Spring 2009 [Number 243]
NIH Federated Identity Service

Would you like to work more closely with extramural organizations but find the exchange of information hobbled by separate security standards and multiple authentication processes? If your willingness to share access to NIH systems, data sources, and collaborative online tools with non-NIH partners has been dampened by the hassle and cost of setting up, maintaining, and authenticating separate user accounts, consider this scenario: a researcher from Johns Hopkins University wishes to participate in a scientific wiki created by an NIH IC. She simply uses her own login credentials from JHU to access the site, without first undergoing a lengthy credentialing process to prove her identity to NIH. There is no separate account to maintain and no new password to remember; secure shared access across institutions is easy and seamless.

If this sounds highly desirable but unrealistic, here is some good news: it is a reality now, thanks to the NIH Federated Identity Service.

What is the NIH Federated Identity Service?

The NIH Federated Identity Service aims to streamline interagency collaboration between NIH and outside institutions, such as universities, other Department of Health and Human Services (HHS) Operating Divisions (OPDIVs), and other federal agencies. By allowing authorized individuals to use a single name, password, or other identity to access multiple applications or data sources, it makes collaboration both secure and seamless.

Specifically, the NIH Federated Identity Service cuts out the cumbersome separate authentication process usually required for cross-organizational cooperation. Instead of verifying user IDs separately through NIH, Federated Identity grants members secure access to NIH applications and systems by relying on the outside organization's authentication process and accepting the same user name, password, or other personal identification already authenticated by the user's home organization.

To enable this kind of shared access, the service relies on open industry standards and/or openly published specifications, leverages existing technology and infrastructure, such as Web 2.0 tools, and supports and promotes interoperability.

How does it work?

The NIH Federated Identity Service uses the concept of "federation" to solve the problem of separate identity authentication standards that complicates sharing access among different groups. Federation refers to an association of organizations that agree to a shared set of policies, definitions, and security standards in their authentication processes. Each member of a federated group acts as an identity credential provider for its own users but also accepts the user authentication process of the other members when granting access to users of the "federated" organizations. In this way, the NIH Federated Identity Service maintains user privacy, by keeping the users' credentialing process within their home organization, while enabling more seamless collaborations and transactions between federated organizations that can trust each other's identity authentication.

How does this work for the individual users accessing applications or systems under Federated Identity? It's easy: the Johns Hopkins-based researcher mentioned earlier simply visits the shared wiki page hosted by NIH and, when logging in, selects her home institution from a drop-down menu. Then, since JHU is federated with NIH, she logs in using her home institution-assigned username and password. It's that simple.

Who is using it?

As of November 2008, the NIH Federated Identity Service served 16 applications at NIH. Additional applications are in the development stage for federation and are starting production in early 2009. Users at other institutions, including universities and colleges such as Johns Hopkins University, Duke University, and Ohio State University, can interact with these applications with their own organization's login.
Potentially, about 2.2 million users from InCommon member institutions could be authorized to use NIH applications. This year, the National Center for Research Resources (NCRR) plans to make its Clinical & Translational Science Awards (CTSA) Wiki one of the first NIH systems to be federated with non-government institutions. NCRR will use the NIH Federated Identity Service to ease access to the wiki, an online, restricted-access, collaborative work environment for members of the CTSA Consortium that currently supports 1,200 members at 38 universities. The switch is scheduled to take place in the first quarter of the year.

Among other NIH services accepting external credentials through the NIH Federated Identity Service are the new website "NIH Network for Public Information Officers (PIOs)," which provides a shared workspace for communications professionals at NIH and their colleagues at NIH-funded institutions, and FDA ITAS Time and Attendance, which is hosted in the NIH Data Center. Additional pilots of the service, readying for production this year, include the electronic Research Administration (eRA) and the NIH Portal.

Why use the service?

Along with providing more seamless collaboration between NIH stakeholders and outside users, the NIH Federated Identity Service also offers the following advantages:

Measurable results and evidence of success

The NIH Federated Identity Service has received recognition as the first federated SharePoint service in the country. In July 2008, the Federated Identity team was awarded the prestigious NIH Director's Award: "In recognition of ground-breaking work to provide improved ability to collaborate with NIH stakeholders using Federated Authentication" (NIH Director's Award Citation, July 2008). This year, the NIH Federated Identity Service was honored with the Government Information Technology Executive Council's (GITEC) 2009 Project Management Excellence Award (February 2009).

CIT receives many requests from NIH Institutes and Centers to consult on setting up the environment necessary to participate in Federated Identity. Numerous pilot projects are now underway to take advantage of the NIH Federated Identity Service for additional NIH applications. CIT also receives inquiries from other federal agencies to help set up their own federation systems, as well as requests from medical schools and research facilities to learn more about participation. Federated Identity team members are often invited to give presentations at major IT conferences, such as this year's Information Processing Interagency Conference (IPIC), where the NIH Federated Identity Service was the focus of CIT's exhibit (see also "CIT Participates in IPIC 2009 Conference" in this issue).

NIH service offering

We offer the following options for the NIH Federated Identity Service:
Technical issue: data security

The key to Federated Identity is the authentication process. The NIH Federated Identity Service depends on the ability to securely share assertions between the Service Provider (also called the Relying Party) and the Identity Provider. NIH has successfully used Security Assertion Markup Language (SAML) and WS-Federation (Web Services Federation) as the protocols that carry the identity authentication.

WS-Federation: WS-Federation provides a basic model for federation between Identity Providers and Relying Parties. FDA ITAS (Integrated Time and Attendance System), the federated project between the Food and Drug Administration (FDA) and NIH, uses WS-Federation via Active Directory Federation Services (ADFS) to share assertions.

SAML: NIH partners with the InCommon Federation as a certified Identity Credential Provider. InCommon uses SAML-based authentication and authorization systems (such as Shibboleth®) to enable scalable, trusted collaborations among its community of participants. InCommon also offers identity assurance profiles that are consistent with the federal government's level of assurance (LOA) 1 and will soon offer LOA 2, as described in NIST Special Publication 800-63. For a list of InCommon participants, see the InCommon website (http://www.incommonfederation.org/participants/).

Both mechanisms (InCommon and WS-Federation/ADFS) broker identities and attributes, and authenticate and authorize claims, while protecting the privacy of those participating in the NIH Federated Identity Service. The goal is to provide a common infrastructure for performing Federated Identity operations for both web services and browser-based applications. The NIH Federated Identity Service runs on Windows and Unix servers in the highly secure NIH Data Center at NIH in Bethesda, Maryland and at an off-site disaster recovery facility.
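As an added example (not code from the NIH service or from this article), the following Python shows the trust and condition checks a SAML 2.0 Service Provider such as the NIH-hosted wiki makes on an assertion from a federated Identity Provider before accepting the home institution's login described under "How does it work?"; the entityIDs, the sample assertion and the function names are assumptions, and XML signature verification is assumed to have been done first.

```python
# Added example (not NIH's code): the trust and condition checks a SAML 2.0
# Service Provider makes on an assertion from a federated Identity Provider.
# Assumes the XML signature was already verified against the IdP's published
# certificate (a library such as pysaml2 or signxml does that step).
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed trust configuration; both entityIDs are placeholders.
TRUSTED_IDPS = {"https://idp.example-university.edu/idp/shibboleth"}
SP_ENTITY_ID = "https://wiki.example.nih.gov/sp"

# Constructed sample assertion in the form a Shibboleth IdP issues (Signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed1" Version="2.0" IssueInstant="2009-03-01T12:00:00Z">
  <saml:Issuer>https://idp.example-university.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>researcher@example-university.edu</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-03-01T11:59:00Z" NotOnOrAfter="2009-03-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://wiki.example.nih.gov/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_instant(s):
    """SAML timestamps are UTC xs:dateTime values, e.g. 2009-03-01T12:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def accept_assertion(xml_text, now, trusted_idps=TRUSTED_IDPS, sp_entity_id=SP_ENTITY_ID):
    """Return (accepted, subject-or-reason); any failed check rejects the login."""
    a = ET.fromstring(xml_text)
    if a.get("Version") != "2.0":
        return False, "unsupported SAML version"
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_idps:  # only federation members are trusted to vouch
        return False, f"untrusted issuer {issuer!r}"
    cond = a.find("saml:Conditions", namespaces=NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and na):
        return False, "missing validity window"
    if not (parse_instant(nb) <= now < parse_instant(na)):  # stale or replayed assertion
        return False, "assertion outside validity window"
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:  # assertion minted for some other Service Provider
        return False, "audience mismatch"
    subject = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return (subject is not None), (subject or "missing Subject")
```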
Future goals

The goal is to expand the service to use the Federal Bridge (still in the development stage) for credential acceptance between government agencies. CIT plans to make the NIH Federated Identity Service a commoditized authentication service with all the necessary infrastructure and procedures defined, established, and set in place. Standardizing procedures in this way will allow quick, easy, and efficient federation (through InCommon, the Federal Bridge, or ADFS Fed) of any additional applications.

More information

You can find more information about Federated Identity at the NIH Federated Identity page (http://federatedidentity.nih.gov), on the NIH Enterprise Architecture website (http://EnterpriseArchitecture.nih.gov), or through the NIH Enterprise Architecture Community in the NIH Portal (EnterpriseArchitecture@mail.nih.gov).

Getting started

If you'd like to join the NIH Federated Identity Service, send requests for contact to nihfederationrequest@mail.nih.gov. For technical help, contact the NIH Help Desk at http://ithelpdesk.nih.gov/support, or by phone at 301-496-4357 (6-HELP) (local), 866-319-4357 (toll free), or 301-496-8294 (TTY).
Published by Center for Information Technology, National Institutes of Health