Security Requirements FAQs


First, research institutions must send NIH the following five attributes:

Attribute                                                  Sample value
First name                                                 John
Last name                                                  Smith
Email address                                              John.smith@wisc.edu
EPPN (eduPersonPrincipalName)                              John.smith@wisc.edu
Organization                                               University of Wisconsin-Madison
eduPersonTargetedID (urn:oid:1.3.6.1.4.1.5923.1.1.1.10)    D5JUUoGCjTIuRtOkKzW5oRk3l/w=

Related references on the Research and Scholarship (R&S) entity category:
https://spaces.at.internet2.edu/display/federation/Identity+provider+-+support+Research+and+Scholarship
https://refeds.org/category/research-and-scholarship

Second, research institutions must send a record that the researcher logged in using multi-factor authentication (MFA). This means that in addition to a user ID and password, researchers must use a second factor such as a one-time passcode (OTP) or a hardware multi-factor token.

Third, research institutions must indicate how confident they are in the identity of the individual. This is usually tied to the research institution's identity verification process.

Please contact your university's IdP administrators and ask them to release the attributes requested by the NIH SP.
An Identity Provider (IdP) is a service that stores and verifies user identity, or a service that allows users to sign in. Educational institutions, research organizations, and commercial resource providers are examples of Identity Providers.
A service provider is a vendor that provides IT solutions and/or services to end users and organizations.

The NIH Service Provider (SP) controls access by scientists, researchers, and collaborators worldwide to protected NIH systems and sites across all NIH Institutes, Centers, and Offices. To access resources protected by the NIH SP, external requestors are required to authenticate (often using multifactor authentication) and grant the release of a limited set of information such as name, email, and affiliation.
Multi-Factor Authentication (MFA) is an authentication method that requires you to provide two or more verification factors to sign in. For example, this may be a one-time passcode sent to your email or phone.

NIH, a Service Provider (SP), has adopted the REFEDS MFA Profile so that it can provision and manage efficient and secure access for people accessing NIH resources. eduGAIN members and research and education identity federations are expected to honor the REFEDS authentication request, perform the MFA, and signal the REFEDS MFA profile back in the authentication response. This assures NIH of strong authentication, or provides a greater level of confidence that you are who you say you are.
Identity Verification is a security measure that requires you to provide additional proof about who you are, such as a Driver’s license, passport, or other government-issued ID document.

eduGAIN members and research and education identity federations are expected to follow the REFEDS assurance framework. This framework specifies that after proofing a person's identity, the IdP stores the Identity Assurance Profile (IAP) value at which the person was proofed (/IAP/low, /IAP/medium, /IAP/high) and sends these values as SAML attributes to the NIH Service Provider (SP).
Identity Assurance Profiles, as described in the InCommon Identity Assurance Assessment Framework, define the specific requirements that Identity Provider Operators must meet in order to be eligible to include InCommon Identity Assurance Qualifier(s) in identity Assertions that they offer to Service Providers.

Types of REFEDS assurance profiles used by NIH:

Cappuccino: Low-risk research use cases
  https://refeds.org/assurance/IAP/low
  https://refeds.org/assurance/IAP/medium

Espresso: Use cases requiring verified identity
  https://refeds.org/assurance/IAP/low
  https://refeds.org/assurance/IAP/medium
  https://refeds.org/assurance/IAP/high
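The three requirements above (the requested attributes, the REFEDS MFA signal, and an acceptable IAP value) are what the NIH SP has to check on every incoming assertion. The following is an added example, not NIH's code, of what such an SP-side check looks like over one constructed SAML assertion. It assumes the standard OID names for the six attributes named in the attribute filter policy on this page, the published REFEDS MFA authentication context `https://refeds.org/profile/mfa`, and one acceptance rule stated in the comments (Cappuccino use cases accept IAP/low or above, Espresso use cases require IAP/high); the issuer and the assertion itself are constructed sample data.

```python
# Added example (not NIH's code): SP-side check of one incoming SAML assertion
# against the requirements on this page. Standard library only; the assertion
# below is constructed and unsigned (a real SP verifies the signature and
# Conditions before any of these checks).
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Authentication context the REFEDS MFA profile uses to signal "MFA was done".
REFEDS_MFA = "https://refeds.org/profile/mfa"

# Standard OID names of the six attributes the filter policy on this page
# releases, mapped to their friendly names.
REQUIRED_ATTRIBUTES = {
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.11": "eduPersonAssurance",
}
ASSURANCE_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"

IAP = "https://refeds.org/assurance/IAP/"
# Assumed acceptance rule for this example (IdPs assert IAP values
# cumulatively, so high also satisfies the lower levels): Cappuccino use
# cases accept low or above, Espresso use cases require high.
ACCEPTED_IAP = {
    "cappuccino": {IAP + "low", IAP + "medium", IAP + "high"},
    "espresso": {IAP + "high"},
}

# Constructed sample assertion using the sample values from the table above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>John.smith@wisc.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>John.smith@wisc.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">
      <saml:AttributeValue><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">D5JUUoGCjTIuRtOkKzW5oRk3l/w=</saml:NameID></saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11">
      <saml:AttributeValue>https://refeds.org/assurance/IAP/low</saml:AttributeValue>
      <saml:AttributeValue>https://refeds.org/assurance/IAP/medium</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _values(attr):
    """Text of each AttributeValue; eduPersonTargetedID wraps a NameID."""
    out = []
    for av in attr.findall("saml:AttributeValue", NS):
        name_id = av.find("saml:NameID", NS)
        text = name_id.text if name_id is not None else av.text
        out.append((text or "").strip())
    return out


def validate_assertion(xml_text, profile):
    """Return (ok, problems) for one assertion and a profile name,
    "cappuccino" or "espresso"."""
    root = ET.fromstring(xml_text)
    problems = []

    # 1. Every requested attribute is present with a non-empty value.
    found = {a.get("Name"): _values(a) for a in root.iterfind(".//saml:Attribute", NS)}
    for oid, friendly in REQUIRED_ATTRIBUTES.items():
        if not any(found.get(oid, [])):
            problems.append(f"missing attribute {friendly} ({oid})")

    # 2. The IdP signalled that MFA was performed (REFEDS MFA profile).
    ctx = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ctx is None or (ctx.text or "").strip() != REFEDS_MFA:
        problems.append("IdP did not signal the REFEDS MFA profile")

    # 3. eduPersonAssurance carries an IAP value acceptable for the use case.
    asserted = set(found.get(ASSURANCE_OID, []))
    if not asserted & ACCEPTED_IAP[profile]:
        problems.append(f"asserted IAP {sorted(asserted)} does not satisfy {profile}")

    return (not problems, problems)


if __name__ == "__main__":
    for profile in ("cappuccino", "espresso"):
        print(profile, validate_assertion(SAMPLE_ASSERTION, profile))
```

Run stand-alone, the sample passes for a Cappuccino use case and fails for Espresso, because the IdP asserted only IAP/low and IAP/medium; swapping the authentication context for a password-only class makes the MFA check fail as well.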
NIH SP entity IDs listed in the metadata (both InCommon and eduGAIN) are as follows:
DEV = https://federationdev.nih.gov/FederationGateway
STAGE = https://federationstage.nih.gov/FederationGateway
PROD = https://federation.nih.gov/FederationGateway

View additional info about NIH SP metadata at:
DEV = Metadata Explorer Tool (refeds.org)
STAGE = Metadata Explorer Tool (refeds.org)
PROD = Metadata Explorer Tool (refeds.org)

Please modify your IdP's attribute release policy as follows:

<AttributeFilterPolicy id="national_institutes_of_health_PROD">
    <PolicyRequirementRule xsi:type="Requester" value="https://federation.nih.gov/FederationGateway" />
    <AttributeRule attributeID="givenName" permitAny="true"/>
    <AttributeRule attributeID="surname" permitAny="true"/>
    <AttributeRule attributeID="mail" permitAny="true"/>
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>
    <AttributeRule attributeID="eduPersonTargetedID" permitAny="true"/>
    <AttributeRule attributeID="eduPersonAssurance" permitAny="true"/>
</AttributeFilterPolicy>

<AttributeFilterPolicy id="national_institutes_of_health_STAGE">
    <PolicyRequirementRule xsi:type="Requester" value="https://federationstage.nih.gov/FederationGateway" />
    <AttributeRule attributeID="givenName" permitAny="true"/>
    <AttributeRule attributeID="surname" permitAny="true"/>
    <AttributeRule attributeID="mail" permitAny="true"/>
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>
    <AttributeRule attributeID="eduPersonTargetedID" permitAny="true"/>
    <AttributeRule attributeID="eduPersonAssurance" permitAny="true"/>
</AttributeFilterPolicy>

<AttributeFilterPolicy id="national_institutes_of_health_DEV">
    <PolicyRequirementRule xsi:type="Requester" value="https://federationdev.nih.gov/FederationGateway" />
    <AttributeRule attributeID="givenName" permitAny="true"/>
    <AttributeRule attributeID="surname" permitAny="true"/>
    <AttributeRule attributeID="mail" permitAny="true"/>
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>
    <AttributeRule attributeID="eduPersonTargetedID" permitAny="true"/>
    <AttributeRule attributeID="eduPersonAssurance" permitAny="true"/>
</AttributeFilterPolicy>
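An IdP administrator who has pasted these three policies into attribute-filter.xml will want to confirm that each NIH entity ID really gets all six attributes before the change goes live. The following added example, not NIH's or Shibboleth's code, parses a constructed copy of the policies above (wrapped in the AttributeFilterPolicyGroup root element and the Shibboleth afp namespace that a real attribute-filter.xml declares) and reports any NIH environment that is missing an attribute. It assumes the policies use the Requester rule type shown on this page.

```python
# Added example (not NIH's or Shibboleth's code): check that the attribute
# filter policy releases every required attribute to each NIH entity ID.
# Standard library only; the policy text is a constructed copy of the page's.
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"              # Shibboleth attribute filter namespace
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# The three NIH SP entity IDs listed on this page.
NIH_ENTITY_IDS = {
    "PROD": "https://federation.nih.gov/FederationGateway",
    "STAGE": "https://federationstage.nih.gov/FederationGateway",
    "DEV": "https://federationdev.nih.gov/FederationGateway",
}

# The six attributeIDs named in the policy above.
REQUIRED = {"givenName", "surname", "mail", "eduPersonPrincipalName",
            "eduPersonTargetedID", "eduPersonAssurance"}

# Constructed copy of the policies, wrapped in the root element and namespace
# a real attribute-filter.xml uses (the page shows only the fragment).
POLICY_XML = f"""<AttributeFilterPolicyGroup xmlns="{AFP}" xmlns:xsi="{XSI}">
  <AttributeFilterPolicy id="national_institutes_of_health_PROD">
    <PolicyRequirementRule xsi:type="Requester" value="https://federation.nih.gov/FederationGateway" />
    <AttributeRule attributeID="givenName" permitAny="true"/>
    <AttributeRule attributeID="surname" permitAny="true"/>
    <AttributeRule attributeID="mail" permitAny="true"/>
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>
    <AttributeRule attributeID="eduPersonTargetedID" permitAny="true"/>
    <AttributeRule attributeID="eduPersonAssurance" permitAny="true"/>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="national_institutes_of_health_STAGE">
    <PolicyRequirementRule xsi:type="Requester" value="https://federationstage.nih.gov/FederationGateway" />
    <AttributeRule attributeID="givenName" permitAny="true"/>
    <AttributeRule attributeID="surname" permitAny="true"/>
    <AttributeRule attributeID="mail" permitAny="true"/>
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>
    <AttributeRule attributeID="eduPersonTargetedID" permitAny="true"/>
    <AttributeRule attributeID="eduPersonAssurance" permitAny="true"/>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="national_institutes_of_health_DEV">
    <PolicyRequirementRule xsi:type="Requester" value="https://federationdev.nih.gov/FederationGateway" />
    <AttributeRule attributeID="givenName" permitAny="true"/>
    <AttributeRule attributeID="surname" permitAny="true"/>
    <AttributeRule attributeID="mail" permitAny="true"/>
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>
    <AttributeRule attributeID="eduPersonTargetedID" permitAny="true"/>
    <AttributeRule attributeID="eduPersonAssurance" permitAny="true"/>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
"""


def released_attributes(policy_xml):
    """Map each Requester entity ID to the set of attributeIDs the policy
    permits for it (only rules with permitAny="true" count)."""
    root = ET.fromstring(policy_xml)
    released = {}
    for policy in root.iterfind(f"{{{AFP}}}AttributeFilterPolicy"):
        rule = policy.find(f"{{{AFP}}}PolicyRequirementRule")
        if rule is None or rule.get(f"{{{XSI}}}type") != "Requester":
            continue  # this check only looks at per-requester policies
        ids = {
            r.get("attributeID")
            for r in policy.iterfind(f"{{{AFP}}}AttributeRule")
            if r.get("permitAny") == "true"
        }
        released.setdefault(rule.get("value"), set()).update(ids)
    return released


def check_policy(policy_xml):
    """Return a list of problems; an empty list means every NIH entity ID
    receives all of the required attributes."""
    released = released_attributes(policy_xml)
    problems = []
    for env, entity_id in NIH_ENTITY_IDS.items():
        missing = REQUIRED - released.get(entity_id, set())
        if missing:
            problems.append(f"{env} ({entity_id}): not released: {sorted(missing)}")
    return problems


if __name__ == "__main__":
    print(check_policy(POLICY_XML) or "all NIH entity IDs receive the required attributes")
```

Point the script at your own attribute-filter.xml instead of POLICY_XML to run the same check against the deployed policy; a typical mistake it catches is copying the PROD block and forgetting to add eduPersonAssurance, which silently breaks the assurance requirement for that environment.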