NIH LOGIN SERVICES (Formerly ITRUST)
What is NIH Login?
The NIH Login Solution is an NIH Identity and Access Management service offered by CIT to provide centralized
authentication and Single Sign On (SSO) capability for web-based applications. NIH Login is a "one-stop shop"
that accepts logins from all NIH staff, eRA Commons users, HHS employees, and various federated partners.
What business problem does the NIH Login solve for NIH?
- Using NIH Login, users can log in once to be granted access to any SSO-enabled application within NIH, and can federate with external applications seamlessly.
- Trusted user information, such as user profile attributes, groups and roles, is passed to the application in a secure fashion.
- Centralized security enforcement for authentication and authorization helps applications simplify and streamline their authentication and authorization requirements.
Why NIH Login?
- Applications are no longer required to authenticate and provision users locally.
- Users are authenticated using standards-based assertions/tokens (SAML, OAuth).
- NIH Login will perform the necessary authentication procedures to verify the credentials of the user.
- NIH Login can also perform basic authorization based on group, role and attribute associations.
Types of Authentications Currently Available via NIH Login
- Username/password logins supported for NIH staff, eRA Commons, HHS employees.
- PIV card logins supported for NIH staff and HHS employees.
- Two-Factor Advanced Authentication logins supported for NIH staff and HRSA staff only.
- Desktop SSO (Kerberos token-based logins) supported for NIH staff and HRSA staff only.
- Web service logins supported for NIH staff.
- Federation logins supported for Login.gov, Research organizations via SAML (InCommon), WS-Federation and Social Logins such as Google, Facebook, Microsoft Live and PayPal.
- Federation logins supported for NIH staff & eRA Commons via API Gateway OAuth2.0/OIDC platform (Service Discovery URL).
Recommended Approaches to Utilize NIH Login
- Web Agent based integration for intranet hosted applications, where app owners will need to install Web Server Filter on their servers.
- SAML-based integration for federated applications, where app owners will either be running a SAML-compliant application that supports SAML logins natively (such as Amazon Web Services, ServiceNow or Salesforce), or will need to install an open-source SAML product in front of the web app in their on-premise or cloud environment.
- OAuth2.0/OpenID Connect based integration for federated applications, where app owners will be running an OAuth2/OIDC-compliant application that supports token-based logins. You can also connect with the NIH-OIDC developer team.
- Researcher Auth Service (RAS) integration. RAS utilizes OAuth2/OIDC for GA4GH compliant integrations of applications for researcher access to NIH data repositories and systems.
- Login web service method for agent-less integration, where the apps rely upon the session tokens returned by the NIH Login web service calls to determine the authentication session.
- Proxy-based method, an agent-less integration where the apps rely upon the NIH Login Proxy to route their web application traffic; the proxy processes the single sign-on token on their behalf.
How does an IC application request to integrate with NIH Login?
For More Information: Please contact the CIT IAM Services Support Team or Jeff Erickson.