CILogon (https://cilogon.org) enables users to authenticate with their home organization and obtain a certificate for secure access to CyberInfrastructure (CI). CILogon also provides a gateway from campus SAML authentication to the OIDC protocol used by CI. More information about using campus authentication for access to CI, including the role that the CILogon Service plays, is provided in the Roadmap for Using NSF Cyberinfrastructure with InCommon.
The CILogon 2.0 project (January 2016 - December 2018) is integrating the CILogon Service with COmanage for collaborative organization management.
The CILogon Service is a member of InCommon, a federation of over 200 universities, agencies, and organizations. Many of these organizations maintain an authentication service to provide their users with web single sign-on. An InCommon member organization can partner with the CILogon Service to provide user information for the purpose of issuing certificates. These certificates can then be used for accessing cyberinfrastructure resources.
The CILogon Service is implemented by a web application, with a back-end MyProxy CA, that uses InCommon (SAML) for authentication. Users authenticate to CILogon via the SAML protocol using their campus credentials. The InCommon federation publishes public keys for identity providers (i.e., campuses) and service providers (i.e., CILogon) so they can trust each other. CILogon takes the user information (name, email, unique ID) from the SAML assertion issued by the campus, asks the MyProxy CA to issue a certificate containing that information, and delivers the certificate to the user. CILogon provides a few different interfaces for issuing certificates: web browser, command-line, and OAuth/OIDC. Via the OIDC interface, CILogon can issue JSON ID tokens instead of or in addition to X.509 certificates.
Select an identity provider from the list at https://cilogon.org, then click the "Log On" button. Your web browser will be redirected to your identity provider's login page. After you authenticate with your identity provider as you typically would, your web browser will be redirected back to CILogon. Then you will be able to obtain a certificate for use with cyberinfrastructure resources.
If you don't have an account with any of the organizations listed at https://cilogon.org, please make a request for your organization to appear in the list of available organizations. Identity Provider administrators can view the InCommon Participant Operational Practices document for the CILogon Service and then test and add their identity provider to the CILogon Service according to the procedure for adding a new identity provider.
See the InCommon Participants page for the most up-to-date information on InCommon federation membership. If your university is not yet a member of InCommon, contact us and we can work together to encourage your university IT group to join. If your university is a member, check the InCommon Identity Providers listing to see if your university operates an identity provider.
Yes, the CILogon Service supports the use of OpenID in addition to InCommon authentication. Many users have an OpenID account without even knowing it. For example, you can use your Google account for OpenID authentication. However, the certificates issued to OpenID users may be accepted by fewer cyberinfrastructure resource providers than those issued to InCommon users (see the Relying Parties page for details).
Yes, as part of InCommon becoming operational with eduGAIN, CILogon will begin to accept international identity providers in 2016.
Due to CILogon's accreditation by the Interoperable Global Trust Federation, CILogon certificates are accepted by many CI projects. For the current status of CILogon certificate use, please see http://ca.cilogon.org/rp and/or contact firstname.lastname@example.org.
Certificates issued by the CILogon Service (https://cilogon.org) are standard RFC 5280 X.509 end entity certificates, specifically designed to work with the wide variety of software packages that already support certificates. For specific tips and pointers for using CILogon certificates with different applications, see the Using Certificates page.
See the CILogon CA Downloads page.
The CILogon Service (https://cilogon.org) supports browser-based authentication methods (InCommon and OpenID) for obtaining certificates. Once you have downloaded your certificate, you can use it outside your web browser. The CILogon Service also supports the SAML Enhanced Client Profile (ECP) for non-browser access, for those identity providers that support it. Please see http://www.cilogon.org/ecp for details.
The go.teragrid.org service (retired in 2013) supported campus login to TeraGrid by issuing certificates based on InCommon authentication to users with an active TeraGrid account. The CILogon Service (https://cilogon.org) issues certificates to any CyberInfrastructure user, not just TeraGrid users. CILogon is now supported by XSEDE, the follow-on to TeraGrid.
The CILogon Service (https://cilogon.org) issues certificates valid for up to 13 months (9516 hours) according to IGTF guidelines.
CILogon certificate revocation lists (CRLs) are published at http://crl.cilogon.org/. We recommend caching CILogon CRLs for no longer than one day. If for any reason you require a certificate to be revoked, please contact email@example.com.
Your certificate subject is displayed at https://cilogon.org after you log in. This is your identity, and it should generally stay the same over time. However, if you change your identity provider or if your identifying information changes (e.g., your name or email address changes), CILogon will generate a new certificate subject for you. When this happens, CILogon will show a page that says, "Your new certificate subject is..." Then when you use your new certificate at other sites, the sites may have difficulty identifying you, because they knew your old certificate subject but not your new one. You will likely need to re-register your certificate subject with the sites you use. For this reason, we strongly recommend that you always use the same identity provider when accessing CILogon, rather than switching between different identity providers. We also recommend to anyone relying on certificates from CILogon (or elsewhere) that they plan for the situation where a person has different certificate subjects (i.e., multiple identities) and provide the ability for people to associate multiple identities with the same "account" at a site or service.
Yes, after you log on at https://cilogon.org, enter a password for protecting your private key and click the "Get New Certificate" button. This will provide a link to your certificate, which you can select with your right mouse button to download to your computer.
Yes, after you log on at https://cilogon.org and click the "Get New Certificate" button, simply click the link to your certificate and private key when it appears. In most cases this should automatically load your certificate into your browser (Firefox users: please see Using P12 Files with Firefox).
Yes, see Portal Delegation for details.
Where can I find technical and policy information about the CILogon Certification Authorities (CAs)?
Technical and policy information about the CILogon CAs is published at http://ca.cilogon.org.
Thank you for helping to spread the word about CILogon. Logos and buttons are available at https://cilogon.org/example.
CILogon is primarily focused on issuing certificates for people, rather than computers. We recommend obtaining host or server certificates from other CAs in the Interoperable Global Trust Federation or from the InCommon Cert Service. The OSG CA uses CILogon as a back-end service.
The CILogon Service (https://cilogon.org) and the InCommon Certificate Service both launched in 2010 and currently have no formal relationship. The CILogon Service is focused on providing user certificates meeting the needs of cyberinfrastructure projects using federated authentication according to Interoperable Global Trust Federation standards, while the InCommon Certificate Service provides certificates from a commercial CA and currently does not support federated authentication (i.e., the InCommon SAML Federation and the InCommon Certificate Service are independent systems). The InCommon IGTF Server CA provides IGTF accredited server certificates, whereas CILogon provides IGTF accredited user certificates.
The primary method of authenticating to the CILogon Service is via the USA's national InCommon Federation. However, the CILogon Service is open to all users, including those outside the USA. The CILogon Service accepts OpenID authentication (via the Google identity provider). Also, as part of InCommon becoming operational with eduGAIN, CILogon will begin to accept international identity providers in 2016.
We actively participate in the Interoperable Global Trust Federation (IGTF), through The Americas Grid Policy Management Authority (TAGPMA), to enable international certificate interoperability. The CILogon Silver CA and CILogon Basic CA are accredited by IGTF, enabling acceptance by CI projects worldwide. Likewise, other IGTF-accredited CAs around the world interoperate with CI in the USA. For example, the TERENA Certificate Service supports CI users in Europe.
Additionally, international interoperability between national research federations is an active work area for the REFEDs collaboration.
Visit https://cilogon.org/testidp/. You will be prompted to authenticate at your campus identity provider (in some cases after selecting your campus from the list at the InCommon "where are you from" page). If your authentication is successful, the CILogon Service will display a page indicating whether your campus identity provider made the required attributes available for you, and if applicable, you will have the option to add your campus identity provider to the drop-down list on the CILogon Service (https://cilogon.org) front page.
Most CILogon preferences (such as your choice of identity provider) are set in browser cookies. Visit https://cilogon.org/me/ to manage your CILogon browser cookies.
The CILogon Service is an InCommon member. Our SAML metadata is published by InCommon at http://md.incommon.org/InCommon/InCommon-metadata.xml. See https://www.incommon.org/federation/metadata.html for more details.
The CILogon Service (https://cilogon.org) provides a bridge from campus authentication, via the InCommon Federation, to certificate-based and OIDC-based research cyberinfrastructure (CI).
Much CI today is certificate-based, because certificates are a powerful, well-established, standard authentication mechanism. A wide variety of software supports certificates (see the Using Certificates page), and certificates support many usage modes, including web browser, email client, command-line client, non-interactive workflows, and delegation (via RFC 3820 proxy certificates). The scientific community has made a significant investment in certificate-based infrastructures.
Using the InCommon Federation and campus authentication means that CI users and providers don't need to manage CI-specific passwords. While federated authentication may be an unfamiliar technology, it can simplify the management and provisioning of user credentials. Rather than deploying another identity management system to meet a specific CI need, we can work together to improve the capabilities provided by the InCommon Federation to the benefit of the national academic community. The InCommon Federation is well-established, is growing, and builds on the high-quality, local identity management processes already present on university campuses serving the academic research community. Using common security mechanisms such as federated authentication and certificates can also enable collaborations across CI providers and internationally.
Also, CI that supports the OpenID Connect (OIDC) protocol for authentication can use CILogon as a bridge from campus SAML authentication.
We recommend evaluating whether to accept campus authentication directly via the InCommon Federation or to use CILogon as an intermediary according to your particular circumstances. We'd be happy to discuss with you whether CILogon is a good fit for your needs.
The CILogon Service (https://cilogon.org) uses open source software from the GridShib and MyProxy projects, with source code and software downloads hosted at SourceForge. You could use this software to deploy your own instance(s) of the CILogon Service, customized for your needs. However, the CILogon project has already invested in providing a reliable, professionally managed, TAGPMA/IGTF accredited service at https://cilogon.org, which we recommend that CI projects use rather than duplicating our operational effort. As always, we'd be happy to discuss different hosting options with you.
Please see: Outages
Please subscribe to the firstname.lastname@example.org group.
CILogon certificates contain two stable user identifiers that can be used for authorization purposes: the certificate Subject Distinguished Name (DN), and the eduPersonPrincipalName (ePPN) value provided by the user's identity provider.
If the user authenticates with their CILogon certificate when their account is created, you can associate the Subject Distinguished Name and/or ePPN values with the account at creation time. Otherwise, if the user has an existing account, it is necessary to require the user to first authenticate with their existing local account credentials, then authenticate with their CILogon certificate, to establish the binding. For example, the XSEDE User Portal allows users to link their CILogon certificates with XSEDE accounts this way.
Install GSI-OpenSSH. Install the CILogon CA certificates in /etc/grid-security/certificates, either manually from http://ca.cilogon.org/downloads or using the IGTF, OSG, or XSEDE CA certificate distributions. Create local accounts for the users. Add /etc/grid-security/grid-mapfile entries for the users mapping their CILogon certificate subject DNs to their local accounts.
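As an added example (not from cilogon.org), the following POSIX shell functions maintain and look up /etc/grid-security/grid-mapfile entries of the form `"<subject DN>" localuser[,otheruser...]`, the mapping GSI-OpenSSH consults; the DNs in the comments and test are constructed samples, and the mapfile path is a parameter so it can be exercised on a scratch file before touching the real one.

```shell
#!/bin/sh
# Added example: map CILogon certificate subject DNs to local accounts in a
# grid-mapfile and resolve a presented DN to its account list.
# Assumed format (standard grid-mapfile): "<subject DN>" user[,user2...]
# Example DN (constructed, not a real CILogon subject):
#   /DC=org/DC=cilogon/C=US/O=Example University/CN=Jane Doe A12345
set -eu

# gridmap_add DN MAPFILE USER: append a mapping, refusing a second line for a
# DN that is already mapped (a duplicate would make the first match win silently).
gridmap_add() {
    dn=$1; mapfile=$2; user=$3
    touch "$mapfile"
    if grep -qF "\"$dn\" " "$mapfile"; then
        echo "refusing to add duplicate mapping for $dn" >&2
        return 1
    fi
    printf '"%s" %s\n' "$dn" "$user" >> "$mapfile"
}

# gridmap_lookup DN MAPFILE: print the account list mapped to DN, skipping
# blank and '#' comment lines; exit status 1 when the DN is unmapped, which
# is the authorization failure a relying party must treat as "deny".
gridmap_lookup() {
    dn=$1; mapfile=$2
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        # The DN is the quoted prefix; the account list follows the closing quote.
        entry_dn=${line#\"}; entry_dn=${entry_dn%%\"*}
        if [ "$entry_dn" = "$dn" ]; then
            echo "${line##*\" }"
            return 0
        fi
    done < "$mapfile"
    return 1
}
```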
Please see the documentation for the CILogonIdentityProvider option in the Globus Resource Provider Guide. This option uses the eduPersonPrincipalName (ePPN) value provided by your Identity Provider and included in your CILogon certificate to determine the username at the Globus endpoint. Visit https://cilogon.org/testidp/ to verify that your Identity Provider provides the needed ePPN attribute.
No, the CILogon Service uses MyProxy internally, but you don't need additional MyProxy software to use the CILogon Service. The CILogon Service operates its own MyProxy servers configured as CAs to issue certificates based on federated authentication.
Please contact us at email@example.com.