Frequently Asked Questions

What is CILogon?

CILogon (https://cilogon.org) enables researchers to log on to cyberinfrastructure (CI). CILogon provides a gateway from campus SAML authentication to OIDC tokens. CILogon provides an integrated open source identity and access management platform for research collaborations, combining federated identity management (Shibboleth, InCommon) with collaborative organization management (COmanage). Federated identity management enables researchers to use their home organization identities to access research applications, rather than requiring yet another username and password to log on. Collaborative organization management enables research projects to define user groups for authorization to collaboration platforms (e.g., wikis, mailing lists, and domain applications). CILogon implements the AARC Blueprint Architecture and the REFEDS Assurance Framework.

What is CILogon 2.0?

CILogon 2.0 (now available) integrates COmanage into the CILogon platform for collaborative organization management. COmanage services are provided by subscription.

How does CILogon work?

CILogon is a member of InCommon, a federation of universities and other organizations. Many of these organizations maintain an authentication service to provide their users with web single sign-on. An InCommon member organization can partner with the CILogon Service to provide user information for the purpose of accessing cyberinfrastructure.

CILogon is implemented by a web application that uses InCommon (SAML) for authentication. Users authenticate to CILogon via the SAML protocol using their campus credentials. The InCommon federation publishes public keys for identity providers (i.e., campuses) and service providers (i.e., CILogon) so they can trust each other. CILogon takes the user information (name, email, unique ID) from the SAML assertion issued by the campus, optionally adds subscriber-specific information, and issues JSON tokens containing that information via OAuth/OIDC.

How do I use CILogon to obtain an X.509 certificate?

CILogon is retiring our X.509 certificate services. See CILogon X.509 Certificate Retirement Plan for details.

How do I use CILogon for web authentication?

Please see: https://www.cilogon.org/oidc 

What attributes, claims, or scopes does each identity provider support?

See https://www.cilogon.org/oidc for a list of claims and scopes that CILogon supports. CILogon will always provide the sub (subject) and iss (issuer) claims, but no other claims are guaranteed to be provided. Different identity providers will provide different attributes to CILogon. Often, a single identity provider will provide different attributes to CILogon for different users (faculty versus students, for example). 

Why am I not receiving user attributes that I expect?

Please see: What claims can you expect to receive?

How do I use CILogon for JWT (SciTokens, WLCG Tokens, GA4GH Passports) authorization?

Please see: https://www.cilogon.org/jwt 

Which identity provider should I select?

Please see: How to Select an Identity Provider

What identity providers does CILogon support?

CILogon supports InCommon, eduGAIN, Google, GitHub, ORCID, and Microsoft identity providers. Visit https://cilogon.org/ to view the full list of identity providers that CILogon supports.

What should I do if there is a problem with an identity provider?

CILogon staff try to proactively address problems with identity providers, and you are welcome to contact help@cilogon.org for assistance with a specific identity provider, but in most cases, the best course of action is for users to report problems with their campus identity provider via their local IT support channels. CILogon supports over 5000 identity providers around the world, and in our experience, a problem often receives higher priority when it is reported by a local campus member rather than the CILogon team.

Why isn't my identity provider in CILogon's list?

CILogon's list of IdPs (https://cilogon.org/idplist/) comes directly from InCommon federation metadata (https://www.incommon.org/federation/metadata/). In general the list includes all the IdPs registered with InCommon plus all the IdPs that InCommon imports from eduGAIN. An IdP may be missing from the list for the following reasons:

• The IdP is not registered with InCommon or exported to eduGAIN. https://technical.edugain.org/entities and https://www.incommon.org/federation/incommon-federation-entities/ are the places to check.

• The IdP is marked hide-from-discovery. See: https://spaces.at.internet2.edu/x/DQjvCQ

• InCommon dropped the IdP during the eduGAIN import process because it failed a policy check. See: https://spaces.at.internet2.edu/x/YwfvCQ

• CILogon has (temporarily) blocked the IdP (very rare). In this case the IdP will be missing from https://cilogon.org/include/idplist.xml.

Does CILogon support additional SAML identity providers?

Yes, in addition to the IdPs from InCommon and eduGAIN, CILogon subscribers have the option of federating their identity provider directly with CILogon.

Which identity providers support the REFEDS R&S and SIRTFI Standards?

