Integration Services Center (ISC) – User Attributes for NIH Applications
29 September 2018
User Attributes for NIH Applications
Version # / Change Description / Owner / Date
1.0 / Initial Version / Chris Leggett / 10/7/2009
Purpose
The purpose of this document is to provide an overview of user attributes for NIH applications such as NIH Login and NIH Federated Identity Service.
Description
Many NIH applications utilize user attributes for authentication and authorization purposes. This document includes information on authentication user directories, authorization user directories, core user attributes, NIH Active Directory attributes, NIH External Active Directory attributes, eRA Commons OID, federation attributes, IMPACII, and special attributes. It also includes information on how level of assurance (LOA) is determined.
Authentication User Directories
Authentication is validated against the following directories:
- NIH AD
- NIH External AD
- eRA Commons OID
- Federation Store
Authorization User Directories
Authorization is validated against the following directories:
- IMPACII
- LDAP_ALL
Core User Attributes
There are 15 core user attributes. Five of these core attributes (SM_USER, USER_EMAIL, USER_AUTHN_LOA, USER_AUTHN_SOURCE, and USER_AUTHZ_SOURCE) must always be populated; the remaining ten may be empty depending on the user directory. Examples are included after each definition:
- SM_USER = the user's authentication login ID for NIH Login
SM_USER = smithjd
- USER_UPN = the user's user principal name (unique to the NIH Login system)
USER_UPN =
- USER_DN = user's distinguished name
USER_DN = cn=smithjd,ou=cit,ou=nih,dc=nih,dc=gov
- USER_UID = UID value for the username
USER_UID = smithjd
- USER_FIRSTNAME = user's first name
USER_FIRSTNAME = jane
- USER_LASTNAME = user's last name
USER_LASTNAME = smith
- USER_MIDDLENAME = user's middle name
USER_MIDDLENAME = dawn
- USER_EMAIL = user's email address
USER_EMAIL =
- USER_ADDRESS = user's address
USER_ADDRESS = 123 NIH Boulevard Suite 500 Bethesda MD 20817
- USER_ORG = user's parent organization
USER_ORG = NCI
- USER_TELEPHONE = user's telephone number
USER_TELEPHONE = 3018721000
- USER_GROUPS = user's groups
USER_GROUPS = NCI, FDA
- USER_AUTHN_LOA = authentication level of assurance (LOA) of the credential used; see Determining Level of Assurance below
USER_AUTHN_LOA = 230
- USER_AUTHN_SOURCE = authentication source (user directory) the user authenticated against
USER_AUTHN_SOURCE = NIH-External
- USER_AUTHZ_SOURCE = authorization source (user directory) the user is mapped against
USER_AUTHZ_SOURCE = LDAP_ALL
NIH Active Directory Attributes
There are four NIH Active Directory attributes. The NIH_CN and NIH_SAMACCOUNTNAME attributes may have the same or different values. Examples are included after each definition:
- NIH_CN = Common Name value found in the NIH AD
NIH_CN = smithjd
- NIH_SAMACCOUNTNAME = user's samaccount value that is found in the NIH AD
NIH_SAMACCOUNTNAME = smithjd
- NIH_DEPARTMENT = user's department value that is found in the NIH AD
NIH_DEPARTMENT = NCI
- NIH_EMPLOYEEID = the NIH employee ID found in the NIH AD (NED ID)
NIH_EMPLOYEEID = 00123456
NIH External Active Directory Attributes
There are two NIH External Active Directory attributes. The NIH_EXT_CN and NIH_EXT_SAMACCOUNTNAME attributes may have the same or different values. Examples are included after each definition:
- NIH_EXT_CN = Common Name value found in the NIH External AD
NIH_EXT_CN = smithjd
- NIH_EXT_SAMACCOUNTNAME = user's samaccount value that is found in the NIH External AD
NIH_EXT_SAMACCOUNTNAME = smithjd
eRA Commons OID Attribute
There is one eRA Commons attribute. An example is included after the definition:
- COMMONS_SM_CUSTOM_UPN = a custom UPN attribute created by SiteMinder for eRA Commons users
COMMONS_SM_CUSTOM_UPN =
Federation Attribute
There is one federation attribute. An example is included after the definition:
- FED_PERSIST_ID = the user's private persistent ID. It can be any combination of numbers, letters, and symbols, with a 256-character limit. The value is unique to the pair of identity provider and service provider (NIH): the same user is given a different persistent ID at each service provider, so that the user's activities cannot be correlated across service providers. It is set to enable user privacy.
FED_PERSIST_ID = M257J8&HOME%VALUE%00780098125300659
IMPACII Attributes
There is one IMPACII attribute. An example is included after the definition:
- IMPACII_USERID = the user's IMPACII userID
IMPACII_USERID = smithjd
NIH Login Specific Attributes
Several HTTP headers with the "HTTP_SM" prefix are sent to the application; these are used by NIH Login internally and the application should not depend on them. The one exception is SM_USER, which the application can utilize. SM_USER is populated with the login value the user entered during successful authentication against a particular user directory, and that value comes from a different attribute depending on the directory:
User directory / User directory authentication attribute
NIH Active Directory / samaccountname
NIH External Active Directory / samaccountname
eRA Commons OID / UID
Federation / UPN
Determining Level of Assurance
The authentication level of assurance (LOA) is determined by evaluating the USER_AUTHN_LOA header value. Since NIH Login is able to authenticate users with different credential types (such as user name/password, client certificates, smart card certificates, federation assertions, etc.), the system uses a ranged approach to the NIST SP 800-63 level of assurance values (1-4): the hundreds digit of USER_AUTHN_LOA is the 800-63 level, and the value within that range identifies the specific credential type. This allows the application to know which authentication mechanism was used and to allow only specific authentication credentials to access a resource. For example, an application could be set up to allow only level 4 NIH-issued PIV card certificates (USER_AUTHN_LOA = 460) and not allow FDA PIV card certificates (USER_AUTHN_LOA = 440), even though both are level 4.
800-63 LOA / NIH Login LOA Range
1 / 100-199
2 / 200-299
3 / 300-399
4 / 400-499
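The following is an added example (not code from this document or from NIH Login) of how an application behind NIH Login would consume the headers described above: it checks that the five required core attributes are populated, maps USER_AUTHN_LOA to its 800-63 level using the ranges in the table, and applies the document's NIH-PIV-only policy (allow 460, refuse 440). The header names and example values are taken from this document; the e-mail address, the function names, and the deployment assumption that the application is reachable only through the NIH Login web agent (so the headers cannot be supplied by the client) are assumptions of the example.

```python
"""Added example: consume NIH Login SSO headers and enforce an LOA policy."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# The five core attributes the document says must always be populated.
REQUIRED_ATTRIBUTES = (
    "SM_USER", "USER_EMAIL", "USER_AUTHN_LOA", "USER_AUTHN_SOURCE", "USER_AUTHZ_SOURCE",
)

# NIH Login LOA ranges mapped to NIST SP 800-63 levels 1-4 (the table in the document).
NIH_LOGIN_LOA_RANGES = {1: (100, 199), 2: (200, 299), 3: (300, 399), 4: (400, 499)}


class NihLoginHeaderError(ValueError):
    """Raised when the SSO headers are missing, malformed, or out of range."""


def nist_level_for(loa: int) -> int:
    """Map a USER_AUTHN_LOA value to its 800-63 level; reject values outside 100-499."""
    for level, (low, high) in NIH_LOGIN_LOA_RANGES.items():
        if low <= loa <= high:
            return level
    raise NihLoginHeaderError(f"USER_AUTHN_LOA {loa} is outside the NIH Login ranges 100-499")


@dataclass(frozen=True)
class Principal:
    user: str                # SM_USER: login value used at the authenticating directory
    email: str               # USER_EMAIL
    authn_loa: int           # USER_AUTHN_LOA, e.g. 230 or 460
    authn_source: str        # USER_AUTHN_SOURCE, e.g. NIH-External
    authz_source: str        # USER_AUTHZ_SOURCE, e.g. LDAP_ALL
    groups: Tuple[str, ...]  # USER_GROUPS split on commas

    @property
    def nist_level(self) -> int:
        return nist_level_for(self.authn_loa)


def parse_nih_login_headers(headers: Dict[str, str]) -> Principal:
    """Build a Principal from the header name/value pairs NIH Login forwards.

    Assumption (not stated in the document): the application is only reachable
    through the NIH Login web agent, so these headers were set by the agent.
    """
    missing = [name for name in REQUIRED_ATTRIBUTES if not headers.get(name, "").strip()]
    if missing:
        raise NihLoginHeaderError("required attribute(s) not populated: " + ", ".join(missing))
    raw_loa = headers["USER_AUTHN_LOA"].strip()
    if not raw_loa.isdigit():
        raise NihLoginHeaderError(f"USER_AUTHN_LOA is not numeric: {raw_loa!r}")
    loa = int(raw_loa)
    nist_level_for(loa)  # fail fast if the value falls in no defined range
    groups = tuple(g.strip() for g in headers.get("USER_GROUPS", "").split(",") if g.strip())
    return Principal(
        user=headers["SM_USER"].strip(),
        email=headers["USER_EMAIL"].strip(),
        authn_loa=loa,
        authn_source=headers["USER_AUTHN_SOURCE"].strip(),
        authz_source=headers["USER_AUTHZ_SOURCE"].strip(),
        groups=groups,
    )


def is_allowed(principal: Principal, min_nist_level: int = 1,
               allowed_loa_values: Optional[FrozenSet[int]] = None,
               required_group: Optional[str] = None) -> bool:
    """Resource policy: minimum 800-63 level, optional exact-LOA allow list, optional group."""
    if principal.nist_level < min_nist_level:
        return False
    if allowed_loa_values is not None and principal.authn_loa not in allowed_loa_values:
        return False
    if required_group is not None and required_group not in principal.groups:
        return False
    return True


# Constructed sample headers modelled on the document's Jane Smith examples.
# The e-mail address is a placeholder, not a real NIH value.
SAMPLE_HEADERS = {
    "SM_USER": "smithjd",
    "USER_EMAIL": "smithjd@example.gov",
    "USER_FIRSTNAME": "jane",
    "USER_LASTNAME": "smith",
    "USER_GROUPS": "NCI, FDA",
    "USER_AUTHN_LOA": "230",
    "USER_AUTHN_SOURCE": "NIH-External",
    "USER_AUTHZ_SOURCE": "LDAP_ALL",
}

# The document's example policy: NIH-issued PIV certificates (460) only, not FDA PIV (440).
NIH_PIV_ONLY = frozenset({460})


def demo() -> Dict[str, object]:
    """Evaluate the password sample and two PIV variants against the NIH-PIV-only policy."""
    password_user = parse_nih_login_headers(SAMPLE_HEADERS)
    nih_piv_user = parse_nih_login_headers({**SAMPLE_HEADERS, "USER_AUTHN_LOA": "460"})
    fda_piv_user = parse_nih_login_headers({**SAMPLE_HEADERS, "USER_AUTHN_LOA": "440"})
    policy = dict(min_nist_level=4, allowed_loa_values=NIH_PIV_ONLY)
    return {
        "password_level": password_user.nist_level,
        "password_allowed": is_allowed(password_user, **policy),
        "nih_piv_allowed": is_allowed(nih_piv_user, **policy),
        "fda_piv_allowed": is_allowed(fda_piv_user, **policy),
    }


if __name__ == "__main__":
    print(demo())
```

The exact-value allow list is what distinguishes the two level-4 credentials: a check on the 800-63 level alone would admit both 460 and 440, so a resource restricted to NIH-issued PIV cards has to compare the full USER_AUTHN_LOA value, not just its range.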
Contact Information
For additional information on this web service, .