InCommon/NIH Community Update: MFA and Identity Requirements Webinar

On April 20, 2023, InCommon and NIH hosted a briefing on the InCommon Community’s readiness to support NIH. 

How are we doing? What is coming up next? This webinar provides an update on our progress thus far and what’s next as NIH considers issuing its first identity assurance requirement.

Frequently Asked Questions


Visit the Get NIH Ready FAQ (get-nih-ready-faq)


A Roadmap to Be NIH Ready

To enable its mission, the National Institutes

Call to Action

The National Institutes of Health (NIH) is expanding its NIH Login Service gateway to streamline external users' secure access to NIH online resources.

To ensure there is appropriate authentication and identity proofing to meet US agency requirements, and to facilitate user access provisioning, NIH is calling on federated identity providers (e.g., an identity provider, or IdP, published in the InCommon Federation) to support three interoperability and assurance frameworks defined by the research and education community:

Streamlined user attribute release by supporting REFEDS Research &

IT resources by biomedical researchers, faculty, and scientists around the globe. Resources protected by the NIH Login Service include controlled-access research data and grants administration systems.  

InCommon participants whose users access NIH resources via federated access need to update their identity providers to meet three requirements:

  • Release Basic User Information about the people accessing NIH resources so that we can provision and manage efficient and secure access.

  • Perform Multi-factor Authentication (MFA) to minimize risk to NIH IT resources.

  • Provide Identity Assurance that each person who logs in is who they say they are so that NIH can provide appropriate authorization to access NIH data. 

What does this mean?

NIH is asking InCommon (and international R&E federation) Participants to update their federated single sign-on service to support three research and education federated access standards.

NIH's Requirement | InCommon Participant's To Do

Release Basic User Information | Release the user information defined in the REFEDS Research and Scholarship (R&S) entity category when a user signs into NIH resources.

Perform Multi-factor Authentication (MFA) | Implement strong authentication: perform multi-factor authentication and signal MFA using REFEDS; perform MFA for a user when requested by the NIH Login Service; support MFA request and response signaling using the REFEDS MFA Profile.

Provide Identity Assurance | Perform appropriate identity proofing and credential binding for users accessing federated resources; at sign-in time, communicate each user's identity proofing level. Communicate identity proofing and assurance.

By September 15, 2021, NIH asks that you:

  1. Adopt the REFEDS Research and Scholarship Entity Category (R&S) - Signal a standard set of basic, non-sensitive information (persistent unique identifier, name, email + affiliation)
  2. Adopt the REFEDS MFA profile (https://refeds.org/profile/mfa) -  Signal your assurance of strong authentication (MFA)
  3. Adopt the REFEDS Assurance Framework v1 - Signal your assurance of the person’s identity (at min. “Local Enterprise”)

When Does All This Happen?

Full implementation of all three elements will take time. Identity Provider operators in the InCommon Federation should begin planning and implementation as soon as possible, noting the following upcoming milestone dates:

Date | Event/Milestone / Impact

September 15, 2021
  • Milestone: NIH’s electronic Research Administration (eRA) application begins to require all of its users to sign in with MFA
  • IdP Requirements:
    • MUST perform MFA for users who need to sign into eRA
    • MUST support SAML Authentication Context signaling defined in the REFEDS MFA Profile 
    • MUST support REFEDS R&S entity category 
    • SHOULD begin to support eduPersonAssurance - assert at least local-enterprise for qualified individuals. 
  • Impact: Users who cannot perform MFA with their campus credential will be directed to create an account at login.gov
  • Related Activities
May 2021
  • Milestone: NIH Login Service begins signaling MFA requests using the REFEDS MFA Profile and makes access decisions based on a user's identity assurance profile (IAP / eduPersonAssurance) and the requested resource's access requirements
  • IdP Requirements:
    • SHOULD support SAML Authentication Context signaling defined in the REFEDS MFA Profile (i.e., understand how to handle an MFA request signaled using the REFEDS MFA Profile even if you do not perform MFA)
    • SHOULD support REFEDS R&S entity category 
    • SHOULD be ready to support identity assurance assertion using eduPersonAssurance
  • Impact
    • Users may encounter an authentication error if the IdP does not support MFA signaling using the REFEDS MFA Profile.
    • Users may not be able to access some resources if the IdP does not release the user attributes defined in the REFEDS R&S entity category and/or does not release applicable eduPersonAssurance values for the user.
  • Related Activities
    • The Assured Access Working Group, a joint InCommon/NIH effort, is mapping common campus identity proofing procedures to REFEDS Assurance Framework (eduPersonAssurance) values. It is also developing a mapping between eduPersonAssurance and NIST identity assurance levels. Further, the working group is producing campus adoption guidance to help campuses implement eduPersonAssurance.
Summer 2021
  • Milestone: PubMed to transition to use only federated credentials for user sign-in
  • IdP Requirements
    • MUST support REFEDS R&S entity category 
  • Impact: Campuses with users accessing PubMed (likely all InCommon IdP campuses) need to be ready to support federated sign-in to PubMed
TBD
  • Additional NIH services to come online throughout 2021 and beyond. Watch this page for updates.
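
The IdP requirements in the milestones above can be checked against a decoded assertion captured from a test sign-in. The following is an added example, not InCommon or NIH code: it inspects a constructed, unsigned SAML fragment for the REFEDS MFA authentication context, a simplified R&S bundle (eduPersonPrincipalName, mail, and a name), and eduPersonAssurance IAP values. The function names and sample values are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REFEDS_MFA = "https://refeds.org/profile/mfa"        # AuthnContextClassRef value
IAP_PREFIX = "https://refeds.org/assurance/IAP/"     # REFEDS Assurance Framework
OID = "urn:oid:"
EPPN, MAIL = OID + "1.3.6.1.4.1.5923.1.1.1.6", OID + "0.9.2342.19200300.100.1.3"
DISPLAY, GIVEN, SN = OID + "2.16.840.1.113730.3.1.241", OID + "2.5.4.42", OID + "2.5.4.4"
ASSURANCE = OID + "1.3.6.1.4.1.5923.1.1.1.11"        # eduPersonAssurance

def check_assertion(xml_text):
    """Report what a decoded assertion signals. Does NOT verify the signature;
    use only on output captured from a test login against your own IdP."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        vals = [v.text.strip() for v in a.iterfind("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(a.get("Name"), []).extend(vals)
    ctx = [c.text.strip() for c in root.iterfind(".//saml:AuthnContextClassRef", NS) if c.text]
    # R&S (simplified): ePPN + mail + (displayName, or givenName and sn); affiliation optional
    has_name = bool(attrs.get(DISPLAY)) or bool(attrs.get(GIVEN) and attrs.get(SN))
    iap = sorted(v[len(IAP_PREFIX):] for v in attrs.get(ASSURANCE, []) if v.startswith(IAP_PREFIX))
    return {
        "mfa_signaled": REFEDS_MFA in ctx,
        "rs_attributes": bool(attrs.get(EPPN) and attrs.get(MAIL)) and has_name,
        "iap_values": iap,
        "local_enterprise": "local-enterprise" in iap,
    }

def build_sample(ctx_class, attrs):
    """Constructed, unsigned assertion fragment for the demo (not real IdP output)."""
    body = "".join(
        f'<saml:Attribute Name="{n}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vs)
        + "</saml:Attribute>" for n, vs in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AuthnStatement><saml:AuthnContext>'
            f"<saml:AuthnContextClassRef>{ctx_class}</saml:AuthnContextClassRef>"
            f"</saml:AuthnContext></saml:AuthnStatement>"
            f"<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>")

READY = build_sample(REFEDS_MFA, {
    EPPN: ["jdoe@example.edu"], MAIL: ["jdoe@example.edu"], DISPLAY: ["J. Doe"],
    ASSURANCE: [IAP_PREFIX + "low", IAP_PREFIX + "local-enterprise"]})
NOT_READY = build_sample(  # password-only context, incomplete R&S bundle, no assurance
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    {EPPN: ["jdoe@example.edu"]})

if __name__ == "__main__":
    for label, xml_text in (("ready", READY), ("not ready", NOT_READY)):
        print(label, check_assertion(xml_text))
```

Because it skips signature and condition validation, this check is only a quick local inspection of what your IdP releases and does not stand in for the relying party's own validation.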

What Do I Need to Do?

When | What | Why

Now - September 2021

If you have eRA users:

  • implement MFA; support signaling using REFEDS MFA Profile
  • support REFEDS R&S
eRA requires users to sign in with MFA effective September 2021. NIH Login Service, used by eRA to process federated SSO, requires MFA signaling using REFEDS MFA Profile. eRA also requires user attributes defined in R&S. 

Getting Started, Step-by-Step

We understand this can be a complicated undertaking. You do not have to do everything at once. We've prepared a Step-by-Step Guide to help everyone along this journey. NIH also provides a Compliance Check Tool to help you to determine your campus' identity provider progress toward meeting these requirements.


Read the Step-by-Step Guide to Implement NIH Requirements (nih-ready-step-by-step)

Test your IdP with the NIH Security Compliance Check Tool (https://auth.nih.gov/CertAuthV3/forms/compliancecheck.aspx)

Community Activities

Several InCommon and international working groups are developing additional materials to clarify implementation details.

The Assured Access Working Group, chartered by the InCommon Trust and Assurance Board (CTAB), has developed the REFEDS Assurance Framework Implementation Guidance for InCommon Participants document to provide campus-level implementation guidance on implementing the REFEDS Assurance Framework by leveraging common campus identity proofing processes. 

The REFEDS MFA Subgroup, a taskforce chartered by the REFEDS Assurance Working Group, is answering detailed questions around MFA transaction handling. 

Consulting Assistance

Partners participating in the InCommon Catalyst Program are skilled and ready to help you design and implement solutions to meet these NIH requirements. If you need help, these Catalysts are great resources:

Resources


Highlights of select NIH Services

Electronic Research Administration Portal (eRA)

Access Requirements

Release Necessary User Information - Release the user information defined in the REFEDS Research & Scholarship (R&S) entity category.

Multi-factor Authentication - Accept multi-factor authentication requests and signal outcome using the REFEDS MFA Profile.

Now - Summer 2021

If you have users accessing any NIH resource:

  • Assess your current support for the 3 REFEDS Profiles; identify gaps and needs
  • Develop plans to implement MFA/REFEDS MFA Profile; support R&S, and identity assurance assertion using eduPersonAssurance
  • Follow the work of REFEDS Assurance Working Group and Assured Access Working group for emerging implementation guidance
  • Follow this page for late breaking updates
Get ready. Although not all resources will require all three elements (MFA, R&S, identity assurance), as NIH resources begin consolidating access via the new NIH Login Service, they will expect federated IdPs to support these profiles.

Next

Stay tuned. Follow this page by clicking the "watch" link at the top of the page to receive updates as we learn more.

More About the NIH Resources

Electronic Research Administration Portal (eRA)

Effective September 15, 2021, eRA (https://era.nih.gov) will require all of its users to sign in with MFA. eRA will accept qualified federated credentials. To qualify, the IdP needs to authenticate the user using MFA and signal the outcome using the REFEDS MFA Profile. In addition, eRA will require the IdP to release the user attributes defined in the REFEDS R&S category.

About eRA

and InCommon

eRA is NIH’s research administration portal. Principal Investigators and grant administrators from universities and research organizations use eRA to apply for and manage NIH-funded grants. eRA has about 40,000 users and over 204,000 grants in its database. Over 130,000 of the grants are issued to InCommon participants. 

Impact

If your institution receives NIH funding, your research administrators and principal investigators likely have access to eRA. 

Users who cannot sign in using a qualified credential from their home institution will be directed by eRA to create and use a login.gov credential to sign into eRA.

IdP Operator: sign into the eRA Security Compliance Check Tool to determine if your IdP meets eRA requirements.

National Center for Biotechnology Information (NCBI; PubMed)

Access Requirements

Release Necessary User Information - Release the user information defined in the REFEDS Research & Scholarship (R&S) entity category.

The National Center for Biotechnology Information (NCBI) operates PubMed, MyNCBI, SciENcv, MyBibliography, and a number of NCBI-managed data services. Effective June 2021, NCBI, including PubMed, will transition to use only federated credentials for user access (https://ncbiinsights.ncbi.nlm.nih.gov/2021/01/05/important-changes-ncbi-accounts-2021/).

NCBI (PubMed) requires a federated IdP to release attributes defined in R&S. It does not require MFA or eduPersonAssurance identity assurance information.

About NCBI and PubMed

and InCommon

The National Center for Biotechnology Information (NCBI) is a division of the National Library of Medicine (NLM) at the National Institutes of Health (NIH). As a national resource for molecular biology information, NCBI's mission is to develop new information technologies to aid in the understanding of fundamental molecular and genetic processes that control health and disease. 

PubMed is one of the world’s largest online biomedical research databases. It has millions of users around the world. It is likely that all universities have some students or faculty accessing PubMed today

NIH Login Service

About NIH Login Service

The NIH Login Service is an NIH Identity and Access Management service offered by CIT to provide centralized authentication and Single Sign On (SSO) capability for web-based applications. The NIH Login is a "one-stop shop" which allows logins from all of NIH staff, eRA Commons, HHS employees, and various Federated partners

Researcher

Auth

Authorization Service (RAS)

Access Requirements

Release Necessary User Information - Release the user information defined in the REFEDS Research & Scholarship (R&S) entity category.

Multi-factor Authentication - Accept multi-factor authentication requests and signal outcome using the REFEDS MFA Profile.

Share Identity Assurance Information - Signal user identity assurance information using the REFEDS Assurance Framework.

About RAS

RAS (https://datascience.nih.gov/researcher-auth-service-initiative), a component of the NIH Login Service launching in 2021, facilitates access to NIH’s open and controlled data assets and repositories in a consistent and user-friendly manner. Over time, RAS will become the access gateway to many of the NIH data services. Among them:

dbGaP - The database of Genotypes and Phenotypes (dbGaP) was developed to archive and distribute the data and results from studies that have investigated the interaction of genotype and phenotype in humans.

All of Us - The All of Us Research Program is inviting one million people across the U.S. to help build one of the most diverse health databases in history. We welcome participants from all backgrounds. Researchers will use the data to learn how our biology, lifestyle, and environment affect health. This may one day help them find ways to treat and prevent disease.

NIMH Data Archive - The National Institute of Mental Health Data Archive (NDA) makes available human subjects data collected from hundreds of research projects across many scientific domains. NDA provides infrastructure for sharing research data, tools, methods, and analyses enabling collaborative science and discovery. De-identified human subjects data, harmonized to a common standard, are available to qualified researchers. Summary data are available to all.



Key Resources

Past Events

(September 8, 2021) Microsoft / Cirrus Identity Webinar - Leveraging Azure AD & Cirrus Identity Bridge to meet the NIH MFA Mandate 

Join Microsoft and Cirrus Identity to learn how the Cirrus Identity Bridge makes it easy for educational institutions to leverage Azure AD and their membership in the InCommon Federation to meet NIH's MFA requirement.

(Session Recording)

(May 12, 2021) IAM Online - Increasing Identity Assurance and Improving NIH Readiness

(Slides and Recording)

(April 14, 2021) IAM Online -

Follow the Updates

We will post updates to implementation announcements on this page as they become available. Follow this page by clicking the "Watch" link above to receive the latest updates.

Event Calendar

April 14, 2021 - IAM Online: National Institutes of Health (NIH) New MFA and Identity Requirements


April IAMOnline - Wednesday, April 14, 2021

2 pm ET | 1 pm CT | Noon MT | 11 am PT
(Slides and Recording)

(April 1, 2021) NIH Office Hour

Join representatives from InCommon and the National Institutes of Health to discuss the coming changes to the NIH electronic Research Administration (eRA) modules.

Thursday, April 1
4 pm ET | 3 pm CT | 2 pm MT | 1 pm PT

(Zoom Recording)

March 10, 2021 - NIH Office Hour

(Zoom Recording)

Resources

  • REFEDS MFA Profile
  • REFEDS Research and Scholarship (R&S)
  • REFEDS Assurance Framework
  • r-and-s-in-plain-english
  • REFEDS Assurance Working Group wiki
  • Assured Access Working Group wiki
  • eRA Security Compliance Check Tool