NIH iTrust Peter Alterman/Debbie Bucci National Institutes of Health October 2010.
Federal Agency Business Needs
• Implement SSO across an entire agency or department
• Implement federated SSO across multiple organizations
• Reduce IT expenses associated with custom solutions
• Meet federal mandates regarding PIV/CAC
• Promote both interoperability and standards
• Align with FICAM’s IdM reference segment architecture
• Implement a turnkey solution in a timely manner
Federal Mandates
Mandates for Federated Authentication and Personal Identity Verification (PIV) Card and Common Access Card (CAC) across the Federal Government:
• HSPD-12 “Policy for a Common Identification Standard for Federal Employees and Contractors”
• FIPS 201-1 “Personal Identity Verification of Federal Employees and Contractors”
• NIST SP 800-63 “Electronic Authentication Guideline”
• OMB M-04-04 “E-Authentication Guidance for Federal Agencies”
• OMB M-06-16 “Protection of Sensitive Agency Information”
NIH iTrust
• Enterprise web single sign-on (SSO) and federation services
• In production since 2003 (as NIH Login)
• Over 35,000 NIH users, 238 applications, 588 URLs
• Over 2.4 million transactions per day
• Supports Personal Identity Verification (PIV) Cards
Federated Authentication at NIH
[Diagram, shown in three variants; each places the user among U.S. Government websites, assessors & auditors, and dispute resolvers under a trust framework provider:
• Trust framework provider: General Services Administration; identity providers: private-sector identity providers
• Trust framework provider: General Services Administration; identity providers: universities
• Trust framework provider: Federal PKI Architecture; identity providers: federal agencies and InCommon Federation provider websites]
Current Integration Projects
• NIH eVIP (electronic Vendor Invoicing Program)
• NIH eRA (electronic Research Administration)
• National Library of Medicine PubMed Database
• HHS Healthcare Reform Implementation Tracking Tool (HRITT)
• National Interagency Confederation for Biological Research (NICBR)
NIH iTrust Technology
• CA SiteMinder web access management system
  – User authentication and secure Internet SSO
  – Policy-driven authorization and federation of identities
  – Complete auditing of all access to the application
• Configuration to support SAML 1.1 and 2.0, OpenID 2.0, and X.509 (PIV and PKI) credentials
  – Cross-certified with the Federal PKI architecture
• NIH iTrust has 99.95% availability 24 x 7 x 365
  – Windows and Unix servers in the highly secure NIH Data Center in Bethesda, MD
  – Dedicated production servers and off-site failover capabilities
[Architecture diagram: the user's credential arrives from the Internet over SAML or OpenID; inside NIH iTrust, an Identity Provider Listing Service (federation links, link cache) lets the user select an IdP link, the NIH Assertion/Token Consumer receives the assertion, AuthZ is applied, and the NIH Reverse Proxy passes identity to the Agency Application (without a 3rd-party agent) via HTTP headers. SOAP also appears as an interface label between components.]
Collaborative SharePoint
[Diagram: a user/browser authenticates over SAML to either the NIH IdP (Idp1.nih.gov, backed by PIV certificates, NTLM and A/D) or another IdP (idp2.theirdomain.com); on the relying-party side, WS-Trust links rp-sts.consortium.gov (ADFS 2.0) with rp1.consortium.gov/site1 (IIS) and rp2.consortium.gov/site2 (SharePoint 2010).]
Vendor Invoicing
[Diagram: a user/browser with a card selector presents an Information Card (HTML object tag, WS-SecurityPolicy) to an OIX-certified IdP (PayPal, Equifax) in a WS-Trust RST/RSTR exchange that returns a SAML token to the relying party Invoice1, which then calls the CCR SOA service.]
1. User attempts to access LOA 3 Invoice1 resource.
2-4. The user authenticates to Invoice1 using their PayPal information card.
5. Invoice1 verifies the user is a trusted role using the CCR SOA service.
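As an added example (not from the presentation), the relying-party decision for the Invoice1 flow above: once the WS-Trust exchange has delivered a SAML token, the RP checks issuer, validity window, audience and asserted assurance level, then consults the role registry before granting access. The IdP and RP URLs, the vendor roles and the ICAM-style LOA URI prefix are assumptions; the CCR lookup is a constructed table standing in for the SOA service, and token signature verification is assumed to have happened already.

```python
"""RP side of the Invoice1 flow: admit a SAML token only from a trusted IdP, inside its
validity window, addressed to this RP, at LOA 3 or higher, for a subject with a trusted role."""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
LOA_URI = "http://idmanagement.gov/ns/assurance/loa/"  # assumed ICAM-style LOA URI prefix
TRUSTED_IDPS = {"https://idp.example-oix.test"}         # constructed trust list
AUDIENCE = "https://invoice1.example.test"              # constructed RP entity ID
# Constructed stand-in for the CCR SOA service: vendor subject -> trusted roles.
CCR_ROLES = {"vendor-0001": {"InvoiceSubmitter"}, "vendor-0002": set()}

def parse_loa(class_ref):
    """Integer LOA from an assurance URI, or 0 when the URI is not recognised."""
    tail = class_ref[len(LOA_URI):] if class_ref.startswith(LOA_URI) else ""
    return int(tail) if tail.isdigit() else 0

def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def make_assertion(issuer, subject, loa):
    """Minimal unsigned SAML 2.0 assertion, constructed here purely for testing."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-10-01T12:00:00Z" NotOnOrAfter="2010-10-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>{LOA_URI}{loa}</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"""

def authorize(assertion_xml, now_iso, required_loa=3, role="InvoiceSubmitter"):
    """Steps 2-5 as the RP sees them; returns (granted, reason). Token signature assumed checked."""
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", default="", namespaces=NS) not in TRUSTED_IDPS:
        return False, "untrusted issuer"
    cond = root.find("saml:Conditions", NS)
    now = _ts(now_iso)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside validity window"
    if AUDIENCE not in [a.text for a in cond.iterfind(".//saml:Audience", NS)]:
        return False, "assertion not addressed to this RP"
    ref = root.findtext(".//saml:AuthnContextClassRef", default="", namespaces=NS)
    if parse_loa(ref) < required_loa:
        return False, f"assurance level below LOA {required_loa}"
    subject = root.findtext(".//saml:NameID", default="", namespaces=NS)
    if role not in CCR_ROLES.get(subject, set()):
        return False, "subject lacks trusted role"
    return True, "access granted"
```

The checks are ordered so that the cheapest trust decision (issuer) is made first and the role lookup is reached only for tokens that already meet the LOA 3 requirement of step 1.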
NIH iTrust Demo
• Clinical and Translational Science Awards (CTSA) Wiki
  – http://www.ctsaweb.org/federatedhome.html
• My NCBI (PubMed/Medline access)
  – http://www.ncbi.nlm.nih.gov/sites/myncbi/
For Further Information
Debbie Bucci
Manager, Integration Services Center
Division of Enterprise and Custom Applications
Center for Information Technology
National Institutes of Health
[email protected]
NIH Integration Services Center
[email protected]