Earthdata Login is a single sign-on solution for all Earth Observing System Data and Information System (EOSDIS) system components and data services, providing a single mechanism for user registration and profile management. Earthdata login also helps EOSDIS better understand the usage of EOSDIS services to improve user experience through customization of tools and improvement of services. EOSDIS data are openly available to all and free of charge except where governed by international agreements.
The key objectives of Earthdata Login are:
- For NASA's Earth Science Data and Information Systems (ESDIS) Project: to enable better management of EOSDIS through better understanding of end users. Earthdata Login does this by collecting data access metrics on users based on information provided by them in their profiles.
- For users: to support a number of EOSDIS enterprise-level features including single sign-on, being able to receive news/notifications on data and services, and (in the future) greater support for customizable interfaces, context awareness, saved preferences, and more.
Details about Earthdata Login are available on NASA's Earthdata Developer Portal at https://developer.earthdata.nasa.gov.
For the purpose of this document, several concepts are defined here:
“All are welcome. But please tell us something about yourself.”
Registration in the EOSDIS context is a user identifying him or herself through a unique ID that allows for consistent tracking by ESDIS Metrics System (EMS) and other ESDIS systems of that user’s data access across EOSDIS applications. ESDIS manages the password requirements for Earthdata Login and it is not mandated to enforce NASA Account Management System (NAMS/IdMAX/Launchpad) requirements for registration.
“Prove that you are who you say you are.”
Authentication is the process of credibly determining whether someone or something is, in fact, who or what they declare themselves to be. This is often done through the exchange of a set of credentials with an authorizing entity, which compares those credentials to a reliable and trusted copy stored in a protected environment.
“All are not welcome. Are you authorized to use this application?”
Authorization is the process of giving someone permission to perform an action or gain access to protected data or informational resources.
2.4 Single Sign-On (SSO)
Earthdata Login provides users with Single-Sign-On (SSO) access to Earthdata applications. This enables a user to login via Earthdata Login once and access multiple Earthdata Login-integrated applications without being prompted for each application separately.
2.5 User Profiles
Every user that creates a profile with Earthdata Login provides at least some information (first name, last name, email address, etc.). This information is collectively called the user profile and it is available to applications when a registered user accesses that application. Users may view or modify their user profiles at any time.
Currently, when a user accesses an application for the first time, they must explicitly “authorize” that application. This grants the application access to information in the user’s profile. User profiles currently contain the following information: unique id, first name, last name, middle initial, email address, country, phone, fax, user type (Production User, Science Team, QA Testing User, Data Provider Internal User, Public User), study area (with large drop-down list), organization, and affiliation (Government, Education, Non-profit, or free-form text). Items in bold are mandatory.
Individual Earthdata Login applications may require additional information from the user or require that optional fields be mandatory. For example, applications providing access to Sentinel data require that the study area (optional by default) be provided. If not already in the profile, the user will be redirected to their profile management page and instructed to provide the missing information. Similarly, applications may also require that users agree to an End User License Agreement (EULA). The Earthdata Login API provides these capabilities to applications.
3. ESDIS Policies with Earthdata Login
3.1 Earthdata Login Applications
Earthdata Login only supports EOSDIS user registration for applications deployed within EOSDIS by ESDIS and the DAACs for the purpose of collecting metrics on data access. Applications developed and/or deployed externally (outside of EOSDIS) need not themselves use Earthdata Login, however, they may be clients of Earthdata Login applications.
3.1.1 Applications that should use Earthdata Login
It is ESDIS policy that all Distributed Active Archive Center (DAAC) and ESDIS applications where data from data products are retrieved by humans or machines use Earthdata Login. Such applications must be open to all users without restriction. Note that the requirement for additional user information in the user profile for some data products (e.g. study area for Sentinel data) is not considered a restriction. Such applications include:
- Direct downloads of data via http/https, ftp, EOSDIS Core Systems (ECS) datapools
- Data access to data or streaming data via data services such as Open-source Project for a Network Data Access Protocol (OPeNDAP) and Grid Analysis and Display System (GrADS) Data Server
3.1.2 Applications that may use Earthdata Login
Some applications that require some form of registration for purposes of identity only (but that are unrestricted and open to all users) may opt to use Earthdata Login as a convenience to users. An example of this is a user support forum.
3.1.3 Applications that should NOT use Earthdata Login
ESDIS policy is that DAAC and ESDIS applications that do not retrieve data from data products should not use Earthdata Login. Such applications include:
- Access to general Website information
- Applications that allow users to explore/search/learn about data and tools
- Dataset landing pages
- Access to metadata associated with data
- Access to browse imagery (including full-resolution browse) and other portrayals of data such as plots, graphs, statistics
3.1.4 Applications that are PROHIBITED from using Earthdata Login
Applications that will be prohibited from using Earthdata Login are those that require authentication or authorization because they allow users to alter data on a NASA system or they allow access to information that is restricted (e.g. ITAR, SBU). NASA policy requires such applications to instead use NAMS (https://idmax.nasa.gov/nams/user/), IdMAX (https://idmax.nasa.gov/), Launchpad, or other NASA security compliant systems (http://www.nasa.gov/offices/ocio/launchpad_faq.html). NAMS, IdMAX, and Launchpad are already NASA-compliant and in many cases have their own APIs, workflows, and processes for application on-boarding.
It is NASA policy that Earthdata Login not be used for such applications. ESDIS will identify such applications currently using Earthdata Login and require that they be transitioned to NASA security compliant systems.
3.2 Hidden Data
Although EOSDIS data are open to all users, some data products may temporarily be hidden from the general public by limiting access to these products to particular science team or principle investigator team members. This is often the case for products from new missions during initial checkout and for updated versions of existing collections. Such data are not considered restricted from a security standpoint and, hence, NASA security procedures do not apply. As such, ESDIS policy permits Earthdata Login to be used to provide limited access to hidden data.
3.3 Information in User Profiles
By default, Earthdata Login user profiles contain fields for the following information: first name, last name, middle initial, email address, country, telephone, fax number, user type, study area, organization, and affiliation. Of these, first name, last name, email address, country, and affiliation are mandatory. Earthdata Login applications may specify that that one of the optional fields be mandatory (as is study area for Sentinel data) or specify additional fields that need to be added.
ESDIS policy prohibits user profiles from containing any Personally Identifiable Information (PII), International Traffic in Arms Regulations (ITAR), or Sensitive But Unclassified (SBU) information and Earthdata Login applications are prohibited from requesting such information from users.
3.4 User Opt-Out For Being Contacted
ESDIS policy allows users to opt out of being contacted by DAAC or ESDIS personnel at any time and Earthdata Login allows users to invoke the opt-out feature from the user profile management Web page.
3.5 Earthdata Login Onboarding Process
ESDIS policy is to provide support only for applications appropriate for Earthdata Login. For applications inappropriate for Earthdata Login or requiring NASA authentication/authorization, ESDIS will share information gained from the transitioning of ESDIS applications (Bamboo, JIRA, Jama) to NAMS/IdMAX/Launchpad with any DAACs that also have to transition their applications.
3.5.1 Onboarding of New Applications
ESDIS must approve the onboarding of all new applications to Earthdata Login. The details of the process are TBD, but the goal will be to make sure that only appropriate applications use Earthdata Login.