NIH iTrust

Peter Alterman/Debbie Bucci

National Institutes of Health, October 2010


Federal Agency Business Needs

• Implement SSO across an entire agency or department
• Implement federated SSO across multiple organizations
• Reduce IT expenses associated with custom solutions
• Meet federal mandates regarding PIV/CAC
• Promote both interoperability and standards
• Align with FICAM’s IdM reference segment architecture
• Implement a turnkey solution in a timely manner


Federal Mandates

Mandates for federated authentication and for the Personal Identity Verification (PIV) Card and Common Access Card (CAC) across the Federal Government:

• HSPD-12 “Policy for a Common Identification Standard for Federal Employees and Contractors”
• FIPS 201-1 “Personal Identity Verification of Federal Employees and Contractors”
• NIST SP 800-63 “Electronic Authentication Guideline”
• OMB M-04-04 “E-Authentication Guidance for Federal Agencies”
• OMB M-06-16 “Protection of Sensitive Agency Information”


NIH iTrust

• Enterprise web single sign-on (SSO) and federation services

• In production since 2003 (as NIH Login)

• Over 35,000 NIH users, 238 applications, 588 URLs

• Over 2.4 million transactions per day

• Supports Personal Identity Verification (PIV) Cards


Federated View


Federated Authentication at NIH

Three diagram slides show the same trust-framework pattern with different participants:

• Trust framework provider: General Services Administration. Participants shown: private-sector identity providers, U.S. Government websites, assessors & auditors, dispute resolvers, and the user.
• Trust framework provider: General Services Administration. Participants shown: universities, U.S. Government websites, assessors & auditors, dispute resolvers, and the user.
• Trust framework provider: Federal PKI Architecture. Participants shown: Federal agencies, InCommon Federation provider websites, U.S. Government websites, assessors & auditors, dispute resolvers, and the user.

Current Integration Projects

• NIH eVIP (electronic Vendor Invoicing Program)
• NIH eRA (electronic Research Administration)
• National Library of Medicine PubMed Database
• HHS Healthcare Reform Implementation Tracking Tool (HRITT)
• National Interagency Confederation for Biological Research (NICBR)


NIH iTrust Technology

• CA SiteMinder web access management system
  – User authentication and secure Internet SSO
  – Policy-driven authorization and federation of identities
  – Complete auditing of all access to the application
• Configured to support SAML 1.1 and 2.0, OpenID 2.0, and X.509 (PIV and PKI) credentials
  – Cross-certified with the Federal PKI architecture
• NIH iTrust has 99.95% availability, 24 x 7 x 365
  – Windows and Unix servers in the highly secure NIH Data Center in Bethesda, MD
  – Dedicated production servers and off-site failover capabilities

Diagram (NIH iTrust federation flow): the user presents a credential to an external Identity Provider across the Internet, and the Identity Provider returns a SAML or OpenID assertion to NIH iTrust, which acts as the NIH Assertion/Token Consumer behind the NIH Reverse Proxy. An Identity Provider Listing Service, queried over SOAP, supplies the federation links and a link cache used for the “Select IdP link” step. After authorization (AuthZ), NIH iTrust passes the resulting identity to the agency application (without a 3rd-party agent) as HTTP headers.
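The diagram above ends with the agency application receiving the user's identity as HTTP headers from the NIH reverse proxy. That hand-off is only as strong as the application's refusal to accept those headers from anyone else. The following is an added example, not NIH iTrust or CA SiteMinder code: a stand-alone WSGI guard showing the checks such an application should make before it believes an identity header. The header names, the proxy subnet, the shared secret and the HMAC scheme are assumptions for illustration; the slides only say that identity arrives as HTTP headers.

```python
"""Header-based identity from a reverse proxy: what the agency application must
check before it believes the headers. Added example; header names, proxy subnet,
shared secret and the HMAC scheme are assumptions, not NIH iTrust behaviour."""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
from typing import Optional, Tuple

# Constructed deployment facts (assumptions, not from the slides).
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.0.0/24")]   # where the reverse proxy lives
PROXY_SECRET = b"constructed-demo-secret"                   # shared only with the proxy
USER_HDR, LOA_HDR, SIG_HDR = "HTTP_X_SSO_USER", "HTTP_X_SSO_LOA", "HTTP_X_SSO_SIG"


def sign_identity(user: str, loa: str, secret: bytes = PROXY_SECRET) -> str:
    """HMAC the proxy attaches to the identity it injects (assumed scheme)."""
    return hmac.new(secret, f"{user}\n{loa}".encode(), hashlib.sha256).hexdigest()


def identity_from_proxy(environ: dict) -> Optional[dict]:
    """Return {'user', 'loa'} only when the identity headers can be trusted.

    None means: not from the proxy, header missing or malformed, or bad HMAC.
    """
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None  # a direct client can write any header it likes
    user, loa, sig = (environ.get(h, "") for h in (USER_HDR, LOA_HDR, SIG_HDR))
    if not (user and loa.isdigit() and sig):
        return None
    if not hmac.compare_digest(sign_identity(user, loa), sig):
        return None  # header set was not produced by the holder of PROXY_SECRET
    return {"user": user, "loa": int(loa)}


def strip_identity_headers(environ: dict) -> None:
    """Remove the raw identity headers so nothing downstream re-reads them."""
    for h in (USER_HDR, LOA_HDR, SIG_HDR):
        environ.pop(h, None)


def sso_guard(app, min_loa: int = 2):
    """WSGI middleware: admit only verified identities at or above min_loa."""
    def wrapped(environ, start_response):
        ident = identity_from_proxy(environ)
        strip_identity_headers(environ)
        if ident is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"identity headers missing, unsigned, or not from the proxy\n"]
        if ident["loa"] < min_loa:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"assurance level too low for this application\n"]
        environ["sso.identity"] = ident  # the only identity the app should read
        return app(environ, start_response)
    return wrapped


def hello_app(environ, start_response):
    """Stand-in agency application that trusts only environ['sso.identity']."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {environ['sso.identity']['user']}\n".encode()]


def run(environ: dict) -> Tuple[str, bytes]:
    """Drive the stack without a server; return (status, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    body = b"".join(sso_guard(hello_app)(dict(environ), start_response))
    return seen["status"], body


if __name__ == "__main__":
    # Constructed requests: one from the proxy, one spoofed by a direct client.
    from_proxy = {"REMOTE_ADDR": "10.10.0.5", USER_HDR: "alice", LOA_HDR: "3",
                  SIG_HDR: sign_identity("alice", "3")}
    spoofed = {"REMOTE_ADDR": "203.0.113.9", USER_HDR: "admin", LOA_HDR: "4",
               SIG_HDR: "deadbeef"}
    print(run(from_proxy))
    print(run(spoofed))
```

The two checks are independent on purpose: the source-address test stops a browser from talking to the application directly with forged headers, and the HMAC stops anything that does reach the application's network segment from rewriting the identity in transit. In a real deployment the proxy-to-application path should also be restricted at the network layer, and the secret rotated like any other credential.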

Collaborative SharePoint

Diagram: on the Relying Party (RP) side, rp1.consortium.gov/site1 (IIS) and rp2.consortium.gov/site2 (SharePoint 2010) sit behind rp-sts.consortium.gov (ADFS 2.0), which is linked to the sites by WS-Trust. On the Identity Provider (IdP) side, Idp1.nih.gov (NIH) is labelled with PIV Cert, NTLM and A/D, and a second IdP, idp2.theirdomain.com, with PIV Cert. The user/browser reaches both sides across the Internet; SAML is the protocol labelled between the IdPs and the ADFS STS, WS-Trust between the STS and the SharePoint sites.

Vendor Invoicing

Diagram: Identity Providers (IdP, OIX certified): Equifax and PayPal. Relying Party (RP): Invoice1, backed by the CCR SOA service. The user’s browser with a card selector presents an Information Card; the exchange is labelled HTML Object Tag, WS-SecurityPolicy, WS-Trust RST/RSTR and SAML. Numbered steps:

1. User attempts to access the LOA 3 Invoice1 resource.
2-4. The user authenticates to Invoice1 using their PayPal information card.
5. Invoice1 verifies the user holds a trusted role using the CCR SOA service.
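Both the NIH iTrust architecture slide (NIH as the Assertion/Token Consumer) and the Vendor Invoicing flow above end in the same relying-party step: a SAML token arrives, and the RP must decide whether it is good enough for an LOA 3 resource and whether the subject holds a trusted role. The following is an added example, not NIH iTrust, CA SiteMinder or Invoice1 code, showing the content checks an RP performs on a SAML 2.0 assertion after its XML signature has been verified. The issuer, audience, the mapping from AuthnContext class to level of assurance, the sample assertion and the role registry (a stand-in for a lookup such as the CCR SOA service) are all constructed assumptions.

```python
"""Relying-party checks on a SAML 2.0 assertion before granting access.
Added example, not NIH iTrust or CA SiteMinder code. Assumed: the XML
signature over the assertion has already been verified against the issuer's
key; the issuer, audience, LOA mapping and role registry are constructed."""
from __future__ import annotations

import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from datetime import datetime, timedelta, timezone
from typing import Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

TRUSTED_ISSUERS = {"https://cards.example-idp.test/sts"}  # constructed IdP entityID
MY_AUDIENCE = "https://invoice1.example.test/"              # constructed RP entityID
CLOCK_SKEW = timedelta(minutes=2)                           # tolerance for IdP/RP clock drift
# Assumed mapping from AuthnContext class to an SP 800-63 level of assurance.
LOA_BY_AUTHN_CONTEXT = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509": 3,
}
# Stand-in for the role registry the RP would query (constructed data).
TRUSTED_ROLES = {"vendor-0042": {"invoice-submitter"}}


def parse_saml_time(value: str) -> datetime:
    """SAML times are UTC xs:dateTime; tolerate fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_assertion(xml_text: str, now: datetime, required_loa: int,
                    required_role: str) -> Tuple[bool, str]:
    """Return (admitted, reason): issuer, validity window, audience,
    assurance level, then authorization, in that order."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in TRUSTED_ISSUERS:
        return False, f"untrusted issuer {issuer!r}"

    cond = root.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return False, "validity window missing"
    if now + CLOCK_SKEW < parse_saml_time(cond.get("NotBefore")):
        return False, "assertion not yet valid"
    if now - CLOCK_SKEW >= parse_saml_time(cond.get("NotOnOrAfter")):
        return False, "assertion expired"

    audiences = {a.text.strip() for a in
                 cond.iterfind("saml:AudienceRestriction/saml:Audience", NS) if a.text}
    if MY_AUDIENCE not in audiences:
        return False, "assertion not addressed to this relying party"

    ctx = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                        default="", namespaces=NS).strip()
    loa = LOA_BY_AUTHN_CONTEXT.get(ctx, 0)  # unknown context class => no assurance
    if loa < required_loa:
        return False, f"LOA {loa} below required LOA {required_loa}"

    subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not subject:
        return False, "no subject identifier"
    if required_role not in TRUSTED_ROLES.get(subject, set()):
        return False, f"{subject!r} does not hold role {required_role!r}"
    return True, f"{subject} admitted at LOA {loa}"


# Constructed assertion (not a real NIH or PayPal token); valid 14:03 to 14:08 UTC.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2010-10-05T14:03:00Z">
  <saml:Issuer>https://cards.example-idp.test/sts</saml:Issuer>
  <saml:Subject><saml:NameID>vendor-0042</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-10-05T14:03:00Z" NotOnOrAfter="2010-10-05T14:08:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://invoice1.example.test/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2010-10-05T14:02:58Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    at = parse_saml_time
    print(check_assertion(SAMPLE_ASSERTION, at("2010-10-05T14:05:00Z"), 3, "invoice-submitter"))
    print(check_assertion(SAMPLE_ASSERTION, at("2010-10-05T14:30:00Z"), 3, "invoice-submitter"))
```

Every field read here is attacker-controlled until the signature has been checked, which is why signature verification is a precondition rather than a step in this function. A production consumer also records the assertion ID to refuse replays within the validity window and, for SSO profiles, matches SubjectConfirmation and InResponseTo against the request it sent.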


NIH iTrust Demo

• Clinical and Translational Science Awards (CTSA) Wiki
  – http://www.ctsaweb.org/federatedhome.html
• My NCBI (PubMed/Medline access)
  – http://www.ncbi.nlm.nih.gov/sites/myncbi/

For Further Information

Debbie Bucci
Manager, Integration Services Center
Division of Enterprise and Custom Applications
Center for Information Technology
National Institutes of Health
[email protected]

NIH Integration Services Center
[email protected]