
Call to Action

The National Institutes of Health (NIH) is introducing a new Login Service gateway to streamline external user access to NIH online resources.

To ensure there is appropriate authentication and identity proofing to meet US agency requirements, and to facilitate user access provisioning, NIH is calling on federated identity providers (e.g., identity providers, or IdPs, published in the InCommon Federation) to support 3 interoperability and assurance frameworks defined by the research and education community:

  • Streamlined user attribute release by supporting REFEDS Research & Scholarship (R&S) entity category. 
  • Implement strong authentication: perform multi-factor authentication (MFA) and signal MFA using REFEDS MFA Profile. 
  • Communicate identity proofing and assurance using the REFEDS Assurance Framework.

By September 15, 2021, NIH asks that you:

  1. Adopt the REFEDS Research and Scholarship Entity Category (R&S) - Signal a standard set of basic, non-sensitive information (persistent unique identifier, name, email + affiliation)
  2. Adopt the REFEDS MFA profile (https://refeds.org/profile/mfa) - Signal your assurance of strong authentication (MFA)
  3. Adopt the REFEDS Assurance Framework v1 - Signal your assurance of the person’s identity (at min. “Local Enterprise”)

When Does All This Happen?

Full implementation of all three elements will take time. Identity Provider operators in the InCommon Federation should begin planning and implementation as soon as possible, noting the following upcoming milestone dates:

Date | Event/Milestone / Impact
September 15, 2021
  • Milestone: NIH’s electronic Research Administration (eRA) application begins to require all of its users to sign in with MFA
  • IdP Requirements:
    • MUST perform MFA for users who need to sign into eRA
    • MUST support SAML Authentication Context signaling defined in the REFEDS MFA Profile 
    • MUST support REFEDS R&S entity category 
    • SHOULD begin to support eduPersonAssurance - assert at least local-enterprise for qualified individuals. 
  • Impact: Users who cannot perform MFA with their campus credential will be directed to create an account at login.gov
  • Related Activities
May 2021
  • Milestone: NIH Login Service begins signaling MFA requests using REFEDS MFA Profile and makes access decisions based on a user's identity assurance profile (IAP / eduPersonAssurance) and the access requirements of the resource the user requested
  • IdP Requirements:
    • SHOULD support SAML Authentication Context signaling defined in the REFEDS MFA Profile (i.e., understand how to handle an MFA request signaled using REFEDS MFA Profile even if you do not perform MFA)
    • SHOULD support REFEDS R&S entity category 
    • SHOULD be ready to support identity assurance assertion using eduPersonAssurance
  • Impact
    • Users may encounter an authentication error if the IdP does not support MFA signaling using the REFEDS MFA Profile.
    • Users may not be able to access some resources if the IdP does not release user attributes defined in the REFEDS R&S entity category and/or does not release applicable eduPersonAssurance values for the user.
  • Related Activities
    • The Assured Access Working Group, a joint InCommon/NIH effort, is mapping common campus identity proofing procedures to REFEDS Assurance Framework (eduPersonAssurance) values. It is also developing a mapping between eduPersonAssurance and NIST identity assurance levels. Further, the working group is producing campus adoption guidance to help campuses implement eduPersonAssurance.
Summer 2021
  • Milestone: PubMed to transition to use only federated credentials for user sign-in
  • IdP Requirements
    • MUST support REFEDS R&S entity category 
  • Impact: Campuses with users accessing PubMed (likely all InCommon IdP campuses) need to be ready to support federated sign-in to PubMed
TBD
  • Additional NIH services to come online throughout 2021 and beyond. Watch this page for updates.

What Do I Need to Do?

When | What | Why
Now - September 2021

If you have eRA users:

  • implement MFA; support signaling using REFEDS MFA Profile
  • support REFEDS R&S
eRA requires users to sign in with MFA effective September 2021. NIH Login Service, used by eRA to process federated SSO, requires MFA signaling using REFEDS MFA Profile. eRA also requires user attributes defined in R&S. 
Now - Summer 2021

If you have users accessing any NIH resource:

  • Assess your current support for the 3 REFEDS Profiles; identify gaps and needs
  • Develop plans to implement MFA/REFEDS MFA Profile; support R&S, and identity assurance assertion using eduPersonAssurance
  • Follow the work of REFEDS Assurance Working Group and Assured Access Working group for emerging implementation guidance
  • Follow this page for late breaking updates


Get ready. Although not all resources will require all three elements (MFA, R&S, identity assurance), as NIH resources begin consolidating access via the new NIH Login Service, they will expect federated IdPs to support these profiles. 
Next

Stay tuned. Follow this page by clicking the "watch" link at the top of the page to receive updates as we learn more.

More About the NIH Resources

Electronic Research Administration Portal (eRA)

Effective September 15, 2021, eRA (https://era.nih.gov) will require all of its users to sign in with MFA. eRA will accept qualified federated credentials. To qualify, the IdP needs to authenticate the user using MFA and signal the outcome using REFEDS MFA Profile. In addition, eRA will require the IdP to release user attributes defined in the REFEDS R&S category.
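An IdP operator can check these three elements against a decrypted test assertion from their own IdP. The following is an added example, not NIH or InCommon code: it assumes attributes are released under their standard urn:oid names, treats eduPersonPrincipalName as the R&S identifier and affiliation as optional, and uses constructed sample assertions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REFEDS_MFA = "https://refeds.org/profile/mfa"
IAP_LOCAL = "https://refeds.org/assurance/IAP/local-enterprise"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
OID = {  # urn:oid attribute names from the eduPerson / LDAP schemas
    "eppn": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "givenName": "urn:oid:2.5.4.42",
    "sn": "urn:oid:2.5.4.4",
    "assurance": "urn:oid:1.3.6.1.4.1.5923.1.1.1.11",
}

def check_assertion(xml_text):
    """Report which of the three elements one decrypted SAML assertion signals.
    Diagnostic only: no signature, audience or time validation is done here."""
    root = ET.fromstring(xml_text)
    refs = [e.text.strip() for e in root.iterfind(".//saml:AuthnContextClassRef", NS) if e.text]
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        vals = [v.text.strip() for v in a.iterfind("saml:AttributeValue", NS) if v.text and v.text.strip()]
        attrs.setdefault(a.get("Name"), []).extend(vals)
    def has(key):
        return bool(attrs.get(OID[key]))
    return {
        "mfa": REFEDS_MFA in refs,  # exact URI match, not "some MFA-looking class"
        "rs": has("eppn") and has("mail") and (has("displayName") or (has("givenName") and has("sn"))),
        "assurance": IAP_LOCAL in attrs.get(OID["assurance"], []),
    }

def sample(ctx, attrs):
    """Build a constructed, unsigned test assertion (not real IdP output)."""
    rows = "".join(f'<saml:Attribute Name="{OID[k]}"><saml:AttributeValue>{v}'
                   f'</saml:AttributeValue></saml:Attribute>' for k, v in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AuthnStatement><saml:AuthnContext>'
            f'<saml:AuthnContextClassRef>{ctx}</saml:AuthnContextClassRef></saml:AuthnContext>'
            f'</saml:AuthnStatement><saml:AttributeStatement>{rows}</saml:AttributeStatement>'
            f'</saml:Assertion>')

READY = sample(REFEDS_MFA, {"eppn": "pi@example.edu", "mail": "pi@example.edu",
                            "displayName": "Pat Investigator", "assurance": IAP_LOCAL})
NOT_READY = sample(PASSWORD, {"eppn": "pi@example.edu", "mail": "pi@example.edu",
                              "givenName": "Pat",  # no sn, so the name requirement fails
                              "assurance": "https://refeds.org/assurance/IAP/low"})

if __name__ == "__main__":
    for label, xml_text in (("ready", READY), ("not ready", NOT_READY)):
        print(label, check_assertion(xml_text))
```

For eRA in September 2021 the "mfa" and "rs" results correspond to the MUST items in the milestone list, and "assurance" to the SHOULD item.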

About eRA and InCommon

eRA is NIH’s research administration portal. Principal Investigators and grant administrators from universities and research organizations use eRA to apply for and manage NIH-funded grants. eRA has about 40,000 users and over 204,000 grants in its database. Over 130,000 of the grants are issued to InCommon participants. 

Impact

Users who cannot sign in using a qualified credential from their home institution will be directed to create and use a login.gov credential to sign into eRA.

National Center for Biotechnology Information (NCBI; PubMed)

Effective June 2021, NCBI, including PubMed, will transition to use only federated credentials for user access (https://ncbiinsights.ncbi.nlm.nih.gov/2021/01/05/important-changes-ncbi-accounts-2021/).

PubMed requires a federated IdP to release attributes defined in R&S. It does not require MFA or eduPersonAssurance. 

About PubMed and InCommon

PubMed is one of the world’s largest online biomedical research databases. It has millions of users around the world. It is likely that all universities have some students or faculty accessing PubMed today. 

Researcher Auth Service (RAS)

RAS (https://datascience.nih.gov/researcher-auth-service-initiative), a component of the NIH Login Service launching in 2021, facilitates consistent and user-friendly access to NIH’s open and controlled data assets and repositories. 


This article is undergoing community review.



Follow the Updates

We will post updates to implementation announcements on this page as they become available. Follow this page by clicking the "Watch" link above to receive the latest updates.

Event Calendar

April 14, 2021 - IAM Online: National Institutes of Health (NIH) New MFA and Identity Requirements

April IAM Online - Wednesday, April 14, 2021
2 pm ET | 1 pm CT | Noon MT | 11 am PT

Slide sharing and audio via Zoom. Use this link at the day/time of the webinar:
https://www2.internet2.edu/l/66332/2021-01-19/cjrprc.

April 1, 2021 - NIH Office Hour

Join representatives from InCommon and the National Institutes of Health to discuss the coming changes to the NIH electronic Research Administration (eRA) modules.

Thursday, April 1
4 pm ET | 3 pm CT | 2 pm MT | 1 pm PT
(Zoom link: https://internet2.zoom.us/j/96615320068).

Resources
