
Federated Authentication at NIH: Trusting External Credentials at Known Levels of Assurance Debbie Bucci and Peter Alterman November, 2009.

Jan 05, 2016


Context

• Background and History

• InCommon (Shibboleth-SAML)

• OpenID

• PKI and PIV

• Future Plans

Integration Services Center (ISC) Contact: [email protected]

About NIH

• National Institutes of Health (NIH)
• Part of the U.S. Dept. of Health & Human Services
• Primary Federal agency for conducting and supporting biomedical research

NIH Login

NIH Login is the first Federated Identity Management service initiated at NIH and has been in production since February 2003.

Consuming Many Credential Technologies, Federations and Trust Framework Providers

1. Validating credentials
2. Processing Levels of Assurance
3. Passing valid assertions and LOA to applications

Powered by CA SiteMinder

NIH Login Today

• Supports approximately 35,000 internal and external users
• Number of systems:
  – 202 Service Level Agreements
  – 450 URLs
• Over 1 million transactions per day

External Users

NIH provides financial support to researchers around the world.

NIH invests over $28 billion in medical research each year.

$28 Billion in Medical Research

83% goes to almost 50,000 competitive grants that support over 325,000 researchers outside of NIH.

NIH Federated Login

Website: http://EnterpriseArchitecture.nih.gov Contact: [email protected]

Federal Government

• SAML Identity Providers – Northrop Grumman’s GovTrip, InCommon Wiki, Indiana CTS
• Federated with other HHS agencies
  – Food and Drug Administration (ADFS 1.0)
  – HHS Shared Services – Health Resources and Services Administration
• NIH PIV
  – Level 3 software certificates at FPKI Medium
  – Level 4 PIV cards at FPKI High
• Certificates cross-certified with Federal Bridge
  – DOD and Aerospace
  – SAFE Pharma
  – Other agencies

NIH and InCommon

NIH and InCommon – Future

• LOA-2 (silver) Pilot with e-Grants – Production expected in FY11 with 200,000 users
• Additional Services:
  – Multiple Institute/Center SharePoint instances
  – Proxy to multiple managed services
  – Additional scientific wikis

NIH and OpenID

• Current Status: Full implementation pending OpenID Foundation approval as Trust Framework Provider and Foundation members’ compliance with Federal OpenID profile and scheme
• Early LOA-1 applications targeting use of OpenID credentials
  – National Library of Medicine
  – Medical wikis
  – Conference registration
  – Regional library access
  – Others
• Early OpenID providers
  – Google
  – Yahoo
  – AOL
  – Microsoft

Next Steps

• Production service with OpenID member credential providers
• InCommon member credential providers at LOA-2
• Continue adding NIH and other Agency apps as relying parties
• Add InfoCard to the mix – open NIH-wide
• Identity Provider discovery/workflow – need to present a scalable, user-friendly interface

Contact Information

• NIH Federated Login
  – http://federatedidentity.nih.gov
  – http://isc.nih.gov
  – [email protected]
• NIH Enterprise Architecture
  – http://enterprisearchitechure.nih.gov
• NIH Enterprise Architecture Community in the NIH Portal
  – [email protected]