Researcher Auth Service Initiative

The NIH is the largest biomedical research agency in the world and home to many valuable data resources and platforms at the forefront of data science. These resources are stewarded by the NIH Institutes, Centers, and Office.  The National Institutes of Health (NIH) Researcher Auth Service (RAS) service is part of NIH’s efforts toward a modernized, FAIR, biomedical data ecosystem. RAS facilitates access to NIH’s open and controlled access data assets and repositories in a consistent, secure, and use-friendly manner and provides researchers with a single sign-on experience across participating data resources.  This service is provided by the NIH’s Center for Information Technology and developed in collaboration with the NIH Strategic Plan for Data Science.

NIH RAS is advancing data infrastructure and ecosystem goals as defined in the NIH Strategic Plan for Data Science by leveraging appropriate policies that promote stewardship and sustainability, including the Global Alliance for Genomics and Health (GA4GH) and OpenID standards for integration of researcher-focused applications and data repositories over the OpenID Connect (OIDC) platform. By offering a cloud-based, centralized authentication, authorization, and audit logging service (see diagram), NIH RAS is enhancing the overall security posture of the NIH data ecosystem. With RAS, NIH-supported data systems delegate important identity and access controls to this central NIH service – NIH RAS. For researchers working in the NIH data ecosystem, NIH RAS provides a single sign-on (SSO) experience that enhances the user experience when searching for and accessing NIH’s open and controlled data assets.

NIH RAS currently offers the following identity providers (IdPs) for users to log in and access NIH data systems:

1. NIH Login (NIH Login)
2. eRA Commons (eRA Commons)
3. Login.gov with multifactor authentication (Login.gov)
4. InCommon Federation with multifactor authentication (InCommon Federation)

NIH-supported systems interested in onboarding to the NIH RAS service should visit the NIH RAS Service Offerings website for more information and contact information.

The NIH RAS Project Team continued to work with NIH data system owners to complete new integrations and deliver enhanced NIH RAS service offerings. The NIH RAS Project Team released a formal standard operating procedure (SOP) to support integration workflows from onboarding through to production deployment. NIH RAS also added the InCommon Federation as a new Identity Provider (IdP), enabling researchers to securely access NIH data systems using their home institutional credentials and multifactor authentication. Researchers can now link their eRA Commons (“eRA”) identities, InCommon Federation credentials, and Login.gov credentials, so they can log into NIH RAS using any of those identities. As new IdPs are integrated with NIH RAS, researchers will be able to link those identities as well.

The NIH RAS Project Team completed a proof-of-concept (PoC) using the Google Cloud Provider (GCP) Certificate Authority Service (CAS) to establish a Private Certificate Authority (CA) to issue transport layer security (TLS) certificates that can achieve certificate-based mutual authentication using a zero-trust security framework. The mutual TLS (mTLS) capability will add another layer of security assurance to the NIH data ecosystem once it is released, which is expected to happen in early 2023.

Participating NIH Systems:

NIH Data Systems using NIH RAS in production environments:

• Common Fund (CF)
  • Common Fund Data Ecosystem (CFDE) Phase 1
  • Gabriella Miller Kids First Pediatric Data Resource Center (KFDRC) Milestone 1
• National Cancer Institute (NCI)
  • Cancer Research Data Commons (CRDC) Milestone 1
• National Human Genome Research Institute (NHGRI)
  • Genomic Data Science Analysis, Visualization, and Informatics Lab-space (AnVIL) Milestone 1
• National Heart, Lung, and Blood Institute (NHLBI)
  • BioData Catalyst (BDC) Milestone 1
• National Institute of Child Health and Human Development (NICHD)
  • Data and Specimen Hub (DASH)
• National Institute of Mental Health (NIMH)
  • NIMH Data Archive (NDA) Phase 1
• Office of the Director (OD)
  • All of Us (AoU) Researcher Workbench Phase 1
  • NIH COVID Rapid Acceleration Diagnostics (RADx) Data Hub 1.0

NIH Data Systems actively developing new or updated NIH RAS integrations:

