What is the CILogon Service?

The CILogon Service (https://cilogon.org) allows users to authenticate with their home organization and obtain a certificate for secure access to CyberInfrastructure (CI). More information about using campus authentication for access to CI, including the role that the CILogon Service plays, is provided in the Roadmap for Using NSF Cyberinfrastructure with InCommon.

How does the CILogon Service work?

The CILogon Service is a member of InCommon, a federation of over 200 universities, agencies, and organizations. Many of these organizations maintain an authentication service to provide their users with web single sign-on. An InCommon member organization can partner with the CILogon Service to provide user information for the purpose of issuing certificates. These certificates can then be used for accessing cyberinfrastructure resources.

How do I use the CILogon Service?

Select an identity provider from the list at https://cilogon.org, then click the "Log On" button. Your web browser will be redirected to your identity provider's login page. After you authenticate with your identity provider as you typically would, your web browser will be redirected back to the CILogon Service. Then you will be able to obtain a certificate for use with cyberinfrastructure resources.

Which identity provider should I select?

Please see: How to Select an Identity Provider

What if I don't see my organization listed on the CILogon Service?

If you don't have an account with any of the organizations listed at https://cilogon.org, you can register for a ProtectNetwork UserID. Also, you can make a request for your organization to appear in the list of available organizations. Identity Provider administrators can view the InCommon Participant Operational Practices document for the CILogon Service and then test and add their identity provider to the CILogon Service according to the procedure for adding a new identity provider.

Is my university a member of the InCommon federation?

Visit the InCommon Participants page for the most up-to-date information on InCommon federation membership. If your university is not yet a member of InCommon, contact us and we can work together to encourage your university IT group to join.

Can I use OpenID with the CILogon Service?

Yes, the CILogon Service supports the use of OpenID in addition to InCommon authentication. Many users have an OpenID account without even knowing it. For example, you can use your Google account for OpenID authentication. However, the certificates issued to OpenID users may be accepted by fewer cyberinfrastructure resource providers than those issued to InCommon users (see the Relying Parties page for details).

Where can I use my certificate from CILogon?

We are currently working actively with CI projects (including Open Science Grid, Ocean Observatories Initiative, and DataONE) to enable access using CILogon certificates. At the current time, these efforts are all in a "pilot" phase, as documented at http://ca.cilogon.org/rp. If you are interested in helping with early testing, please contact help@cilogon.org.

How do I use my certificate from CILogon?

The certificates issued by the CILogon Service (https://cilogon.org) are standard RFC 5280 X.509 end entity certificates, specifically designed to work with the wide variety of software packages that already support certificates. For specific tips and pointers for using CILogon certificates with different applications, see the Using Certificates page.

Do I need to use a web browser to get my CILogon certificate?

The CILogon Service (https://cilogon.org) supports browser-based authentication methods (InCommon and OpenID) for obtaining certificates. Once you have downloaded your certificate, you can use it outside your web browser. Recently, the CILogon Service has added experimental support for the SAML Enhanced Client Profile (ECP) for non-browser access. Please see http://www.cilogon.org/ecp for details.

Do I need to enter my campus password every time I use the CILogon Service?

Both the CILogon Service and campus identity providers set session cookies in your browser to reduce the number of times during the day that you are prompted for your password. Policies vary across campuses, but in general, if you do not close your browser, you should typically only need to log in to your campus identity provider once per session, providing "single sign-on" across different InCommon services and different uses of the CILogon Service. If you are using a shared computer, be sure to close your browser and log out when you finish your session.

What is the difference between go.teragrid.org and cilogon.org?

The https://go.teragrid.org/ site supports campus login to TeraGrid by issuing certificates based on InCommon authentication. To use https://go.teragrid.org/, you must have an active TeraGrid account. The CILogon Service (https://cilogon.org) issues certificates to other users of NSF CyberInfrastructure who are not necessarily TeraGrid users. Therefore, if you are a TeraGrid user, we recommend using go.teragrid.org, and if you are not a TeraGrid user, we recommend using cilogon.org. To become a TeraGrid user, contact your local campus champion.

Another difference is that all certificates issued by go.teragrid.org are accredited by the International Grid Trust Federation (IGTF) for worldwide acceptance, whereas cilogon.org can only issue IGTF-accredited certificates for InCommon Silver identities. Other certificates issued by cilogon.org (based on InCommon "basic" or OpenID authentication) are not eligible for IGTF accreditation, due to their lower level of assurance.

What is the validity period (lifetime) of my CILogon certificate?

The CILogon Service (https://cilogon.org) issues certificates valid for up to 13 months according to IGTF guidelines.

Does CILogon support certificate revocation?

Yes, CILogon publishes up-to-date certificate revocation lists (CRLs) at http://crl.cilogon.org/. We recommend caching CILogon CRLs for no longer than one day. If for any reason you require a certificate to be revoked, please contact ca@cilogon.org.

Is it safe to use CILogon certificates on shared systems?

Yes, it is possible to use certificates safely on shared systems. Just be sure to check that any files containing certificates and private keys have proper permissions set (i.e., are not "world readable"). Once you are done using a certificate, it is good practice to remove any copies of the certificate and private key that you have.

Why did my CILogon certificate subject change?

Your certificate subject is displayed at the top of the page at https://cilogon.org after you log in. This is your identity, and it should generally stay the same over time. However, if you change your identity provider or if your identifying information changes (i.e., your name or email address changes), CILogon will generate a new certificate subject for you. When this happens, CILogon will show a page that says, "Your new certificate subject is..." Then when you use your new certificate at other sites, the sites may have difficulty identifying you, because they knew your old certificate subject but not your new one. You will likely need to re-register your certificate subject with the sites you use. For this reason, we strongly recommend that you always use the same identity provider when accessing CILogon, rather than switching between different identity providers.

We also recommend to anyone relying on certificates from CILogon (or elsewhere) that they plan for the situation where a person has different certificate subjects (i.e., multiple identities) and provide the ability for people to associate multiple identities with the same "account" at a site or service.

Can I download a CILogon certificate to my computer?

Yes, after you log on at https://cilogon.org, enter a password for protecting your private key and click the "Get New Certificate" button. This will provide a link to your certificate, which you can select with your right mouse button to download to your computer.

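Once a certificate file has been downloaded to a shared system, the permission advice given earlier (credential files must not be "world readable") can be checked with a short script. This is an added example, not CILogon tooling: the file names are constructed, and failing on any group or other access is a stricter assumption than the FAQ's wording.

```sh
#!/bin/sh
# Added example: audit credential files on a shared system.
# All file names are constructed for the demo, not CILogon defaults.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_cred FILE
# Prints one finding. Returns 0 = private to owner, 1 = exposed,
# 2 = not a regular file that can be checked.
check_cred() {
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo "SKIP  $1 (missing, or a symlink)"; return 2
    fi
    mode=$(mode_of "$1") || { echo "SKIP  $1 (stat failed)"; return 2; }
    if [ ! -O "$1" ]; then
        echo "FAIL  $1 is owned by another user"; return 1
    fi
    if [ $(( 0$mode & 004 )) -ne 0 ]; then
        echo "FAIL  $1 mode $mode is world readable"; return 1
    fi
    # Assumption: a file holding a private key should grant nothing at all
    # to group or other, which is stricter than "not world readable".
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL  $1 mode $mode grants group/other access"; return 1
    fi
    echo "OK    $1 mode $mode"
}

# audit_creds FILE... -> exit status is the number of exposed files.
audit_creds() {
    exposed=0
    for f in "$@"; do
        check_cred "$f" || [ $? -eq 2 ] || exposed=$((exposed + 1))
    done
    return "$exposed"
}

# Demo on constructed files in a scratch directory.
demo_dir=$(mktemp -d)
: > "$demo_dir/exposed.p12"; chmod 644 "$demo_dir/exposed.p12"
: > "$demo_dir/private.p12"; chmod 600 "$demo_dir/private.p12"
audit_creds "$demo_dir/exposed.p12" "$demo_dir/private.p12" \
    || echo "$? file(s) need: chmod 600 <file>"
rm -rf "$demo_dir"   # remove copies once finished, as the FAQ advises
```
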
Can I download a CILogon certificate into my web browser?

Yes, after you log on at https://cilogon.org and click the "Get New Certificate" button, simply click the link to your certificate and private key when it appears. In most cases this should automatically load your certificate into your browser (Firefox users: please see Using P12 Files with Firefox).

What is a CILogon-enabled Application?

Please see: CILogon-enabled Applications.

Can I integrate CILogon with my web application or portal?

Yes, see Portal Delegation for details.

Where can I find technical and policy information about the CILogon Certification Authorities (CAs)?

Technical and policy information about the CILogon CAs is published at http://ca.cilogon.org.

Where can I find CILogon logos and buttons for my web site or presentation?

Thank you for helping to spread the word about CILogon. Logos and buttons are available at https://cilogon.org/example.

Can I get host or server certificates from CILogon?

Currently we are focused on issuing certificates for people, rather than computers. We recommend obtaining host or server certificates from other CAs in the International Grid Trust Federation or from the InCommon Cert Service.

What is the relationship between CILogon and the InCommon Certificate Service?

The CILogon Service (https://cilogon.org) and InCommon Certificate Service both launched in 2010 and currently have no formal relationship. The CILogon Service is focused on providing certificates meeting the needs of cyberinfrastructure projects using federated authentication according to International Grid Trust Federation standards, while the InCommon Certificate Service provides certificates from a commercial CA and currently does not support federated authentication (i.e., the InCommon SAML Federation and the InCommon Certificate Service are independent systems). Jim Basney (CILogon project lead) is actively participating in the development of the InCommon Certificate Service, and we hope to develop a stronger relationship between the CILogon and InCommon certificate services in the future.

How does CILogon interoperate internationally?

The CILogon Service (https://cilogon.org) is primarily intended to serve users of NSF CyberInfrastructure (CI) in the USA. The primary method of authenticating to the CILogon Service is via the USA's national InCommon Federation. However, the CILogon Service is open to all users, including those outside the USA. InCommon member ProtectNetwork provides free accounts that you can use with the CILogon Service. Also, the CILogon Service accepts OpenID authentication.

We actively participate in the International Grid Trust Federation (IGTF), through The Americas Grid Policy Management Authority (TAGPMA), to enable international certificate interoperability. The CILogon Silver CA is accredited by IGTF, enabling acceptance by CI projects worldwide. Likewise, other IGTF-accredited CAs around the world interoperate with CI in the USA. For example, the TERENA Certificate Service supports CI users in Europe.

Additionally, international interoperability between national research federations is an active work area for the REFEDS collaboration.

How do I test that my campus identity provider works with the CILogon Service?

Visit https://cilogon.org/secure/testidp/. You will be prompted to authenticate at your campus identity provider (in some cases after selecting your campus from the list at the InCommon "where are you from" page). If your authentication is successful, the CILogon Service will display a page indicating whether your campus identity provider made the required attributes available for you, and if applicable, you will have the option to add your campus identity provider to the drop-down list on the CILogon Service (https://cilogon.org) front page.

Where can I find the SAML metadata for the CILogon Service?

The CILogon Service is an InCommon member. Our SAML metadata is published by InCommon at http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml. See http://www.incommon.org/metadata.html for more details.

Why should I use the CILogon Service?

The CILogon Service (https://cilogon.org) provides a bridge from campus authentication, via the InCommon Federation, to certificate-based research cyberinfrastructure (CI).

| Location | Description |
|---|---|
| https://cilogon.org/?skin=default | The default CILogon interface. Use this URL to reset your skin back to the default. |
| https://cilogon.org/?skin=all | This skin shows all optional CILogon features. |
| https://cilogon.org/?skin=jws | This skin demonstrates the Java Web Start certificate downloader. |
| https://cilogon.org/?skin=code | This skin demonstrates Activation Codes for CILogon-enabled Applications. |
| https://cilogon.org/?skin=OOI | This skin provides a customized interface for Ocean Observatories Initiative users. |
