Using PIV Cards with NIH Login
Chris Leggett, NIH Login Technical Lead, CIT/NIH
Page 2 Overview
- Architecture
- Web PIV authentication flow
- Application integration
Integration Services Center (ISC) Contact:
Page 3 Architecture
Page 4 NIH Login AuthN Flow Part 1
1. User attempts to access a web resource.
2. AuthN session valid?
   - Yes: access to requested web resource.
   - No: NIH Login displays login screen.
3. User selects PIV card authentication.
4. NIH Login requests certificate from browser.
Page 5 NIH Login AuthN Flow Part 2
1. Does the browser respond with a cert?
   - No: display "cert not found" error.
2. Is cert issued by a trusted CA?
   - No: display "cert not trusted" error.
3. Is cert revoked? (Verified via OCSP)
   - Yes: display "cert revoked" error.
4. Parse cert attributes. Is cert a PIV card?
   - No: display "PIV card not found" error.
   - Yes: continue to Part 3.
Page 6 NIH Login AuthN Flow Part 3
1. Encrypted token sent to Policy Server via web agent.
2. Map cert attributes to an NIH AD account.
3. Is a user found?
   - No: display user mapping error.
   - Yes: HTTP headers include user attributes plus AuthNContext = 460.
4. Redirected to requested resource.
5. Access to requested web resource.
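The decision sequence of Parts 2 and 3, written out as an added example (not NIH Login or SiteMinder code). The certificate record, trust store, revocation set (standing in for the OCSP query), the Active Directory lookup keyed on a userPrincipalName, and the use of the PIV Authentication policy OID as the "is this a PIV card" test are all assumptions of this example; the slides name the checks and their error screens but not how each is implemented.

```python
"""Decision logic of the NIH Login PIV flow (Parts 2 and 3 of the slides), modelled in
plain Python. Added illustration, not NIH Login or SiteMinder code: the certificate
record, the trust store, the revocation set (standing in for the OCSP query) and the
AD directory are all constructed here."""
from dataclasses import dataclass, field
from typing import Optional

# Policy OID carried by PIV Authentication certificates (id-fpki-common-authentication).
# Assumption: the slides do not say how "Is cert a PIV card?" is decided; this example
# uses the presence of that policy OID as the test.
PIV_AUTH_POLICY_OID = "2.16.840.1.101.3.2.1.3.13"

# AuthNContext value the slides assign to an HHS-issued PIV card.
PIV_AUTHN_CONTEXT = 460


@dataclass
class CertRecord:
    """The handful of certificate fields the flow consults (a real agent parses X.509)."""
    issuer: str
    serial: int
    subject: str
    policy_oids: list = field(default_factory=list)
    upn: Optional[str] = None  # assumed mapping key: userPrincipalName from the SAN


@dataclass
class Outcome:
    ok: bool
    error: Optional[str] = None  # the error screen NIH Login would display
    headers: dict = field(default_factory=dict)  # what the web agent passes to the app


def authenticate_piv(cert, trusted_cas, revoked, ad_accounts):
    """Run the checks in the order the slides give them; the first failing check wins."""
    # Part 2, step 1: did the browser respond with a certificate at all?
    if cert is None:
        return Outcome(False, "cert not found")
    # Step 2: is the issuer in the trust store?
    if cert.issuer not in trusted_cas:
        return Outcome(False, "cert not trusted")
    # Step 3: revocation. The real flow asks the issuing CA's OCSP responder; here
    # `revoked` is a set of (issuer, serial) pairs standing in for that answer.
    if (cert.issuer, cert.serial) in revoked:
        return Outcome(False, "cert revoked")
    # Step 4: parse attributes and confirm this is a PIV authentication certificate.
    if PIV_AUTH_POLICY_OID not in cert.policy_oids:
        return Outcome(False, "PIV card not found")
    # Part 3: map certificate attributes to an NIH AD account.
    account = ad_accounts.get(cert.upn)
    if account is None:
        return Outcome(False, "user mapping error")
    headers = dict(account)
    headers["AuthNContext"] = str(PIV_AUTHN_CONTEXT)
    return Outcome(True, headers=headers)


# Constructed sample trust store, revocation data and directory.
TRUSTED_CAS = {"CN=Example HHS Issuing CA"}
REVOKED = {("CN=Example HHS Issuing CA", 4242)}
AD_ACCOUNTS = {"1234567890@example.gov": {"SM_USER": "jdoe", "mail": "jdoe@example.nih.gov"}}


def make_cert(serial=1001, issuer="CN=Example HHS Issuing CA", piv=True,
              upn="1234567890@example.gov"):
    """Build a constructed certificate record; the parameters pick which check fails."""
    # 2.999 is the OID arc reserved for examples, so the non-PIV policy is clearly fake.
    return CertRecord(issuer=issuer, serial=serial, subject="CN=JANE DOE",
                      policy_oids=[PIV_AUTH_POLICY_OID] if piv else ["2.999.1"],
                      upn=upn)


if __name__ == "__main__":
    cases = [("no cert", None), ("untrusted", make_cert(issuer="CN=Unknown CA")),
             ("revoked", make_cert(serial=4242)), ("not PIV", make_cert(piv=False)),
             ("unmapped", make_cert(upn="nobody@example.gov")), ("good", make_cert())]
    for label, cert in cases:
        result = authenticate_piv(cert, TRUSTED_CAS, REVOKED, AD_ACCOUNTS)
        print(f"{label:10s} -> {'allow ' + str(result.headers) if result.ok else result.error}")
```

The order matters for a defender: the revocation check runs before any attribute parsing or directory lookup, so a revoked card never reaches the mapping step, and every failure maps to one specific error screen rather than a generic one, which makes the login logs attributable to a single failed check.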
Page 7 Application Integration
New applications
- SiteMinder Web Agent
- Process the HTTP headers
Current NIH Login protected apps
- Authentication Scheme change
Step-up authentication
- How to determine what credential was used?
Page 8 Determine AuthN Context
Credential (NIST LOA / NIH Login LOA Range) | AuthN Context
OpenID | 120
SAML | 130
InfoCard, eRA Commons user/pass | 230
NIH AD user/pass, InfoCard, HHS issued PIV to NIH User | 460
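How an application behind the web agent would answer "what credential was used?" and decide on step-up, covering the Application Integration and Determine AuthN Context slides. This is an added example, not NIH or SiteMinder code: the CGI-style header names, the per-path policy, and the numeric comparison (treating a larger AuthN Context as a stronger credential, which holds for the values in the slide's table) are assumptions of the example; only the AuthN Context values themselves come from the slides.

```python
"""Application-side use of the NIH Login headers: read the AuthNContext the SiteMinder
web agent sets and decide whether the credential that was used is strong enough for
the resource, i.e. whether step-up authentication is needed. Added example, not NIH or
SiteMinder code; header names and the per-path policy are constructed."""

# AuthN Context values from the "Determine AuthN Context" slide.
AUTHN_CONTEXT = {
    "OpenID": 120,
    "SAML": 130,
    "InfoCard / eRA Commons user/pass": 230,
    "HHS issued PIV to NIH User": 460,
}

# Assumed header names (CGI-style, as a WSGI app sees them); the slides only say the
# agent sends "user attributes plus AuthNContext".
CONTEXT_HEADER = "HTTP_AUTHNCONTEXT"
USER_HEADER = "HTTP_SM_USER"

# Constructed policy: minimum AuthNContext per path prefix. Comparing numerically assumes
# a larger value means a stronger credential, which is true of the slide's table.
RESOURCE_POLICY = {
    "/": AUTHN_CONTEXT["OpenID"],
    "/reports": AUTHN_CONTEXT["InfoCard / eRA Commons user/pass"],
    "/admin": AUTHN_CONTEXT["HHS issued PIV to NIH User"],
}


def required_context(path):
    """The longest matching path prefix in RESOURCE_POLICY decides the requirement."""
    if not path.startswith("/"):
        path = "/" + path
    matches = [p for p in RESOURCE_POLICY
               if path == p or path.startswith(p.rstrip("/") + "/")]
    return RESOURCE_POLICY[max(matches, key=len)]


def authn_context(environ):
    """Parse the agent-set AuthNContext; None means no usable NIH Login session."""
    raw = environ.get(CONTEXT_HEADER, "")
    return int(raw) if raw.strip().isdigit() else None


def decide(path, environ):
    """Return (decision, required) with decision one of 'allow', 'step-up', 'deny'.

    These headers only mean anything when the request reached the app through the web
    agent; it is the agent's job (not this code's) to ensure a client cannot supply
    them directly, so deploy the app so that it is reachable only via the agent."""
    required = required_context(path)
    ctx = authn_context(environ)
    if not environ.get(USER_HEADER) or ctx is None:
        return ("deny", required)      # no NIH Login session at all: send to login
    if ctx >= required:
        return ("allow", required)
    return ("step-up", required)       # valid session, but a weaker credential than needed


if __name__ == "__main__":
    # Constructed requests: a PIV session, a password session, and a missing session.
    piv = {USER_HEADER: "jdoe", CONTEXT_HEADER: "460"}
    password = {USER_HEADER: "jdoe", CONTEXT_HEADER: "230"}
    for path, env in [("/admin/users", piv), ("/admin/users", password),
                      ("/reports/q1", password), ("/reports/q1", {})]:
        print(path, decide(path, env))
```

The step-up branch is where an existing NIH Login protected app changes behaviour after the Authentication Scheme change: instead of failing closed on a password session, it can redirect the user back to NIH Login to present a PIV card and then re-evaluate the header.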
Page 9 Let's Get Started!
NIH ISC Support