View https://cilogon.org/include/idplist.xml to see which IdPs conform to https://refeds.org/sirtfi and https://refeds.org/category/research-and-scholarship.

What level of assurance does CILogon support?

InCommon and eduGAIN identity providers implement the REFEDS Assurance standard. CILogon can provide the eduPersonAssurance claim to OIDC clients according to this standard.

Additionally, CILogon supports the REFEDS SFA and REFEDS MFA profiles for authentication assurance. CILogon can provide the acr claim to OIDC clients according to these standards.

Unfortunately, there is no listing of which identity providers support these standards or data on assurance adoption across the federations.

CILogon expects identity providers to assert conformance to these assurance profiles without requiring an explicit SAML RequestedAuthnContext from CILogon. CILogon does not use RequestedAuthnContext because it causes errors at many identity providers.

CILogon previously supported the InCommon Silver and InCommon Bronze level of assurance, but those levels are now obsolete and have been replaced by REFEDS Assurance.

What OAuth Providers does CILogon support?

CILogon supports Google, GitHub, ORCID, and Microsoft OAuth Providers.

To the best of our knowledge, none of these Providers support OAuth or OpenID Connect assurance standards.

What is ORCID?

ORCID provides a persistent digital identifier that distinguishes you from every other researcher and, through integration in key research workflows such as manuscript and grant submission, supports automated linkages between you and your professional activities ensuring that your work is recognized. Find out more

How does CILogon use ORCID?

CILogon uses ORCID to allow you to sign into cyberInfrastructure using your ORCID iD. CILogon will confirm your identity using ORCID. If you chose Deny and would like to reconsider, please go back and select ORCID to login. When the authorization screen appears, please choose Authorize. You can revoke access at anytime through your ORCID account settings.

Is my university a member of the InCommon federation?

Visit the InCommon Participants page for the most up-to-date information on InCommon federation membership. If your university is not yet a member of InCommon, contact us and we can work together to encourage your university IT group to join. If your university is a member, check the InCommon Identity Providers listing to see if your university operates an identity provider.

Will CILogon work with international identity providers?

Yes, CILogon accepts international identity providers via eduGAIN.

Do I need to enter my campus password every time I use CILogon?

Both CILogon and campus identity providers set session cookies in your browser to reduce the number of times during the day that you are prompted for your password. Policies vary across campuses, but in general, if you do not close your browser, you should typically only need to log in at to your campus identity provider once per session, providing "single sign-on" across different InCommon services and different uses of CILogon. If you are using a shared computer, be sure to close your browser and log out when you finish your session.

Can I integrate CILogon with my web application or portal?

Yes, see OIDC for details.

Where can I find CILogon logos and buttons for my web site or presentation?

Thank you for helping to spread the word about CILogon. Logos and buttons are available at https://cilogon.org/example.

How do I test that my campus identity provider works with CILogon?

Visit https://test.cilogon.org/testidp/ and select your campus identity provider from the list. If your authentication is successful, the CILogon Service will display a page showing the attributes about you that your campus provided to CILogon.

How can I modify or reset my CILogon preferences?

Most CILogon preferences (such as your choice of identity provider) are set in browser cookies. Visit https://cilogon.org/me/ to manage your CILogon browser cookies.

How can I view and delete browser cookies set by the CILogon?

Visit https://cilogon.org/me/ to manage your CILogon browser cookies. Click the "Delete ALL" button to delete the session and persistent cookies specific to CILogon.

One of my user attributes was deleted at my Identity Provider, but CILogon still asserts the user attribute. Why?

When a user attribute is asserted by an Identity Provider to CILogon, that user attribute is stored in the CILogon database. Database attributes are never erased, only overwritten by new, non-empty values asserted by the Identity Provider. If you would like to remove one of your user attributes from the CILogon database, please contact help@cilogon.org. Note however that this may affect downstream third parties which rely on your user attributes. To view user attributes asserted by your Identity Provider, visit https://test.cilogon.org/testidp/.

Where can I find the SAML metadata for CILogon?

CILogon is an InCommon member. Our SAML metadata is published by InCommon. See https://www.incommon.org/federation/metadata/ for more details. Here is a direct link to the CILogon metadata from InCommon's Metadata Query Service: https://mdq.incommon.org/entities/https%3A%2F%2Fcilogon.org%2Fshibboleth 

Why should I use CILogon?

