nih login
DESCRIPTION
NIH Login. An Overview of Single Sign-On, Federation, Its Benefits, and Basic Procedures for Integrating Applications. Welcome to abc.nih.gov. Welcome to def.nih.gov. Welcome to ghi.nih.gov. Please Log In. Please Log In. Please Log In. Username. Username. Username. Password. Password. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: NIH Login](https://reader035.vdocuments.us/reader035/viewer/2022062518/568148e5550346895db5ffc1/html5/thumbnails/1.jpg)
An Overview of Single Sign-On, Federation, Its Benefits, and Basic Procedures for Integrating
Applications
![Page 2: NIH Login](https://reader035.vdocuments.us/reader035/viewer/2022062518/568148e5550346895db5ffc1/html5/thumbnails/2.jpg)
Welcome to abc.nih.govPlease Log In
Username
Password
Welcome to ghi.nih.govPlease Log In
Username
Password
GHI’s DBABC’s
DB
Welcome to def.nih.govPlease Log In
Username
Password
DEF’s DB
![Page 3: NIH Login](https://reader035.vdocuments.us/reader035/viewer/2022062518/568148e5550346895db5ffc1/html5/thumbnails/3.jpg)
Under a non-SSO enabled architecture, users must log in to each application or website each time they visit. Logging in to one site does not provide access to others.
Welcome to xyz.nih.govPlease Log In
Username
Password
XYZ’s DB
Welcome to abc.nih.govPlease Log In
Username
Password
ABC’s DB
![Page 4: NIH Login](https://reader035.vdocuments.us/reader035/viewer/2022062518/568148e5550346895db5ffc1/html5/thumbnails/4.jpg)
NIH Login◦ NIH AD and NIH External user name password◦ HHS issued Personal Identification Verification (PIV) smart card◦ eRA Commons OID user name password
Federation◦ InCommon federation credentials
http://www.incommonfederation.org/participants/
◦ OpenID Foundation http://openid.net/u-s-government-openid-pilot-program-participants/
![Page 5: NIH Login](https://reader035.vdocuments.us/reader035/viewer/2022062518/568148e5550346895db5ffc1/html5/thumbnails/5.jpg)
Using NIH Login, users can login once to be granted access to any SSO-enabled application within NIH.
![Page 6: NIH Login](https://reader035.vdocuments.us/reader035/viewer/2022062518/568148e5550346895db5ffc1/html5/thumbnails/6.jpg)
Applications are no longer required to perform authentication procedures
Users are authenticated by NIH AD, NIH Ext, and eRA Commons.
Login information is passed to the application from NIH Login via HTTP headers
WelcomePlease Log In
Username
Password
XYZ’s DB
Homepage
Welcome, Authenticated User!
![Page 7: NIH Login](https://reader035.vdocuments.us/reader035/viewer/2022062518/568148e5550346895db5ffc1/html5/thumbnails/7.jpg)
As long as the visitor continues using the browser window through which he or she logged in (or a child window), all SSO-enabled applications for which the user is authorized may be accessed.
WelcomePlease Log In
UsernamePassword
XYZ’s DB
App. #1
Welcome
WelcomePlease Log In
UsernamePassword
XYZ’s DB
App. #2
Welcome
WelcomePlease Log In
UsernamePassword
XYZ’s DB
App. #3
Welcome
WelcomePlease Log In
UsernamePassword
DB
App. #4
Welcome
![Page 8: NIH Login](https://reader035.vdocuments.us/reader035/viewer/2022062518/568148e5550346895db5ffc1/html5/thumbnails/8.jpg)
NIH Login uses CA SiteMinder software
Upon receiving a request, the client web server invokes the web agent.
The web agent checks with the policy server to see whether the site is protected by NIH Login or federation.
If the site is protected and the user is not yet authenticated, the NIH Login or federation screen is shown and login is required
Webserver
Web
Agent
Policy Server
AD
Client Side NIH Login
AD
![Page 9: NIH Login](https://reader035.vdocuments.us/reader035/viewer/2022062518/568148e5550346895db5ffc1/html5/thumbnails/9.jpg)
Using the federation components of NIH Login, external users can be granted access to web applications within NIH using their “home” credentials.
![Page 10: NIH Login](https://reader035.vdocuments.us/reader035/viewer/2022062518/568148e5550346895db5ffc1/html5/thumbnails/10.jpg)
Applications are no longer required to authenticate and provision external users locally.
Users are authenticated using standards-based assertions/tokens (SAML, OpenID, WS-Federation, etc).
User authentication attributes are passed to the application via HTTP headers
WelcomePlease Log In
Username
Password
XYZ’s DB
Homepage
Welcome, Authenticated User!
![Page 11: NIH Login](https://reader035.vdocuments.us/reader035/viewer/2022062518/568148e5550346895db5ffc1/html5/thumbnails/11.jpg)
Federation also uses CA SiteMinder software
Upon receiving a request, the client web server invokes the web agent.
The web agent checks with the policy server to see whether the site is protected by federation.
If the site is protected and the user is not yet authenticated, the federation screen is shown and the user chooses their “home” organization.
After the user authenticates at their “home” organization, they are returned to their requested NIH application.
Web Server
Web
Agent
Policy Server
Client
Side
NIH Login w/ Federation
Home Org
Home Org
Selector
Identity
Provider
![Page 12: NIH Login](https://reader035.vdocuments.us/reader035/viewer/2022062518/568148e5550346895db5ffc1/html5/thumbnails/12.jpg)
NIH Login will perform the necessary authentication procedures to verify the credentials of the user
NIH Login can also perform basic authorization◦ Authorization is based on active directory groups◦ Groups must exist or be created in the NIH AD for NIH
Login and LDAP_ALL for federation
![Page 13: NIH Login](https://reader035.vdocuments.us/reader035/viewer/2022062518/568148e5550346895db5ffc1/html5/thumbnails/13.jpg)
Your part: In order to use NIH Login, the application’s web server must run an executable known as a web agent. The web agent is available for various operating systems including Windows, Solaris and Linux. The simple installation/configuration process may be performed by your team or by a member of the NIH Login team if granted access to the server.
Our part: The NIH Login team must first configure the NIH Login policy server to expect connections from the web agent. We will then send you technical information to allow you to connect your web agent to the policy server.
Application owners or technical contacts should provide operating system and web server information to the NIH Login team via the NIH Login Request Form (see contact information below for requests).
![Page 14: NIH Login](https://reader035.vdocuments.us/reader035/viewer/2022062518/568148e5550346895db5ffc1/html5/thumbnails/14.jpg)
Applications integrating with NIH Login will need to remove their existing login procedures. This includes:◦ Altering HTML to remove login screen◦ Changing code (e.g. ASP, JSP, ColdFusion) to receive HTTP
header information from NIH Login Values include username, full name, email, etc. These values can be used to populate data that is needed by the
application◦ Using the information received to proceed with your application’s
tasks Code change requirements are usually minimal
![Page 15: NIH Login](https://reader035.vdocuments.us/reader035/viewer/2022062518/568148e5550346895db5ffc1/html5/thumbnails/15.jpg)
For more information, please contact:◦ Jeff Erickson – [email protected]◦ NIH Login support group – [email protected]