Network Authentication and Authorization Services (NAAS)

**In April 2021, the Network Authentication and Authorization Service will migrate to a new platform. U.S. EPA migrated the TEST environment on April 5. Partners should test their EN data flows and connectivity in the TEST environment and report any issues to the EN Help Desk. EPA plans to migrate the PRODUCTION NAAS environment on the weekend of April 24. See this EN Alert for more details. 


Network Authentication and Authorization Service (NAAS) is a set of shared security services for the Network Nodes, which includes user authentication, identity management, policy management, and access control. NAAS is hosted centrally by EPA and available to all network nodes; however, users and access control policies of a node are managed independently by the node administrator. It can be viewed as the federation of state node security models.

NAAS facilitates single sign on (SSO) in the Exchange Network. Once an account is created by a node administrator, the account can be used to access all Network nodes as long as it is authorized. Once a user is authenticated by NAAS, the user is issued a security token, which is a valid proof of authentication to all nodes. A user account must be unique in NAAS and it is strongly recommended that the user’s email address be used as the account ID.

User Authentication Scheme

NAAS supports many authentication schemes including password, digest, HMAC, XKMS Key and X.509 Certificate authentication. Authentication through WS-Security with X. 509 token is also supported.

For machine-to-machine authentications, NAAS implemented a special mechanism: Secure Authentication Key (SAK). SAK is an encrypted multi-factor credential tied to a machine IP address and a user account. It can be used as the replacement of password for Network Nodes or other web applications.

NAAS Versions and Endpoints

There are two versions of NAAS. NAAS v2.0 is designed for Node v1.1. NAAS v3.0 is designed for Node v2.1. Node v2.1 must use NAAS v3.0 as its security service. NAAS v2.0 user accounts and v3.0 user accounts are compatible. In other words, if you have a Node v1.1 account, it is valid for node v2.1 as well. Technical specifications of NAAS v2.0 and NAAS v3.0 are available from the Exchange Network Help Desk.

The endpoints and WSDLs for NAAS follow:

NAAS v2.0 [Test Environment]

NAAS v2.0 [Production Environment]

NAAS v3.0 [Test Environment]

NAAS v3.0 [Production Environment]

Implementation Tips

For nodes or clients that use Axis toolkit, Axis2 v1.4.1 client uses “transfer-encoding:chunked” in the service request by default. This default transfer-encoding has to be turned off in the Axis2 client to work.