CILogon (https://cilogon.org) provides a bridge from campus authentication, via the InCommon Federation, to JWT/OAuth/OIDC-based research cyberinfrastructure (CI).

Using the InCommon Federation and campus authentication means that CI users and providers don't need to manage CI-specific passwords. While federated authentication may be an unfamiliar technology, it can simplify the management and provisioning of user credentials. Rather than deploying another identity management system to meet a specific CI need, we can work together to improve the capabilities provided by the InCommon Federation to the benefit of the national academic community. The InCommon Federation is well-established, is growing, and builds on the high-quality, local identity management processes already present on university campuses serving the academic research community. Using common security mechanisms such as federated authentication and certificates can also enable collaborations across CI providers and internationally.

We recommend evaluating whether to accept campus authentication directly via the InCommon Federation or to use CILogon as an intermediary according to your particular circumstances. We'd be happy to discuss with you whether CILogon is a good fit for your needs.

Can I run my own CILogon instance?

CILogon (https://cilogon.org) is Open Source software. All CILogon source code is at https://github.com/cilogon/. You could use this software to deploy your own instance(s) of the CILogon Service, customized for your needs. However, the CILogon project has already invested in providing a reliable, professionally managed, IGTF accredited and REFEDS R&S certified service at https://cilogon.org, which we recommend CI projects to use, rather than duplicating our operational effort. As always, we'd be happy to discuss different hosting options with you.

Can you provide a custom CILogon instance for my project?

CILogon supports customization for more seamless integration with different cyberinfrastructures. Customization options include "skins" (available as part of Essential and Full Service subscriptions) that change the appearance and behavior of the CILogon web site tailored to the needs of specific CI communities. We understand the importance of a consistent look-and-feel for the user experience and that it can be jarring for users to be redirected between a CI project web site, the CILogon web site, and a University authentication site, each with their own color schemes, icons, and layout. Please contact us for more information about customization options.

What CILogon customization options are available?

CILogon "skins" are selected by including a "skin" (or "vo") parameter in the URL. Here are some examples:

• https://cilogon.org/default - The default CILogon interface. Use this URL to reset your skin back to the default.

• https://cilogon.org/?skin=illinois - This skin provides an customized interface for the University of Illinois.

• https://cilogon.org?skin=ooi - This skin provides a customized interface for Ocean Observatories Initiative users. 

• https://cilogon.org?skin=osg - This skin provides a customized interface for Open Science Grid users. 

• https://cilogon.org?skin=xsede - This skin provides a customized interface for XSEDE users. 

How can I customize how CILogon integrates with my application?

For Essential and Full Service subscribers, CILogon supports many customization options including:

• Custom IdP list and default selected IdP

• Custom OIDC claims

• Bypass CILogon IdP selection screen

Please don't hesitate to contact help@cilogon.org to request custom behavior for your application.

How can I be notified of CILogon service outages/downtime?

Please see: Outages

How can I be notified when new identity providers are added to CILogon?

Send email to idp-updates+subscribe@cilogon.org to subscribe to the idp-updates@cilogon.org group. Be sure to allow email from idp-updates@cilogon.org . To unsubscribe, send email to idp-updates+unsubscribe@cilogon.org . Updates typically occur weekdays 3p-4p Central time. 

How does CILogon relate to Globus Auth?

Globus Auth provides identity, profile, and group management as part of the Globus Service Platform. Globus Auth implements InCommon authentication via CILogon's OAuth interface. In this way, cyberinfrastructure such as OSG Connect and DOE KBase gain access to CILogon services by integrating with Globus Auth. Thus, Globus Auth subscribers benefit from CILogon 2.0 enhancements, particularly support for international identity providers. While Globus Auth provides identity linking and group management capabilities, we believe the group management provided by COmanage in the CILogon 2.0 platform introduces added benefits. COmanage provides significant flexibility in enrollment workflows, a robust plugin model, and standard interfaces to LDAP and SAML. Unlike Globus Auth, the CILogon 2.0 platform, including COmanage, is open source.

How do I log out from CILogon?

Go to https://cilogon.org/logout to clear CILogon authentication session cookies from your web browser. You may also be shown a link to optionally log out of your selected Identity Provider. 

My question isn't answered here. How can I get more information?

Please contact us at help@cilogon.org.