Earthdata Login Overview and Policy, v1.2
Earthdata Login is a single sign-on solution for all EOSDIS system components and data services, providing a single mechanism for user registration and profile management. Earthdata Login also helps the ESDIS Project better understand NASA Earth science data users, resulting in an improved user experience and better services.
The key objectives of Earthdata Login are:
- For ESDIS: to enable a greater understanding of end users based on metrics and information provided in user profiles.
- For end users: improved user experience including single sign-on, being able to receive news/notifications on data and services, and (in the future) greater support for customizable interfaces, context awareness, saved preferences, and more. Details about Earthdata Login are available on the Earthdata Developer Portal at https://developer.earthdata.nasa.gov.
For the purpose of this document, several concepts are defined here:
2.1 Registration
“All are welcome. But please tell us something about yourself.”
Registration in the EOSDIS context is a user identifying themselves through a unique ID that allows the ESDIS Metrics System (EMS) and other ESDIS systems to consistently track that user’s data access across EOSDIS applications. ESDIS manages the password requirements for Earthdata Login and is not mandated to enforce NAMS/IdMAX/Launchpad requirements for registration. Earthdata Login only provides support for registration.
2.2 Authentication
“Prove that you are who you say you are.”
Authentication is the process of credibly determining whether someone or something is, in fact, who or what they declare themselves to be. This is usually done by presenting a set of credentials to an authenticating entity, which compares those credentials against a reliable and trusted copy stored in a protected environment. Earthdata Login does not provide NASA-compliant authentication and is not approved for applications requiring authentication.
2.3 Authorization
“All are not welcome. Are you authorized to use this application?”
Authorization is the process of giving someone permission to perform an action or gain access to protected data or informational resources. Earthdata Login does not provide NASA-compliant authorization and is not approved for applications requiring authorization.
2.4 Single Sign-On (SSO)
Earthdata Login provides users with Single Sign-On (SSO) access to a variety of Earthdata applications. A user logs in through Earthdata Login once and can then access multiple Earthdata Login-integrated applications without being prompted separately for each application.
2.5 User Profiles
Every user that creates a profile with Earthdata Login provides at least some information (first name, last name, email address, etc.). This information is collectively called the user profile and the information that it contains is available to applications when a user accesses that application. Users may view or modify their user profiles at any time.
Core information in the user profile currently includes:
In addition, user profiles contain information on whether End User License Agreements (EULAs) have been agreed to or not.
By default, all Earthdata Login applications are automatically authorized to have read access to the core information in a user’s profile. This happens transparently to the user. Individual Earthdata Login applications may require additional information from the user or may make optional fields mandatory. For example, applications providing access to Sentinel data require that the study area (optional by default) be provided. In such cases, authorization is not automatic and the user is required to explicitly agree to authorizing the application. Further, if the additional information is not already in the user’s profile, the user is redirected to their profile management page and instructed to provide the missing information. This includes agreeing to any End User License Agreements (EULAs). The Earthdata Login API provides these capabilities to applications.
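The decision flow just described (automatic read access to core fields, explicit consent for anything more, and a redirect to profile management when required fields or EULAs are missing) can be made concrete as a small decision function. The following is an added illustration and is not the Earthdata Login API or any ESDIS code: the field names, the `AppRequirements`/`Profile` structures, the EULA identifier and the `OPTIONAL_FIELDS` list are assumptions made for the example; the page does not enumerate the core profile fields.

```python
# Added illustration of the profile-authorization decision described above.
# NOT the Earthdata Login API or its code: field names, the descriptors below
# and the EULA identifier are assumptions made for this example.
from dataclasses import dataclass, field

# Core profile fields every integrated application can read by default
# (assumed list; the page does not enumerate the core fields).
CORE_FIELDS = frozenset({"first_name", "last_name", "email"})

# Optional profile fields an application may make mandatory (assumed).
OPTIONAL_FIELDS = frozenset({"study_area", "organization", "country"})


@dataclass(frozen=True)
class AppRequirements:
    """What an integrated application needs beyond the core profile."""
    name: str
    required_fields: frozenset = frozenset()  # optional fields it makes mandatory
    eulas: frozenset = frozenset()            # EULA identifiers the user must accept


@dataclass
class Profile:
    """A user's profile as held by Earthdata Login (simplified)."""
    fields: dict = field(default_factory=dict)         # name -> value; "" is missing
    agreed_eulas: set = field(default_factory=set)
    authorized_apps: set = field(default_factory=set)  # apps the user explicitly authorized


@dataclass(frozen=True)
class Decision:
    action: str                             # "grant", "consent" or "complete_profile"
    readable: frozenset = frozenset()       # profile fields released to the app
    missing_fields: frozenset = frozenset()
    missing_eulas: frozenset = frozenset()


def authorize(app: AppRequirements, profile: Profile) -> Decision:
    """Decide what happens when a user accesses `app`.

    Only core-field apps are authorized transparently. Anything more needs the
    user's explicit consent, and missing data or unaccepted EULAs send the user
    to the profile management page. The application itself never writes the
    profile; only the user does.
    """
    unknown = app.required_fields - CORE_FIELDS - OPTIONAL_FIELDS
    if unknown:
        # Applications may not ask for data outside the profile schema
        # (e.g. PII, ITAR or SBU information; see Section 3.3).
        raise ValueError(f"{app.name} requests disallowed fields: {sorted(unknown)}")

    extra = app.required_fields - CORE_FIELDS
    if not extra and not app.eulas:
        return Decision("grant", CORE_FIELDS)          # automatic, no prompt

    if app.name not in profile.authorized_apps:
        return Decision("consent")                     # user must agree first

    missing = frozenset(f for f in extra if not profile.fields.get(f))
    missing_eulas = frozenset(app.eulas - profile.agreed_eulas)
    if missing or missing_eulas:
        return Decision("complete_profile", frozenset(), missing, missing_eulas)

    return Decision("grant", CORE_FIELDS | extra)


# Constructed sample applications (names and EULA id are invented).
GENERIC_APP = AppRequirements("data-pool")
SENTINEL_APP = AppRequirements("sentinel-download",
                               required_fields=frozenset({"study_area"}),
                               eulas=frozenset({"sentinel-eula"}))


def walk_through():
    """Run one constructed user through each stage; returns the actions seen."""
    user = Profile({"first_name": "Ada", "last_name": "Lovelace",
                    "email": "ada@example.org", "study_area": ""})
    steps = [authorize(GENERIC_APP, user).action,        # grant (core only)
             authorize(SENTINEL_APP, user).action]       # consent
    user.authorized_apps.add("sentinel-download")
    steps.append(authorize(SENTINEL_APP, user).action)   # complete_profile
    user.fields["study_area"] = "Land cover"              # the USER fills it in
    user.agreed_eulas.add("sentinel-eula")
    steps.append(authorize(SENTINEL_APP, user).action)   # grant
    return steps


if __name__ == "__main__":
    print(walk_through())
```

Two design points follow from the policy text: the function returns a redirect decision rather than ever writing to the profile (Section 3.3 reserves profile changes to the user), and requests for fields outside the known profile schema are rejected outright rather than silently passed through, since applications are prohibited from asking for PII, ITAR or SBU information.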
3. ESDIS Policies with Earthdata Login
3.1 Earthdata Login Applications
Earthdata Login only supports user registration for applications deployed or to be deployed within EOSDIS by ESDIS and the DAACs for the purpose of collecting metrics on data access. Applications deployed externally (outside of EOSDIS) need not themselves use Earthdata Login, however, they may be clients of Earthdata Login applications.
3.1.1 Applications that should use Earthdata Login
It is ESDIS policy that all DAAC and ESDIS applications where data from data products are retrieved by humans or machines use Earthdata Login. Such applications must be open to all users without restriction. Note that the requirement for additional user information in the user profile for some data products (e.g. study area for Sentinel data) is not considered a restriction. Such applications include:
- Direct downloads of data via http/https, ftp, or ECS datapools
- Data access to data or streaming data via data services such as OPeNDAP and the GrADS Data Server
3.1.2 Applications that may use Earthdata Login
Some applications that require some form of registration for purposes of identity only (but that are unrestricted and open to all users) may opt to use Earthdata Login as a convenience to users. An example of this is a user support forum.
3.1.3 Applications that should NOT use Earthdata Login
ESDIS policy is that DAAC and ESDIS applications that neither retrieve data from data products nor provide some benefit to registered users (e.g. saving of user preferences) should not use Earthdata Login. Such applications may include:
- Access to general Website information
- Applications that allow users to explore/search/learn about data and tools
- Dataset landing pages
- Access to metadata associated with data
- Access to browse imagery (including full-resolution browse) and other portrayals of data such as plots, graphs, and statistics
3.1.4 Applications that are PROHIBITED from using Earthdata Login
Applications that are prohibited from using Earthdata Login are those that require authentication or authorization because they allow users to alter data on a NASA system or allow access to information that is restricted (e.g. ITAR, SBU). NASA policy requires such applications to instead use NAMS (https://nams.nasa.gov), IdMAX (http://itcd.hq.nasa.gov/idmax.html), Launchpad, or other NASA security compliant systems (http://www.nasa.gov/offices/ocio/launchpad_faq.html). NAMS, IdMAX, and Launchpad are already NASA-compliant and in many cases have their own APIs, workflows, and processes for application onboarding.
It is NASA policy that Earthdata Login not be used for such applications. ESDIS will identify such applications currently using Earthdata Login and require that they be transitioned to NASA security compliant systems.
3.2 Hidden Data
Although EOSDIS data are open to all users, some data products may temporarily be hidden from the general public by limiting access to these products to particular science team or principal investigator team members. This is often the case for products from new missions during initial checkout and for updated versions of existing collections. Such data are not considered restricted from a security standpoint and, hence, NASA security procedures do not apply. As such, ESDIS policy permits Earthdata Login to be used to provide limited access to hidden data.
3.3 Information in User Profiles
ESDIS policy prohibits user profiles from containing any Personally Identifiable Information (PII), International Traffic in Arms Regulations (ITAR) controlled information, or Sensitive But Unclassified (SBU) information, and Earthdata Login applications are prohibited from requesting such information from users. See Section 2.5 for the core information in user profiles.
Because of the added burden to end users, it is ESDIS policy that EULAs only be used when agency, interagency, international, or other formal agreements require them.
ESDIS policy prohibits Earthdata Login applications from modifying user profiles directly. Only users can modify their own profiles.
3.4 User Opt-Out For Being Contacted
ESDIS policy allows users to opt out of being contacted by DAAC or ESDIS personnel at any time and Earthdata Login allows users to invoke the opt-out feature from the user profile management Web page. The opt-out option is presumed waived in cases where users initiate contact (e.g. through joining email lists or by placing an order to be fulfilled).
3.5 Earthdata Login Onboarding Process
ESDIS policy is to provide support only for applications appropriate for Earthdata Login. For applications inappropriate for Earthdata Login or requiring NASA authentication/authorization, ESDIS will share information gained from the transitioning of ESDIS applications (Bamboo, JIRA, Jama) to NAMS/IdMAX/Launchpad with any DAACs that also have to transition their applications.
3.5.1 Onboarding of New Applications
ESDIS must approve the onboarding of all new applications to Earthdata Login. The details of the process are TBD, but the goal will be to make sure that only appropriate applications use Earthdata Login.