• Center for Information Technology (CIT)
  • Biomedical Research Informatics Computing System (BRICS)
• Common Fund (CF)
  • 4D Nucleome
  • Common Fund Data Ecosystem (CFDE) Portal
  • Human BioMolecular Atlas Program (HuBMAP)
• National Cancer Institute (NCI)
  • Cancer Research Data Commons (CRDC) Milestone 3
• National Center for Biotechnology Information (NCBI)
  • Database of Genotypes and Phenotypes (dbGaP) Power User Portal (PUP)
• National Human Genome Research Institute (NHGRI)
  • Analysis, Visualization, and Informatics Lab-space (AnVIL) Milestone 3
  • AnVIL Data Use Oversight System (AnVIL-DUOS)
• National Heart, Lung, and Blood Institute (NHLBI)
  • Cardiovascular Development Data Resource Center (CDDRC)
  • BioData Catalyst (BDC) Milestone 3
  • Pediatric Cardiac Genomics Consortium (PCGC) HeartsMart
  • INvestigation of Co-occurring conditions across the Lifespan to Understand Down syndromE (INCLUDE) Data Hub
  • NIH Researching COVID to Enhance Recovery (RECOVER) Data Resource Core (DRC)
• National Institute on Aging (NIA)
  • NIA Genetics of Alzheimer's Disease Data Storage Site (NIA NIAGADS) ADDAPT Cloud Commons Integration
• National Institute of Allergy and Infectious Diseases (NIAID)
  • Data Ecosystem
  • ImmPort
• National Institute of Child Health and Human Development (NICHD)
  • Data and Specimen Hub (DASH) Phase 3
• National Institute of Drug Abuse (NIDA)
  • ABCD-Loris-Instance
• National Institute of Mental Health (NIMH)
  • NIMH Data Archive (NDA) Phase 2
• National Library of Medicine (NLM)
  • Lister Hill Center – Research Data Finder (LHC-RDF)
• Office of the Director (OD)
  • Gabriella Miller Kids First Pediatric Data Resource Center (KFDRC) Milestone 3
  • Gabriella Miller Kids First Pediatric Data Resource Center (KFDRC) Undiagnosed Disease Network (UDN)
  • NIH COVID Rapid Acceleration Diagnostics (RADx) Data Hub 2.0

August 2020 – Phase 2 Partner Development Workshop

With COVID-19 preventing travel and large gatherings, January workshop attendees joined a virtual workshop to hear Phase 1 partner system lessons learned, progress updates, and view demonstrations of the new researcher workflows facilitated by their RAS integrations. Phase 2 partner system developers described their integration use cases and technical requirements for RAS Phase 2, including an extension of RAS-federated identity providers, accounting linking, and user experience modifications. RAS Phase 2 features are scoped for code completion in early November so RAS can deploy updates before the end of the year.

National Institute of Environmental Health Sciences (NIEHS), National Center for Advancing Translational Sciences (NCATS), and National Institute of Allergy and Infectious Diseases (NIAID) attended the workshop as potential future RAS partners.

August 2020 – Phase 1 Production Release

NIH deployed a RAS-dbGaP Visa and associated services that allow researchers to log in to RAS one time to access any integrated repository and run an analysis for up to 15 days without re-authenticating. NIH staff or extramural researchers can log into integration systems/applications using their NIH or eRA Commons credentials. Auth tokens move with the researcher as they navigate to any of the four Phase 1 Data Platforms. Existing rules for authorization are enforced so a user can only access data they have been authorized to view.

RAS uses open standards and protocols and provides integrating systems with many standards-based options for integration.

January 2020 – Phase 1 Partner Development Workshop

The RAS team hosted a workshop at NIH to provide partners with an update on the current state of RAS and the identity and access data available in RAS. The workshop also provided participants an opportunity to agree on the design for each RAS integration use case (interoperability step-by-step, application-to-application) and define the data to be contained within the tokens.

In addition to the participating NIH ICs, the following organizations were present: University of Chicago, Gen3, Children’s Hospital of Philadelphia (CHOP), Broad Institute, Renaissance Computing Institute (RENCI), Seven Bridges, Globus, Johns Hopkins, University of Maryland, and Institute for Systems Biology (ISB).

Important progress was made toward finalizing the initial architecture for Phase 1 of RAS-IC System integration use cases (CRDC/AnVIL, KFDRC/BioData Catalyst), and discussions were initiated for Phase 2 integrations (NDA, AoU, CFDE, NCBI). RAS also gathered requirements for security, technical research spikes, the first RAS-dbGaP Visa (based on GA4GH standards), and longer-term requirements.

October 2019 – Globus-eRA Integration

NIH staff and extramural researchers with an electronic Research Administration (eRA) Commons account can now use those credentials with Globus to access resources and services. This integration is the result of a partnership between the NIH CIT and Globus, a division of the University of Chicago that provides data management capabilities—including managed data transfer and sharing—to research organizations.

When a researcher visits Globus, he or she will be able to login using eRA Commons credentials thanks to the OpenID Connect protocol. This new NIH capability provides greater flexibility and can be rapidly adopted and extended to support other integration partners in the future.