What is NIH Login?
The NIH Login Solution is an NIH Identity and Access Management service offered by CIT to provide centralized authentication and Single Sign On (SSO) capability for web based applications. NIH Login is a "one-stop shop" which accepts logins from all NIH staff, eRA Commons users, HHS employees and various federated partners.
What business problem does the NIH Login solve for NIH?
- Using NIH Login, users can log in once to be granted access to any SSO-enabled application within NIH, as well as federate with external applications seamlessly.
- Trusted user information such as user profile attributes, groups and roles is passed to the application in a secure fashion.
- Centralized security enforcement for authentication and authorization helps applications simplify and streamline their authentication and authorization requirements.
Why NIH Login?
- Applications are no longer required to authenticate and provision users locally.
- Users are authenticated using standards-based assertions/tokens (SAML, OAuth).
- NIH Login will perform the necessary authentication procedures to verify the credentials of the user.
- NIH Login can also perform basic authorization based on group, role and attribute associations.
Types of authentications currently available via NIH Login
- Username/password logins supported for NIH staff, eRA Commons, HHS employees (TEST URL).
- PIV card logins supported for NIH staff and HHS employees (TEST URL).
- Two-Factor Advanced Authentication logins supported for NIH staff and HRSA staff only (TEST URL).
- Desktop SSO (Kerberos token based) logins supported for NIH staff and HRSA staff only (TEST URL).
- Web service logins supported for NIH staff.
- Federation logins supported for Research organizations via SAML, WS-Federation and Social Logins such as Google, Facebook and PayPal (TEST URL).
- Federation logins supported for NIH staff & eRA Commons via APIGateway OAuth2.0/OIDC platform (Service Discovery URL).
Recommended Approaches to utilize NIH Login
- Proxy based method: an agent-less integration where applications route their web traffic through the NIH Login Proxy, which processes the single sign-on token on their behalf.
- Web Agent based integration for intranet hosted applications, where app owners will need to install Web Server Filter on their servers.
- SAML based integration for federated applications, where app owners are either running a SAML-compliant application that supports SAML logins on its own (such as Amazon Web Services, ServiceNow or Salesforce), or will need to install an open source SAML product in front of the web app in the on-premise/cloud environment. Recommended products are available Here.
- OAuth2.0/OpenIDConnect based integration for federated applications, where app owners will be running an OAuth2/OIDC-compliant application that supports token based logins. Recommended products are available Here. You can also connect with the NIH-OIDC developer team here.
- Login webservice method for agent-less integration, where apps rely upon the session tokens returned by the NIH Login webservice calls to determine the authentication session.
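The token based (OAuth2.0/OIDC) integration above only delivers trustworthy group and role attributes if the application checks the ID token before acting on its claims. The following is an added illustration, not NIH Login's code or API: a relying-party check using only the Python standard library, where the issuer, client id, HS256 shared key and the constructed token are assumptions (a real deployment verifies RS256 signatures against the keys published at the service discovery URL).

```python
import base64, hashlib, hmac, json, time

# Assumed placeholders: the real issuer and client id come from the NIH Login
# OIDC service discovery document and the app's registration (not on this page).
ISSUER = "https://idp.example.invalid"
CLIENT_ID = "my-app-client-id"
ALLOWED_ALGS = {"HS256"}  # demo key type; real ID tokens use RS256 verified via JWKS
CLOCK_SKEW = 60           # seconds of tolerated clock drift

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_demo_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a constructed ID token that stands in for what the IdP would issue."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_id_token(token: str, key: bytes, expected_nonce: str, now=None) -> dict:
    """Return the claims only if alg, signature, iss, aud, exp/iat and nonce all check out."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    if header.get("alg") not in ALLOWED_ALGS:  # rejects "none" and any unexpected alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))  # parsed only after the signature holds
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER or CLIENT_ID not in aud:
        raise ValueError("issuer/audience mismatch")
    if claims.get("exp", 0) + CLOCK_SKEW < now or claims.get("iat", now + 1e9) > now + CLOCK_SKEW:
        raise ValueError("token not valid at this time")
    if claims.get("nonce") != expected_nonce:  # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims

def authz_from_claims(claims: dict) -> dict:
    """Pull the group/role attributes the app may act on; call only after verify_id_token."""
    return {"groups": set(claims.get("groups", [])), "roles": set(claims.get("roles", []))}
```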
How does an IC application request to integrate with the NIH Login?