Integration Services Center (ISC) – User Attributes for NIH Applications

29 September 2018 – Page 1

User Attributes for NIH Applications

Version # / Change Description / Owner / Date
1.0 / Initial Version / Chris Leggett / 10/7/2009

Purpose

The purpose of this document is to provide an overview of user attributes for NIH applications such as NIH Login and NIH Federated Identity Service.

Description

Many NIH applications utilize user attributes for authentication and authorization purposes. This document includes information on authentication user directories, authorization user directories, core user attributes, NIH Active Directory attributes, NIH External Active Directory attributes, eRA Commons OID, federation attributes, IMPACII, and special attributes. It also includes information on how level of assurance (LOA) is determined.

Authentication User Directories

Authentication is validated against the following directories:

  • NIH AD
  • NIH External AD
  • eRA Commons OID
  • Federation Store

Authorization User Directories

Authorization is validated against the following directories:

  • IMPACII
  • LDAP_ALL

Core User Attributes

There are 15 core user attributes. Five of these core attributes (SM_USER, USER_EMAIL, USER_AUTHN_LOA, USER_AUTHN_SOURCE, and USER_AUTHZ_SOURCE) must be populated. An example is included after each definition:

  • SM_USER = the user's authentication login ID for NIH Login

SM_USER = smithjd

  • USER_UPN = the user's user principal name: *unique to NIH Login system*

USER_UPN =

  • USER_DN = user's distinguished name

USER_DN = cn=smithjd,ou=cit,ou=nih,dc=nih,dc=gov

  • USER_UID = UID value for the username

USER_UID = smithjd

  • USER_FIRSTNAME = user's first name

USER_FIRSTNAME = jane

  • USER_LASTNAME = user's last name

USER_LASTNAME = smith

  • USER_MIDDLENAME = user's middle name

USER_MIDDLENAME = dawn

  • USER_EMAIL = user's email address

USER_EMAIL =

  • USER_ADDRESS = user's address

USER_ADDRESS = 123 NIH Boulevard Suite 500 Bethesda MD 20817

  • USER_ORG = user's parent organization

USER_ORG = NCI

  • USER_TELEPHONE = user's telephone number

USER_TELEPHONE = 3018721000

  • USER_GROUPS = user's groups

USER_GROUPS = NCI, FDA

  • USER_AUTHN_LOA = authentication level of assurance (LOA)

USER_AUTHN_LOA = 230

  • USER_AUTHN_SOURCE = authentication source user authenticated against

USER_AUTHN_SOURCE = NIH-External

  • USER_AUTHZ_SOURCE = authorization source the user is mapped against

USER_AUTHZ_SOURCE = LDAP_ALL

NIH Active Directory Attributes

There are 3 NIH Active Directory attributes. The NIH_CN and NIH_SAMACCOUNTNAME attributes may have the same or different values. An example is included after each definition:

  • NIH_CN = Common Name value found in the NIH AD

NIH_CN = smithjd

  • NIH_SAMACCOUNTNAME = user's sAMAccountName value found in the NIH AD

NIH_SAMACCOUNTNAME = smithjd

  • NIH_DEPARTMENT = user's department value found in the NIH AD

NIH_DEPARTMENT = NCI

  • NIH_EMPLOYEEID = the NIH employee ID found in the NIH AD (NED ID)

NIH_EMPLOYEEID = 00123456

NIH External Active Directory Attributes

There are 2 NIH External Active Directory attributes. The NIH_EXT_CN and NIH_EXT_SAMACCOUNTNAME attributes may have the same or different values. An example is included after each definition:

  • NIH_EXT_CN = Common Name value found in the NIH External AD

NIH_EXT_CN = smithjd

  • NIH_EXT_SAMACCOUNTNAME = user's sAMAccountName value found in the NIH External AD

NIH_EXT_SAMACCOUNTNAME = smithjd

eRA Commons OID Attribute

There is one eRA Commons attribute. An example is included after the definition:

  • COMMONS_SM_CUSTOM_UPN = a custom attribute created by SiteMinder

COMMONS_SM_CUSTOM_UPN =

Federation Attribute

There is one federation attribute. An example is included after the definition:

  • FED_PERSIST_ID = the user's private persistent ID. It can be any combination of numbers, letters, and symbols, with a 256-character limit. It is a value that is unique between the identity provider and the service provider (NIH). It is set to protect user privacy by preventing the correlation of a user's activities across service providers.

FED_PERSIST_ID = M257J8&HOME%VALUE%00780098125300659

IMPACII Attributes

There is one IMPACII attribute. An example is included after the definition:

  • IMPACII_USERID = the user's IMPACII userID

IMPACII_USERID = smithjd

NIH Login Specific Attributes

There are several HTTP headers sent to the application that are intended for NIH Login's internal use. These attributes carry the "HTTP_SM" prefix. However, there is one attribute, SM_USER, that the application can utilize. It is populated with the login value the user entered during successful authentication against a particular user directory; the table below shows which directory attribute supplies that value.

User directory / User directory authentication attribute
NIH Active Directory / samaccountname
NIH External Active Directory / samaccountname
eRA Commons OID / UID
Federation / UPN

Determining Level of Assurance

The authentication level of assurance (LOA) is determined by evaluating the USER_AUTHN_LOA header value. Since NIH Login is able to authenticate users with different credential types (such as user name/password, client certificates, smartcard certificates, federation assertions, etc.), the system uses a ranged approach to the NIST 800-63 level of assurance values (1-4). This lets the application know which authentication mechanism was used and allow only specific authentication credentials to access a resource. For example, an application could be set up to allow only level 4 NIH-issued PIV card certificates (USER_AUTHN_LOA = 460) and not FDA PIV card certificates (USER_AUTHN_LOA = 440).

800-63 LOA / NIH Login LOA Range
1 / 100-199
2 / 200-299
3 / 300-399
4 / 400-499
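The following is an added example, not code from the ISC document or from NIH Login itself. It applies the mandatory-attribute rule from the Core User Attributes section and the LOA range table above: it refuses a request whose five required headers are not populated, maps USER_AUTHN_LOA onto its 800-63 level, and enforces either a minimum level or an explicit list of allowed LOA codes (the 460-versus-440 case from the text). The header sets and the e-mail address are constructed sample data; the function names are this example's own.

```python
"""Added example: check NIH Login headers and evaluate USER_AUTHN_LOA.
Header dictionaries below are constructed sample data, not real users."""

# The five core attributes the document says must be populated.
REQUIRED_CORE = ("SM_USER", "USER_EMAIL", "USER_AUTHN_LOA",
                 "USER_AUTHN_SOURCE", "USER_AUTHZ_SOURCE")

# NIH Login LOA ranges -> NIST 800-63 level, from the table in the document.
LOA_RANGES = {1: (100, 199), 2: (200, 299), 3: (300, 399), 4: (400, 499)}


def missing_core_attributes(headers):
    """Return the names of mandatory core attributes that are absent or blank."""
    return [n for n in REQUIRED_CORE if not str(headers.get(n, "")).strip()]


def nist_level(loa_value):
    """Map a USER_AUTHN_LOA value to its 800-63 level (1-4).
    Returns None when the value is missing, non-numeric or outside every range."""
    try:
        code = int(str(loa_value).strip())
    except (TypeError, ValueError):
        return None
    for level, (low, high) in LOA_RANGES.items():
        if low <= code <= high:
            return level
    return None


def authorize(headers, min_level=None, allowed_codes=None):
    """Deny unless all mandatory attributes are present, the LOA parses,
    the level meets min_level, and (if given) the exact code is allowed."""
    if missing_core_attributes(headers):
        return False
    level = nist_level(headers.get("USER_AUTHN_LOA"))
    if level is None or (min_level is not None and level < min_level):
        return False
    if allowed_codes is not None:
        return int(str(headers["USER_AUTHN_LOA"]).strip()) in allowed_codes
    return True


# Constructed header sets modelled on the document's examples (placeholder e-mail).
BASE = {"SM_USER": "smithjd", "USER_EMAIL": "smithjd@example.invalid",
        "USER_AUTHN_LOA": "230", "USER_AUTHN_SOURCE": "NIH-External",
        "USER_AUTHZ_SOURCE": "LDAP_ALL"}          # password login, level 2
NIH_PIV = dict(BASE, USER_AUTHN_LOA="460")       # NIH-issued PIV certificate
FDA_PIV = dict(BASE, USER_AUTHN_LOA="440")       # FDA PIV certificate
```

Because the application only ever sees these values as HTTP headers, the parse-and-range check treats anything non-numeric or out of range as no assurance at all rather than defaulting to a level.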

Contact Information

For additional information on this web service, .