaging publishers, librarians, and other interested parties in the implementation of those best practices.
What is out of scope for RA21?
- While the pilot programs are working with different tools to test out possible best practices, the RA21 project is not about building software tools or recommending specific products. It is also not about designing business models or providing legal advice around privacy.
How is RA21 governed?
- While RA21 was initiated by publishers as a task force of STM, its transition into a joint STM/NISO initiative was finalized following the completion of the NISO voting procedure on the matter. This change was made because RA21 will only succeed with cooperation from all parties involved in providing access to scholarly information resources. RA21 is committed to ensuring all stakeholders are represented in governance of the project; steering committee membership includes representatives from publishers, libraries, vendors, and the IAM community. See the About the Team page for more details.
How do you envision this working?
- While RA21 is not wedded to any particular technology, all of the pilots defined so far are proposing to follow a federated authentication model, in which authentication of users is handled by the institution, and then confirmation of the user having been authenticated is transmitted to the publisher using a secure protocol such as SAML (Security Assertion Markup Language). This leaves the choice of how to authenticate the users to each institution: some may use their centralized campus directories, others may use library patron databases.
Does RA21 take into account user privacy?
- User privacy is one of the guiding principles of RA21. The General Data Protection Regulation and the e-privacy regulation proposal arising from the EU provide a strong set of considerations that act as powerful input to the expectations of the project.
- All of the currently proposed pilots make use of SAML federated authentication technology, which has built-in mechanisms for preserving privacy. This puts the institution, and the user, fully in control of what personally identifiable information is disclosed to a resource provider via what are called “attribute release policies”. Typically, academic SAML Identity Providers provide unique, persistent, but opaque identifiers, which give publishers a way to personalize services for users without knowing the actual identity of the individual. Optionally, publishers may then ask for additional personal information from users via their normal registration processes, disclosing their privacy policies, in order to provide services which require the publisher to know the identity of the user, such as email alerts.
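The privacy mechanism described above, as an added sketch (not RA21 code and not taken from any SAML product): an identity provider derives an opaque identifier that is stable per resource provider but differs between providers, and filters user attributes through a release policy. The HMAC construction, the secret, the entity IDs, the attribute names and the policies are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample data: every value below is hypothetical.
IDP_SECRET = b"constructed-demo-secret-not-for-production"
SP_A = "https://sp.publisher-a.example/saml"
SP_B = "https://sp.publisher-b.example/saml"

USER = {
    "local_id": "jdoe42",                      # campus directory key, never released
    "mail": "jdoe@university.example",
    "affiliation": "member@university.example",
    "entitlement": "library-licensed-content",
}

# Attribute release policy: what each service provider is allowed to receive.
RELEASE_POLICY = {
    SP_A: {"affiliation", "entitlement"},          # access decision only
    SP_B: {"affiliation", "entitlement", "mail"},  # institution agreed to release mail
}


def pairwise_id(local_id: str, sp_entity_id: str, secret: bytes = IDP_SECRET) -> str:
    """Opaque identifier: stable for one (user, SP) pair, unlinkable across SPs."""
    # NUL separator keeps (sp, user) pairs unambiguous when concatenated.
    msg = sp_entity_id.encode() + b"\x00" + local_id.encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def released_attributes(user: dict, sp_entity_id: str) -> dict:
    """Apply the release policy; providers without a policy get only the opaque id."""
    allowed = RELEASE_POLICY.get(sp_entity_id, frozenset())
    out = {name: value for name, value in user.items() if name in allowed}
    out["pairwise_id"] = pairwise_id(user["local_id"], sp_entity_id)
    return out


if __name__ == "__main__":
    for sp in (SP_A, SP_B, "https://unknown-sp.example/saml"):
        print(sp, released_attributes(USER, sp))
```

Two publishers comparing records cannot match the same person on the identifier alone, while each publisher still sees the same value on every visit and can keep saved searches against it.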
What is the relevance of RA21 to …
- The RA21 project hopes to provide users with a seamless, customizable, and secure way to access scholarly information resources. By supporting federated login, users will be able to access content and services licensed by their institution from anywhere, from any device, from any starting point on the web, without having to either create multiple accounts or be restricted to the use of specific portals and proxy services.
- In contrast to the current situation, users will benefit from a consistent, intuitive user experience across participating resources and platforms.
- Users will be in charge of their privacy, having control over what information to share to obtain more personalized services and a better user experience across platforms and devices.
- Librarians currently have to constantly monitor and provide updated IP address information to multiple resource providers to ensure ongoing access for end users. RA21 seeks to remove the need for this time-consuming activity.
- Off-site access management is currently complex and time-consuming for librarians and difficult for users to understand. RA21 aims to reduce the barriers to off-site access for users, thereby maximizing the use of the resources purchased by libraries.
- RA21 aims to enable more granular reporting of usage to libraries, while allowing libraries to protect the identities of their users.
- By having a more traceable access mechanism, librarians and publishers can work together to more easily and more quickly identify instances of illegal or fraudulent activity and undertake targeted resolution.
- By moving away from IP-based access, libraries will be less subject to network perimeter intrusion and man-in-the-middle attacks on their IP address.
- Publishers will have the opportunity, with a user’s consent, to provide a better, more customized experience.
- Publishers will have the ability to provide granular and differentiated access for better reporting to governing bodies and customers.
- Publishers will be able to work with purchasing departments to more carefully manage licensed access and together could quickly target any instances of fraudulent or illegal activity.
- RA21 aims to increase the ability of publishers to ensure the integrity of content on both institutional and commercial platforms.
Identity federation operators?
- Identity federation operators support the goals of privacy and security for their users. By minimizing account reuse and enabling various tools within the federated identity infrastructure to support security incident response, federations support an overall improvement in security. By supporting the ability to share only that an individual — without identifying who that individual is — was able to authenticate and may be entitled to specific resources, federations support preserving the privacy of the user.
- RA21 seeks to provide a consistent, understandable user experience across a range of information resources typically used by academic institutions. By easing current complex access flows, and familiarizing users with the concept of federated authentication, federation operators will see more usage, and consequently more return on the investment made in implementing federated authentication infrastructure.
How is federated access relevant in the world of open access publishing?
- Librarians are responsible for providing access to a vast array of information sources, not just journals. Access to books, databases and other online resources and services will also be improved.
- RA21 can also be implemented in manuscript submission systems, editorial review tools, pre-print servers, etc., easing the difficulties users have today in managing multiple accounts and passwords for these tools, and potentially allowing usage reporting on the institutional level, supporting the reporting and compliance requirements of institutions.
- At present, libraries have no way of measuring usage of freely available information resources by their patrons. Depending on the access mechanism selected, it may be possible for librarians to better understand the patterns of usage of their patrons across all information resources.
How will RA21 deal with users who move from institution to institution over their career? Will they lose access to their saved searches, customizations, etc?
- RA21 is aiming to solve the organizational association part of the access management problem by allowing users to authenticate using credentials issued by their institution. Separately, resource providers could allow accounts to be linked to multiple sets of individual credentials, potentially including social network credentials, to support portability of personal settings and preferences as the user moves from institution to institution.
What does this mean for the walk-in user at a library?
- This is definitely an area which will need special attention. Using federated access does not imply using only login credentials. Institutions will be free to use different authentication methods for different classes of users. They could, for example, use smart cards, one-time access codes, certificates installed on library workstations, or even continue to use the IP address authorization for on-site usage, or may transition to a guest account service. It is up to the library itself to make these decisions.
What’s the timeline for adoption of RA21?
- Work is ongoing on the UX (user experience) aspects of RA21; however, the practical pilots have been completed, and their results will be used as the basis of a set of recommended best practices. These will be formalized through the NISO process (http://www.niso.org/publications/rp/). We anticipate a gradual transition towards adoption of the RA21 solution from 2019. (See also FAQ: Will RA21 proactively turn off IP authentication? below.)
What major publishers have agreed to adopt this model?
- RA21 is currently in pilot phase. As such, there are no formal best practices to adopt as yet. However, a number of major academic publishers (The American Chemical Society, Elsevier, IEEE, Springer/Nature, Wiley) are actively participating in the pilots.
Is RA21 going to propose using one of the major commercial IAM systems like Google’s account system?
- RA21 is not proposing to build any specific technology or solution. Rather, it will be developing recommended best practices for information resource providers and institutions to adopt. Some may choose to implement the recommended best practices directly themselves; however, we expect many will also choose to use third-party service providers. There are several vendors in this space, both those specializing in scholarly communications and those more generally providing “Identity and Access Management” (IAM) technology, and there are also well-established open source projects such as Shibboleth.
Will RA21 proactively turn off IP authentication?
- RA21 is a community-wide effort seeking to develop best practices for authenticating access to information resources that work seamlessly from any device, at any time, from anywhere. Over time, we expect that information resource providers and their customers will come to believe that these mechanisms are better for users than the current reliance on outdated IP authentication. However, it is not RA21’s role to dictate to any service provider which mechanisms they should or should not support at any point in time. We anticipate a gradual transition away from IP over the coming years, with multiple mechanisms supported in parallel for some time to come. We also think it is unlikely that any specific service provider will seek to proactively disable IP until and unless barriers to implementing alternatives have been resolved and those solutions are generally acceptable to the service provider’s customers.
How can I stay informed about RA21?
- To receive regular news and updates about RA21, please fill in the ‘Contact Us’ form on this website.
How can I participate?
- Active participation in the RA21 Academic Pilots is now closed.
- Opportunities for participation by hospital librarians as part of the RA21 Hospital/Clinical working group are still open. See the Hospital Access FAQs below for further details.
What are the terms of participation?
- RA21’s terms of participation are available on the website. Participants are required to work in an open and constructive manner. Findings, experiences and results are to be shared among all participants during and after the conclusion of a pilot. The collective results from all RA21 pilots are intended to be used to develop best practices which will be made publicly available.
What about hospital access for RA21?
- RA21 has formed the Hospital/Clinical Access Working Group which is a subcommittee of the RA21 Outreach committee. The objectives of this Working Group are to survey, identify and define the use cases/problems for accessing licensed resources from within a hospital/healthcare system that are involved with RA21 adoption and are related to RA21’s authentication use cases. Regardless of the type of user (student, intern, resident, other clinician), our focus is the access to electronic hospital library online resources (databases, books, journals, multi-media).
- The reported cases/problems may be barriers or success use cases/statements. The objective also includes understanding the unique technology context of a hospital where RA21 would be used. The final report will include three parts:
  - The problem statements/use cases in a hospital/system for RA21.
  - An explanation of the unique terminology and technology context of a hospital where RA21 would be deployed.
  - Next actions.
How can Hospital Librarians be involved?
- Please contact Julia Wallace at firstname.lastname@example.org. We plan to survey hospital librarians focusing on North America; however, English-language survey participation will be sought for Europe, Asia-Pacific and Central and South America. We also plan to host focus groups. If you are interested in disseminating the survey or being involved in focus groups, please email Julia before 31 October 2018 for Focus Group participation, and before 16 March 2019 for survey participation. For more information, please see the Hospital/Clinical Access Working Group.
How open is RA21? Will it be developing proprietary techniques or technology?
- RA21 will not build a specific technical solution or an industry-wide authentication platform, but will seek to test and improve solutions. It has, however, been identified that some lightweight, centralized infrastructure will be required for the future implementation of the RA21 solution, and RA21 is preparing for the post-project phase by identifying potential parties to operate this service.
- As a community-based development effort, we seek to make the outcomes of this project freely and publicly available. All participants should read and accept the NISO Intellectual Property Rights Policy <http://www.niso.org/apps/group_public/download.php/13500/NISO_IPR_Policy_2013.pdf>, which calls for the Free, Reasonable and Non-Discriminatory (FRAND) release of intellectual property that is incorporated into the project’s final recommendation.
Why doesn’t RA21 require all tools and software employed in the pilot to be released open source?
- We do not wish to exclude access management vendors from participating in the pilot, many of whom earn a living from providing access management software and services. However, we will not require the use of any proprietary tools or software in the final recommended best practices, which will be based on and/or extend existing open standards.