Security Requirements FAQs


First, research institutions must send NIH the following five attributes:

Attribute                                                  Sample Value
First name                                                 John
Last name                                                  Smith
Email address                                              John.smith@wisc.edu
EPPN (eduPersonPrincipalName)                              John.smith@wisc.edu
Organization                                               University of Wisconsin-Madison
EduPersonTargetedID (urn:oid:1.3.6.1.4.1.5923.1.1.1.10)    D5JUUoGCjTIuRtOkKzW5oRk3l/w=

Related (Research and Scholarship entity category): https://spaces.at.internet2.edu/display/federation/Identity+provider+-+support+Research+and+Scholarship and https://refeds.org/category/research-and-scholarship

Second, research institutions must send a record that the researcher logged in using multi-factor authentication (MFA). This means that in addition to a user ID and password, researchers must use a second factor such as a one-time passcode (OTP) or a hardware multi-factor token.

Third, research institutions must indicate how sure they are about the identity of the individual. This is usually tied to the research institution’s identity verification process.
Please contact your University Admins and have them release the NIH SP requested attributes.
An Identity Provider (IdP) is a service that stores and verifies user identity, or a service that allows users to sign in. Educational institutions, research organizations, and commercial resource providers are examples of Identity Providers.
A service provider is a vendor that provides IT solutions and/or services to end users and organizations.

The NIH Service Provider (SP) controls access by scientists, researchers, and collaborators worldwide to protected NIH systems and sites across all NIH Institutes, Centers, and Offices. To access resources protected by the NIH SP, external requestors are required to authenticate (often using multifactor authentication) and grant the release of a limited set of information such as name, email, and affiliation.
Multi-Factor Authentication (MFA) is an authentication method that requires you to provide two or more verification factors to sign in. For example, this may be a one-time passcode sent to your email or phone.

NIH, a Service Provider (SP), has adopted REFEDS MFA Profile so that we can provision and manage efficient and secure access for people accessing NIH resources. eduGAIN members and research and education identity federations are expected to honor the REFEDS authentication request, perform the MFA, and signal back REFEDS MFA profile. This assures NIH of strong authentication, or provides a greater level of confidence that you are who you say you are.
Identity Verification is a security measure that requires you to provide additional proof about who you are, such as a Driver’s license, passport, or other government-issued ID document.

eduGAIN members and research and education identity federations are expected to follow the REFEDS Assurance Framework. This framework specifies that after proofing the person's identity, IdPs need to store the Identity Assurance Profile (IAP) value at which they were proofed (/IAP/low, /IAP/medium, /IAP/high) and send these values as part of the SAML attributes released to the NIH Service Provider (SP).
When a person on-boards to an organization such as a new employer or a new school, or gets a new utility or bank account, etc., the organization often has an interest in validating that the person is who they say they are. Identity proofing is the process of validating a claimed identity.

An Identity Assurance Profile (IAP) is a specification that defines a level of assurance of an identity proofing process, i.e., it answers the question "How well does your identity proofing process let you be sure that the person is actually who they claim to be?" There are many such specifications, and NIH has chosen to follow the REFEDS Assurance Framework (RAF) as the lingua franca for communicating claims of identity assurance level.

RAF has four IAPs: Low, Moderate, High, and local-enterprise. The first three are defined by reference to one of several different identity assurance specifications produced by external standards-setting bodies. The local-enterprise value is used by the organization to claim that, however it does identity proofing, it is satisfied enough that the person has or could have access to internal administrative systems operated by the organization.

If the identity proofing process used to validate the identity of the person logging in meets any of these criteria, the corresponding values are sent by the IdP to the SP using a standardized attribute established to convey assurance-related information. This approach lets each NIH service with an identity assurance requirement select the level of assurance it requires from this set of four possible IAPs.
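The two signals described above (the REFEDS MFA authentication context from the MFA section, and the IAP values carried in the assurance attribute) are what an SP checks on the returned assertion. The following is an added example, not NIH code, of that SP-side check in Python over a constructed assertion; it assumes the assertion's XML signature has already been verified by the SAML library and only inspects the content. The eduPersonAssurance attribute name (urn:oid:1.3.6.1.4.1.5923.1.1.1.11) and the REFEDS MFA context value (https://refeds.org/profile/mfa) are taken from the eduPerson schema and the REFEDS MFA profile, not from this page.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REFEDS_MFA = "https://refeds.org/profile/mfa"          # REFEDS MFA profile context
EDU_PERSON_ASSURANCE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"  # eduPersonAssurance OID
IAP_PREFIX = "https://refeds.org/assurance/IAP/"
# Ordered IAP levels; local-enterprise is not ordered against these and scores 0.
IAP_RANK = {"low": 1, "medium": 2, "high": 3}


def check_assertion(xml_text, required_iap="medium"):
    """Return (ok, reasons): ok only if REFEDS MFA was signalled and the
    highest asserted IAP meets required_iap. Signature is assumed verified."""
    root = ET.fromstring(xml_text)
    reasons = []
    ctx = root.find(".//saml:AuthnStatement/saml:AuthnContext/"
                    "saml:AuthnContextClassRef", NS)
    if ctx is None or (ctx.text or "").strip() != REFEDS_MFA:
        reasons.append("no REFEDS MFA authentication context in assertion")
    values = [v.text.strip() for v in root.findall(
        f".//saml:Attribute[@Name='{EDU_PERSON_ASSURANCE}']/saml:AttributeValue",
        NS) if v.text]
    iaps = [v[len(IAP_PREFIX):] for v in values if v.startswith(IAP_PREFIX)]
    best = max((IAP_RANK.get(i, 0) for i in iaps), default=0)
    if best < IAP_RANK[required_iap]:
        reasons.append(f"asserted IAP {iaps or 'none'} below required {required_iap}")
    return (not reasons, reasons)


# Constructed sample assertion (no signature, no conditions) for illustration.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11">
      <saml:AttributeValue>https://refeds.org/assurance/IAP/low</saml:AttributeValue>
      <saml:AttributeValue>https://refeds.org/assurance/IAP/medium</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion, but the IdP only did password authentication.
PASSWORD_ONLY = SAMPLE_ASSERTION.replace(
    REFEDS_MFA, "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "medium"))  # (True, [])
    print(check_assertion(PASSWORD_ONLY, "medium"))     # MFA missing
```

A service that requires /IAP/high would call check_assertion with required_iap="high" and reject this sample, since the IdP only asserted low and medium.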

Types of REFEDS assurance profiles used by NIH:
Cappuccino: Low-risk research use cases
• https://refeds.org/assurance/IAP/low
• https://refeds.org/assurance/IAP/medium

Espresso: Use cases requiring verified identity
• https://refeds.org/assurance/IAP/low
• https://refeds.org/assurance/IAP/medium
• https://refeds.org/assurance/IAP/high
• https://refeds.org/assurance/IAP/local-enterprise
NIH SP entity IDs listed in the metadata (both InCommon and eduGAIN) are as follows:
DEV = https://federationdev.nih.gov/FederationGateway
STAGE = https://federationstage.nih.gov/FederationGateway
PROD = https://federation.nih.gov/FederationGateway

View additional info about NIH SP metadata at:
DEV = Metadata Explorer Tool (refeds.org)
STAGE = Metadata Explorer Tool (refeds.org)
PROD = Metadata Explorer Tool (refeds.org)

Please modify your IdP's attribute release policy as follows:

<AttributeFilterPolicy id="national_institutes_of_health_PROD">
    <PolicyRequirementRule xsi:type="Requester" value="https://federation.nih.gov/FederationGateway" />
    <AttributeRule attributeID="givenName" permitAny="true"/>
    <AttributeRule attributeID="surname" permitAny="true"/>
    <AttributeRule attributeID="mail" permitAny="true"/>
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>
    <AttributeRule attributeID="eduPersonTargetedID" permitAny="true"/>
    <AttributeRule attributeID="eduPersonAssurance" permitAny="true"/>
</AttributeFilterPolicy>

<AttributeFilterPolicy id="national_institutes_of_health_STAGE">
    <PolicyRequirementRule xsi:type="Requester" value="https://federationstage.nih.gov/FederationGateway" />
    <AttributeRule attributeID="givenName" permitAny="true"/>
    <AttributeRule attributeID="surname" permitAny="true"/>
    <AttributeRule attributeID="mail" permitAny="true"/>
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>
    <AttributeRule attributeID="eduPersonTargetedID" permitAny="true"/>
    <AttributeRule attributeID="eduPersonAssurance" permitAny="true"/>
</AttributeFilterPolicy>

<AttributeFilterPolicy id="national_institutes_of_health_DEV">
    <PolicyRequirementRule xsi:type="Requester" value="https://federationdev.nih.gov/FederationGateway" />
    <AttributeRule attributeID="givenName" permitAny="true"/>
    <AttributeRule attributeID="surname" permitAny="true"/>
    <AttributeRule attributeID="mail" permitAny="true"/>
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>
    <AttributeRule attributeID="eduPersonTargetedID" permitAny="true"/>
    <AttributeRule attributeID="eduPersonAssurance" permitAny="true"/>
</AttributeFilterPolicy>