Siteminder/OpenID Anthony Fletcher Division of Computational Bioscience Center for Information Technology


Siteminder/OpenID

Anthony Fletcher

Division of Computational Bioscience

Center for Information Technology


mAdb Microarray Data Management & Analysis System


mAdb Microarray Data Management & Analysis System

• Has 200 active users at any one time
• Users come and go depending on the stage of their research
• 20%-30% are external users
• There are users from Germany, Italy, Spain, Chile etc.
• Many external users were once at NIH
• All external users have an NIH sponsor


Human Salivary Proteome Project

CIT and NIDCR

• Expect approximately 50 to 100 users

• Most users from outside NIH, some outside USA

• Users invited by NIDCR


How do we handle external users?

• inCommon Federation
  – Not every organisation belongs
• NIHext LDAP
  – Cumbersome to enter user information
• OpenID
  – Choose Google, Yahoo!, VeriSign, PayPal
  – Not a free ride; a lot of information is missing or wrong


Authentication and Authorisation

• Authentication: who is this person?
• Authorisation: shall we let this person in?

OpenID provides authentication not authorisation. Each application still has to authorise users.


What do you get? NIH Staff

• First name
• Last name
• All of my NIH information :-)


What do you get? Google

Yahoo! is similar


What do you get? VeriSign

Email address is at user’s discretion, and may not even be valid

PayPal is similar


What can you rely on?

You can only rely on:
• Persistent ID (HTTP_FED_PERSIST_ID header)
  – https://openid.paypal-ids.com/?jwDOK7gSp3GHu7gAxPJmt0RI1CWmd2JFuK02i23TYeY=
• User UPN (HTTP_USER_UPN header)
  – Generated by CIT/DECA
  – user_31@federation_1.nih.gov

Use these as your user identification
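
How the two reliable headers above and the earlier authentication/authorisation split fit together in an application, as an added example that is not part of the original slides. It assumes the application is reachable only through the SiteMinder-protected web server, so a client cannot supply these headers itself; the registry, its entries and the function names are constructed for illustration.

```python
# Added example: authorisation keyed on the federation headers named on the slide.
# REGISTRY contents, AccessDenied, identify, authorise and app are constructed names.

REGISTRY = {  # filled in when a sponsored user registers (constructed sample data)
    "https://openid.example.org/?CONSTRUCTED-PERSISTENT-ID": {
        "upn": "user_31@federation_1.nih.gov",
        "sponsor": "sponsor@example.org",
        "active": True,
    },
}


class AccessDenied(Exception):
    """Raised when an authenticated identity is not authorised for this application."""


def identify(environ):
    """Authentication result: the two values the application can rely on."""
    pid = environ.get("HTTP_FED_PERSIST_ID", "").strip()
    upn = environ.get("HTTP_USER_UPN", "").strip()
    if not pid or not upn:
        raise AccessDenied("missing federation headers")
    return pid, upn


def authorise(environ, registry=REGISTRY):
    """Authorisation: the application's own decision, made from its own records."""
    pid, upn = identify(environ)
    record = registry.get(pid)  # exact match on the opaque ID, no normalisation
    if record is None:
        raise AccessDenied("identity not registered")
    if record["upn"] != upn:
        raise AccessDenied("UPN does not match the registered identity")
    if not (record["active"] and record["sponsor"]):
        raise AccessDenied("no active sponsor")
    return record


def app(environ, start_response):
    """Minimal WSGI entry point: 200 for authorised users, 403 otherwise."""
    try:
        record = authorise(environ)
    except AccessDenied as exc:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [str(exc).encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("Welcome, sponsored by " + record["sponsor"]).encode()]
```

Name and email values passed through by the identity provider play no part in the decision; anything the application needs beyond the two identifiers is collected at registration.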


OpenID Pros

• No need to manage user passwords
• Users are able to freely get accounts with these four vendors
• Open to every user
• Many users already have accounts


OpenID Cons

• Lack of information being passed through
• Still need to collect information from the user when identity is registered
• Persistent ID is not as pretty as a username


Progress

• mAdb are well on their way to implementing this for their external users

• HSPP currently use inCommon but will need to use OpenID for some of their users

• Other CIT/DCB projects are using NIHext, where OpenID would be a better option


In Conclusion

• NIHlogin is easy to use
• OpenID works with NIHlogin
• OpenID is an excellent replacement for NIHext, or otherwise managing accounts, for low assurance Web applications


Questions