Federated Authentication at NIH: Trusting External Credentials at Known Levels of Assurance
Debbie Bucci and Peter Alterman
November, 2009
Page 2 Context
Background and History
InCommon (Shibboleth-SAML)
OpenID
PKI and PIV
Future Plans
integration Services Center (ISC) Contact:
Page 3 About NIH
National Institutes of Health (NIH)
Part of the U.S. Dept. of Health & Human Services
Primary Federal agency for conducting and supporting biomedical research
Page 4 NIH Login
NIH Login is the first Federated Identity Management service initiated at NIH and has been in production since February 2003.
Page 5 Consuming Many Credential Technologies, Federations and Trust Framework Providers
1. Validating credentials
2. Processing Levels of Assurance
3. Passing valid assertions and LOA to applications
Powered by CA SiteMinder
Page 6 NIH Login Today
Supports approximately 35,000 internal and external users
Number of systems:
– 202 Service Level Agreements
– 450 URLs
Over 1 million transactions per day
Page 7 External Users
NIH provides financial support to researchers around the world.
NIH invests over $28 billion in medical research each year.
83% goes to almost 50,000 competitive grants that support over 325,000 researchers outside of NIH.
Page 8 NIH Federated Login
Website: Contact:
Page 9
Federal Government SAML Identity Providers
– Northrop Grumman’s GovTrip, InCommon Wiki, Indiana CTS
Federated with other HHS agencies
– Food and Drug Administration (ADFS 1.0)
– HHS Shared Services
– Health Resources and Services Administration
NIH PIV
– Level 3 software certificates at FPKI Medium
– Level 4 PIV cards at FPKI High
Certificates cross-certified with Federal Bridge
– DOD and Aerospace
– SAFE Pharma
– Other agencies
Page 10 NIH and InCommon
Dec Pilot with NSF FastLane
June Signed MOA with InCommon for LOA-1
Aug First InCommon/NIH application
– Public Information Officers Federated SharePoint
Feb NCRR enabled two major applications
– Progress Reports
– CTSA wiki
In process: NIH Electronic Research Administration systems (LOA-2)
Page 11 NIH and InCommon – Future
LOA-2 (silver) Pilot with e-Grants
– Production expected in FY11 with 200,000 users
Additional Services:
– Multiple Institute/Center SharePoint instances
– Proxy to multiple managed services
– Additional scientific wikis
Page 12 NIH and OpenID
Current Status: Full implementation pending OpenID Foundation approval as Trust Framework Provider and Foundation members’ compliance with Federal OpenID profile and scheme
Early LOA-1 applications targeting use of OpenID credentials
– National Library of Medicine
– Medical wikis
– Conference registration
– Regional library access
– Others
Early OpenID providers
– Google
– Yahoo
– AOL
– Microsoft
Page 13 Next Steps
Production service with OpenID member credential providers
InCommon member credential providers at LOA-2
Continue adding NIH and other Agency apps as relying parties
Add InfoCard to the mix – open NIH-wide Identity Provider discovery/workflow – need to present a scalable, user-friendly interface
Page 14 Contact Information
NIH Federated Login – –
NIH Enterprise Architecture – NIH Enterprise Architecture Community in the NIH Portal