Winter 2009 [Number 245]
Please note that this issue of Interface is an archived issue. Therefore, the information contained in each article may no longer be current.
For over a year now, NIH has been employing Federated Identity Management to provide staff with the means to collaborate with colleagues from outside NIH, including those from universities, other Department of Health and Human Services (HHS) Operating Divisions, and other federal agencies. For this purpose, CIT created the NIH Federated Identity Service.
NIH Federated Identity Service (the basics)
The NIH Federated Identity Service allows authorized individuals to access multiple applications and data sources across agencies using a single login and password. The service was featured in issue #243 of Interface, which explained how Federated Identity Management works, the role of the NIH Federated Identity Service in providing authorized users with access to resources, the benefits for individuals and agencies of using the service, and how security issues are addressed. The bottom line is that users save time and have easier access to resources, NIH reduces IT expenses because there are fewer outside accounts and help desk calls, and security is improved since the likelihood of logins and passwords being compromised due to “password overload” is lessened.
Until now, this service has been available only to researchers and other users at partner agencies and higher education institutions through the InCommon Federation, an education/industry/government consortium. If your agency or university did not have a Federated Identity Management agreement through InCommon, or if you were a private citizen without institutional affiliation, you were out of luck, and could only access NIH resources the old-fashioned way—a separate login and password for each application or resource.
This is changing in a big way. On September 9, 2009, ten industry leaders—Yahoo!, PayPal, Google, Equifax, AOL, VeriSign, Acxiom, Citi, Privo, and Wave Systems—announced that they will support the first government Open Identification pilot program. These companies, using OpenID and Information Card technologies, will act as digital identity providers. The federal-wide Open Identity for Open Government Initiative seeks to work towards making it easy for individuals to register and participate in government websites without having to continually create new usernames and passwords—a goal set in President Obama’s January 2009 Transparency and Open Government memorandum.
Dr. Jack Jones, NIH CIO and acting director, CIT, announced: “As a world leader in science and research, NIH is pleased to participate in this next step for promoting collaboration among agencies and institutions. Within a few weeks, OpenID and Information Card credentials will join those currently in use from InCommon as external credentials trusted by NIH.”
The Open Identity for Open Government Initiative
The intent of the initiative is to transform government websites into more accessible and interactive resources, saving individuals time and increasing their direct involvement in governmental decision-making. NIH is the first federal agency to participate in the Open Identity for Open Government Initiative pilot program. The ten participating companies are being certified under non-discriminatory open-trust frameworks developed under collaboration between the OpenID Foundation (OIDF) and the Information Card Foundation (ICF) and reviewed by the federal government.
OpenID and Information Card technologies make such access simple and safe. For example, in the coming months NIH intends to use OpenID and Information Cards to support a number of services including customized library searches, access to training resources, registration for conferences, and use of medical research wikis, all with strong privacy protections. "This is a significant leap in participatory democracy," said Don Thibeau, executive director of the OpenID Foundation (OIDF). "Following President Obama's directive, our government has worked with market leading companies to leverage modern, open standards to engage with its citizens. When the government adopts open identity standards and trust frameworks, the result is better service, more transparency, and greater accountability."
OpenID and Information Cards
OpenID is a web registration and single sign-on protocol that lets users register and log in to OpenID-enabled websites using their own choice of OpenID identifier. With OpenID, individuals can use the services of a third-party OpenID provider (such as AOL, Google, or Yahoo), where they may already have an account. One key advantage of OpenID is that it requires no client-side software—it works with any standard Internet browser.
An Information Card—often described as a “virtual wallet”—is a new approach to Internet-scale digital identity in which all of a user’s identities, whether self-created or from third-party identity providers (such as an employer, financial institution, school, or government agency), are uniformly represented as visual “cards” in a software application called a card selector. There are three types of cards: personal (self-asserted), managed (issued by a third party), and mixed (third-party with additional self-asserted information).
Both standards can provide different Levels of Assurance (LOAs) in regard to verifying the identity of the user. For some activities, such as saving library catalog searches, these credentials will enable the user to remain completely anonymous; for others they may require personal information such as name, email address, age, gender, and so on. The Open Identity for Open Government Initiative will enable individuals to choose the identity technology, identity provider, and security credential with which they are most comfortable, while enabling government websites to accept and trust these credentials. This approach leads to increased innovation and lower costs for both government and citizens.
Open trust frameworks also allow different levels of trust based upon what the organization decides is needed by particular individuals. No matter which standard is utilized, authenticated users have access only to those resources for which they have been authorized. "Open government cannot and will not compromise either security or privacy," said Drummond Reed, executive director of the Information Card Foundation (ICF). "By working with private industry, the U.S. government is harnessing the innovation and efficiencies of the open market and letting citizens choose their preferred means of engaging with government agencies."
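As an added illustration (not code from the article, NIH, or either foundation), the following shows the checks an OpenID 2.0 relying party such as NIH Login must run on a positive assertion coming back from a provider before treating the user as authenticated: the return URL, the discovered provider endpoint, the list of signed fields, the HMAC signature made with the association key, and the one-time response nonce. The provider and relying-party URLs, the association key, and the nonce are constructed sample values.

```python
import base64
import hmac
OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields an OP must always sign in a positive assertion (OpenID 2.0, section 10.1).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

def kv_form(fields, names):
    """Key-Value Form of the listed fields, namespace prefix stripped (section 6.1)."""
    return "".join(f"{n}:{fields['openid.' + n]}\n" for n in names)

def compute_sig(fields, mac_key, hash_name):
    """Base64 HMAC over the Key-Value Form of the openid.signed fields (section 6.2)."""
    mac = hmac.new(mac_key, kv_form(fields, fields["openid.signed"].split(",")).encode(), hash_name)
    return base64.b64encode(mac.digest()).decode()

class RelyingParty:
    """The checks an OpenID 2.0 relying party runs on a positive assertion (section 11)."""
    def __init__(self, mac_key, hash_name, return_to, op_endpoint):
        self.mac_key, self.hash_name = mac_key, hash_name          # from the association with the OP
        self.return_to, self.op_endpoint = return_to, op_endpoint  # our URL and the discovered OP endpoint
        self.seen_nonces = set()                                   # replay protection (section 11.3)

    def verify(self, fields):
        if fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        if fields.get("openid.return_to") != self.return_to:
            return False, "return_to mismatch"                     # section 11.1
        if fields.get("openid.op_endpoint") != self.op_endpoint:
            return False, "unexpected OP endpoint"                 # section 11.2
        signed = set(fields.get("openid.signed", "").split(","))
        identity_fields = {"claimed_id", "identity"} & {k[7:] for k in fields}
        if not (REQUIRED_SIGNED | identity_fields) <= signed:
            return False, "required field not covered by signature"
        try:
            expected = compute_sig(fields, self.mac_key, self.hash_name)
        except KeyError:
            return False, "signed field missing from response"
        if not hmac.compare_digest(expected.encode(), fields.get("openid.sig", "").encode()):
            return False, "bad signature"                          # section 11.4
        if fields["openid.response_nonce"] in self.seen_nonces:
            return False, "replayed response"
        self.seen_nonces.add(fields["openid.response_nonce"])
        return True, fields.get("openid.claimed_id", "")

# Constructed sample: a throwaway association key and fictitious OP/RP URLs.
SAMPLE_KEY, OP, RP_URL = b"constructed-mac-key", "https://op.example.test/ep", "https://rp.example.test/return"
ASSERTION = {"openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.op_endpoint": OP,
             "openid.claimed_id": "https://op.example.test/alice", "openid.return_to": RP_URL,
             "openid.response_nonce": "2009-11-20T10:00:00Zabc123", "openid.assoc_handle": "assoc-1",
             "openid.signed": "op_endpoint,claimed_id,return_to,response_nonce,assoc_handle"}
ASSERTION["openid.sig"] = compute_sig(ASSERTION, SAMPLE_KEY, "sha256")  # what the OP would have sent
```

A second presentation of the same assertion is rejected as a replay, and altering any signed field (for example the claimed identifier) invalidates the signature.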
Benefits for the average user
What will these developments do for the average user—the researcher at the National Cancer Institute, the Food and Drug Administration (FDA) grant reviewer, the graduate student at Ohio State studying dementia, or the private citizen doing a search on PubMed for a disease they are being treated for?
First, OpenID and Information Card technology will allow all of these users access to NIH and related resources, even if their institution or agency does not have an agreement with the NIH Federated Identity Service, or if they are unaffiliated with any government agency or higher education institution. Likewise, NIH staff will be able to gain access to resources provided by organizations that are not affiliated with the service, as long as the resource they seek access to accepts OpenID or Information Card.
Second, these technologies will help safeguard user privacy and the security of the applications they use. For the user, this means that sensitive personal information (such as one’s email address or login password) will not have to travel back and forth over the Internet for each login transaction. Using OpenID and Information Card protocols, authentication needs to be verified only once. Because users will need to remember only one login and password for numerous applications and resources they use, they will be less tempted to write down such sensitive information near their computer, potentially compromising access to confidential data.
Third, the plan is to expand the Open Identity initiative to agencies beyond NIH. The FDA is already taking part in the Federated Identity Service and will take part in the Open Identity initiative. GSA has signed on, and the Library of Congress has expressed a strong interest in joining.
NIH/CIT first got involved in working on federated identity in 2006 with the creation of a Federated Authentication Initiative. Cross-team discussions and R&D culminated in the NIH Login to support federated identity in 2007 and the full implementation of the Federated Identity Service (NIH Federated Login) in 2008. This pioneering work in the field of identity management was recognized with the NIH Director’s Award in 2008 for the Federated Authentication Initiative, which was led by Debbie Bucci, Valerie Wampler, Jane Small, Jim Seach, Tom Mason, and Peter Alterman.
The Government Information Technology Executive Council (GITEC) has awarded the GITEC 2009 Project Management Excellence Award to the NIH Federated Identity Service Team. Valerie Wampler accepted the award for Jack Jones, Debbie Bucci, and NIH/CIT at GITEC’s annual Information Processing Interagency Conference in March 2009. The award recognized the contributions made in the field of federated identity by the NIH Federated Identity Service.
The NIH Federated Authentication service was selected as one of the top 10 Government Innovators by InformationWeek 500.
Current status and future action
The Federal Identity Credential and Access Management subcommittee (FICAMSC) of the Chief Information Officers’ Council has developed a Trust Framework Adoption Process for Levels of Assurance (LOA) 1, 2, and 3 and a Scheme Adoption process to access credential providers. OpenID has established a scheme that currently qualifies at LOA1—the least stringent level of security, commonly used for blogs and other low-risk resources. NIH is currently testing OpenID with Google, Yahoo, VeriSign, and PayPal. Information Card has established a scheme that qualifies for LOA1, LOA2, and LOA3; PayPal and Equifax are proceeding with the adoption process to qualify at LOA2 and LOA3.
The OpenID Foundation (OIDF) and the Information Card Foundation (ICF) have adopted a common framework to certify identity providers. Under the OIDF and ICF's open-trust framework, any organization that meets the technical and operational requirements of the framework will be able to apply for certification as an identity provider. These organizations can then supply authentication credentials on behalf of their users.
Initially, the NIH SSO service will accept OpenID credentials as part of an “Open for Testing” phase. At that time, InCommon will begin to use OpenID and Information Card credentials. The NIH National Center for Biotechnology Information (NCBI) will implement OpenID for myncbi accounts, which support PubMed, and their SharePoint site for LOA1 resources. NIH Login will add Information Cards, as soon as upgrades are possible, for PayPal and Equifax. FICAMSC is expected to endorse more stringent one-time password (OTP) technology from both the banking and wireless industries to support LOA3 applications.
End game at NIH and beyond
The end goal of the Open Identity for Open Government Initiative at NIH/CIT is to give users of NIH websites and other electronic resources the ability to have a single account and login procedure that will allow access to all NIH applications, as well as other government and private sector applications. This will make it easier for users to access information resources, remove the responsibility for security authentication from website and application owners, and improve security.
You can find more information about Federated Identity Management at the NIH Federated Identity page (http://federatedidentity.nih.gov). For more information on NIH work with OpenID and Information Card protocols, please contact the NIH Help Desk at http://ithelpdesk.nih.gov or by phone at 301-496-4357, 301-496-8294 (TTY), or toll free at 866-319-4357.
You can also find more about OpenID and Information Card at the following websites:
Open Identity Solutions for Open Government
OpenID/Information Card white paper “Open Trust Frameworks for Open Government”
OpenID Federation website
Information Card Federation website
Note: All direct quotes in this article are taken from the NIH/CIT Press release “YAHOO!, PAYPAL, GOOGLE, EQUIFAX, AOL, VERISIGN, ACXIOM, CITI, PRIVO, WAVE SYSTEMS PILOT OPEN IDENTITY FOR OPEN GOVERNMENT” (available here: http://cit.nih.gov/NR/rdonlyres/DF7C7DA9-3303-438F-BD3C-21D3859BB843/0/OpenIdentityInitiativeFINALRelease9909.doc).
Published by Center for Information Technology, National Institutes of Health