NIH Enterprise Architecture Home

Identification and Authentication Brick

Description

This standard establishes NIH Login as the required method of implementing authentication in web-based applications at the NIH. Authenticated identities are the basis for many other information security services. Therefore, NIH needs to:

  • Verify user identity as the basis for access control to NIH resources
  • Control individual user access to the resources and services provided by those systems 
  • Create an audit trail of individual user access or attempted access to those systems, resources and services

Authentication services are crucial to access control and auditing services. If users' identities are not properly authenticated, NIH has no assurance that access to resources and services is properly controlled. In most situations, User ID and password combinations will provide an appropriate level of security if the User ID and password conform to NIH policy. However, NIH will implement stronger authentication for enterprise users with high system privileges (e.g. system, network and security administrators).

NIH Login shall be used by web-based applications for user authentication.

Brick Information

Tactical (0-2 years)

  • NIH Login

Strategic (2-5 years)

  • NIH Login

Retirement (To be eliminated)

  • (none)

Containment (No new development)

  • Application-specific user authentication based on databases including LDAP, RDBMSs
  • Application-specific user authentication including IP and MAC Addresses

Baseline (Today)

  • Application-specific user authentication based on databases including LDAP, RDBMSs
  • Application-specific user authentication including IP and MAC Addresses
  • NIH Login (currently utilizing CA SiteMinder)

Emerging (To track)

  • Biometrics which integrate with NIH Login
  • Smartcards which integrate with NIH Login

Comments

  • Tactical and Strategic products were selected to leverage NIH’s investment in technologies that are a proven fit for NIH’s known future needs. Leveraging baseline products in the future will minimize the operations, maintenance, support and training costs for new products.
  • As the purpose of this standard is to standardize Identification and Authentication for NIH applications through use of NIH Login, NIH Login is the only selection for Tactical and Strategic technologies and shall be used by new web-based applications requiring authentication functionality.
  • NIH Login itself is the proposed standard and does not denote a specific supporting technology.
  • Currently, NIH Login utilizes CA SiteMinder.

Time Table

This architecture definition approved on: April 2, 2008

The next review is scheduled in: TBD