CILogon 2.0 IAM Online Webinar Jan 17 2pm ET

posted Jan 8, 2018, 7:57 AM by Jim Basney   [ updated Jan 8, 2018, 7:58 AM ]

CILogon 2.0 will be the topic of this month's IAM Online webinar on Wednesday, January 17 at 2pm ET. Jim Basney and Scott Koranda will present the latest updates from the CILogon 2.0 project, highlighting campus use cases, operational experiences/plans, and recent scientific application integration successes. Visit for connection details.

The community webinar calendar is full of interesting webinars this month, including:

CILogon 2.0 CINC UP Webinar - Fri Jun 16 12pm ET

posted Jun 15, 2017, 6:55 AM by Jim Basney   [ updated Jun 15, 2017, 6:56 AM ]

Please join us for a presentation about the CILogon 2.0 service on the Internet2 Collaborative Innovation Community CINC UP webinar on Friday, June 16 at 12pm ET. If you are unable to join in person, a recording will be available, along with the slides, on the CINO Collaborative Innovation Community Wiki.

Adobe Connect Information:
Conference Call Connection Information:
Dial-in: +1-734-615-7474 or +1-866-411-0013
Participant Access Code: 0108581#

Please note that when you call into the phone bridge you will be automatically muted until we open the lines for active participation. Once the phone lines are open please make sure that your computers are muted to avoid feedback.

Log On with ORCID

posted Jun 12, 2017, 9:41 AM by Jim Basney   [ updated Jun 12, 2017, 9:41 AM ]

ORCID provides a persistent digital identifier that distinguishes you from other researchers. Learn more at
Today we added ORCID to the list of identity providers at ORCID is an independent non-profit effort to provide an open registry of unique researcher identifiers and open services to link research activities and organizations to these identifiers. Researchers who do not have a home identity provider that works with CILogon can register for an ORCID iD (if they haven't already) for use with CILogon and many other ORCID-enabled systems.

This is just a first step for CILogon's integration with ORCID. Soon CILogon will also offer the ability for VOs to link ORCID iDs to campus and VO identities using COmanage, as part of our CILogon 2.0 work.

CILogon Supports Sirtfi

posted Apr 17, 2017, 1:34 PM by Jim Basney   [ updated Apr 17, 2017, 1:35 PM ]

CILogon now officially supports the Security Incident Response Trust Framework for Federated Identity (Sirtfi). As part of InCommon's Sirtfi Proof of Concept (see: FAQ), InCommon tagged CILogon as Sirtfi-compliant in federation metadata. Hosted by NCSA at the University of Illinois, CILogon benefits from the operational security and incident response capabilities of NCSA Cybersecurity. CILogon's compliance with Interoperable Global Trust Federation standards helped to prepare for meeting the Sirtfi standards. As a Sirtfi-compliant service provider, CILogon checks for a corresponding tag of Sirtfi-compliance in metadata for identity providers. Visit the eduGAIN Entities Database to see if your identity provider supports Sirtfi. If it does, CILogon thanks you! If not, please don't delay! As always, contact for assistance.

CILogon Service Update

posted Mar 28, 2017, 6:54 AM by Terry Fleury

CILogon is pleased to announce a service update to Changes to the CILogon service include the following.

User-Facing Changes

  • New GitHub Support: You can now use a GitHub account to log on to CILogon. GitHub logons will be issued certificates from the CILogon OpenID CA. For CILogon clients that currently use a 'skin' to prevent the use of Google authentications (e.g., Globus), CILogon will also prevent the use of GitHub authentications. CILogon client administrators can contact to enable GitHub authentications for their ‘skin’ configuration.

  • New Google OAuth2 Library: When using Google as your selected Identity Provider (IdP), if you are signed in to just a single Google Account, you will not be prompted to choose a Google Account.

  • Better Single Sign On Handling: When using an OAuth flow (e.g., from a client such as Globus), the authentication with your chosen IdP is remembered so that future uses of CILogon with that same IdP do not redirect to the IdP.

  • LIGO Secondary IdPs: Users of backup LIGO IdPs (e.g., now appear to CILogon as users of the standard LIGO IdP (i.e., However, LIGO users should not notice any functional difference.

  • OAuth2 Response Mode Handling: For the OAuth 2.0 flow, CILogon now handles response_mode=form_post to support MediaWiki.

  • OAuth2/OpenID Connect (OIDC) Identifier Claim: For the OAuth 2.0 flow, authentications with external OAuth2 IdPs (Google, GitHub) now issue the IdP unique identifier in the "oidc" claim when requesting the "org.cilogon.userinfo" scope.

  • Signed OIDC Tokens: ID tokens are now signed as required by the OpenID Connect specification.

Internal Changes

  • CILogon PHP library code has been refactored to comply with PSR-2 (Coding Style) and PSR-4 (Autoloader) standards. This will enable the CILogon code repository to move from to

  • All third party libraries are now included using PHP Composer. This allows CILogon to (1) specify the version number of the included libraries and (2) easily update to newer library versions as needed.

  • Code comments have been reformatted to be compatible with PHPDoc.

  • Several Java servlet code bugs have been fixed.

Expanding the CILogon IdP List

posted Aug 29, 2016, 11:15 AM by Jim Basney   [ updated Aug 29, 2016, 11:15 AM ]

We'll be expanding the list of identity providers (IdPs) at in September 2016 to include an initial set of international (eduGAIN) IdPs and all InCommon IdPs.

International IdPs

One of the goals of the CILogon 2.0 project is to improve CILogon's support for international research collaborations by supporting international IdPs. Following a TAGPMA policy review in July, CILogon is now ready to begin accepting international IdPs that support the REFEDS Research and Scholarship (R&S) category and the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi). The R&S and Sirtfi prerequisites are in place to satisfy IGTF traceability and uniqueness requirements. Initially this will enable CILogon to support the CERN, Nikhef, and Uppsala Universitet IdPs, which are early adopters of Sirtfi, with more to follow soon. InCommon is also beginning a Sirtfi Proof of Concept effort.

InCommon IdPs

Currently lists over 180 InCommon IdPs. This IdP list has grown steadily since the CILogon service began operation in 2010, as illustrated in the following chart.

These InCommon IdPs have declared support for the Research and Scholarship category and/or have used the "Add Your IdP" button at This represents a subset of the over 400 IdPs operated by InCommon participants. We originally restricted CILogon's IdP list to this subset in an effort to avoid errors such as missing user attributes (i.e., the user's name and email address). However, restricting the IdP list failed to eliminate the errors for a variety of reasons, including differing attribute management policies/procedures across different user categories (faculty, staff, students, alumni, affiliates, etc.). It also made it more difficult for users from other IdPs to log on to CILogon, since they wouldn't find their IdP on the list and would be unsure about using the "Add Your IdP" button.

Therefore, acting on advice from InCommon and REFEDS participants, we've decided to begin listing all InCommon IdPs at, to make it easier for users to attempt to log on with their home IdP. In case of missing user attributes or other problems, we've updated the CILogon error page to provide a link for users to report the problem directly to their IdP operators:

In many cases, the IdP operators can resolve the problem working directly with the user without requiring CILogon operators in the middle. However, is also copied on each message, and we're always glad to help. For CILogon to scale up to hundreds of IdPs, it's important for us to enable self-service troubleshooting by users and IdP operators. The page provides additional troubleshooting information.

Any comments or questions? Please contact us at

CILogon Enables Streamlined InCommon Login to Globus

posted Feb 15, 2016, 6:48 AM by Jim Basney   [ updated Feb 15, 2016, 6:48 AM ]

On February 13, Globus released their new enhanced login method that supports InCommon campus identities via CILogon's OIDC interface. Now Globus users do not need to create a separate Globus username and password for access to Globus services. Instead, Globus users can select their campus identity provider directly from the Globus login screen, taking advantage of CILogon OIDC's new selected_idp parameter. CILogon enables use of InCommon identities throughout the new Globus Auth platform.

CILogon Supports OpenID Connect for Federated Authentication to Cyberinfrastructure

posted Jan 20, 2016, 10:36 AM by Jim Basney   [ updated Jan 20, 2016, 10:36 AM ]

CILogon's new OpenID Connect (OIDC) interface enables cyberinfrastructure (CI), such as Jetstream (via Globus Auth) and Ocean Observatories Initiative, to support federated authentication with InCommon identity providers via a standard, RESTful API. OIDC is a simple authentication layer built on the OAuth 2.0 standard that enables CI to easily connect to CILogon using standard client software (such as mod_auth_openidc).

CILogon's OIDC interface includes an optional getcert endpoint for cases that require X.509 certificates. Otherwise, CILogon clients can use standard OIDC tokens and the standard OIDC userinfo endpoint for authentication without needing to generate RSA keys and X.509 certificate requests or parse X.509 certificates. We believe this is a significant improvement over CILogon's existing OAuth 1.0 interface, in terms of both performance and simplicity, and we encourage CI operators using CILogon's OAuth 1.0 interface to upgrade to OIDC.

Obtaining user consent prior to release of personal information is an important component of CILogon's OIDC interface. CILogon supports multiple scopes to allow clients to request only the information they need. The CILogon consent screen (example below) informs users about what information is being requested by whom. CILogon staff manually review each client registration to ensure that CILogon's OIDC interface is only used by cyberinfrastructure in support of academic research.

For more details on CILogon's OIDC interface, visit and/or contact
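
A relying party's side of the OIDC flow described above, as an added example (not CILogon's or the post authors' code): it builds an authorization request that asks only for the scopes it needs, uses the response_mode=form_post and selected_idp parameters mentioned in the service-update and Globus posts, and checks the state value on the callback. The endpoint, client ID, redirect URI and IdP entity ID are placeholders, not values from this page.

```python
import hmac
import secrets
from urllib.parse import urlencode, parse_qs

# Placeholder endpoint and client values (assumptions, not taken from the page).
AUTHORIZE_URL = "https://op.example.org/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.org/oidc/callback"


def build_auth_request(scopes, selected_idp=None):
    """Return (url, session) for an authorization-code request.

    `session` holds the state and nonce the client must keep server-side
    and later compare against the callback and the ID token.
    """
    session = {"state": secrets.token_urlsafe(32),
               "nonce": secrets.token_urlsafe(32)}
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        # Request only the scopes the application needs; "openid" is mandatory.
        "scope": " ".join(dict.fromkeys(["openid", *scopes])),
        "state": session["state"],
        "nonce": session["nonce"],
        # The authorization response arrives as an HTTP POST body, not in the URL.
        "response_mode": "form_post",
    }
    if selected_idp:
        params["selected_idp"] = selected_idp  # preselects the user's IdP
    return AUTHORIZE_URL + "?" + urlencode(params), session


def handle_form_post(body, session):
    """Parse the form_post callback body; return the code or raise ValueError."""
    form = parse_qs(body, strict_parsing=True)
    if "error" in form:
        raise ValueError("authorization failed: " + form["error"][0])
    for field in ("code", "state"):
        if len(form.get(field, [])) != 1:  # missing or duplicated parameter
            raise ValueError("malformed callback: " + field)
    # Constant-time comparison binds the callback to the request we started.
    if not hmac.compare_digest(form["state"][0].encode(),
                               session["state"].encode()):
        raise ValueError("state mismatch")
    return form["code"][0]
```

The returned code is then exchanged at the token endpoint, and the signed ID token's signature, issuer, audience, expiry and nonce are verified before any claim is trusted.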

CILogon 2.0 - An Integrated Identity and Access Management Platform for Science

posted Jan 13, 2016, 6:59 AM by Jim Basney   [ updated Jan 15, 2016, 1:02 PM ]

We are pleased to announce that the CILogon 2.0 project officially launched on January 1, 2016. The project integrates and expands on the existing open source CILogon and COmanage software to provide an integrated identity and access management (IAM) platform for cyberinfrastructure. The platform combines the federated identity management capabilities of CILogon with the collaborative organization management capabilities of COmanage, with an emphasis on supporting international research collaborations via eduGAIN. The 3 year project, funded by NSF award number 1547268, is a collaboration between NCSA and Spherical Cow Group.

The project team recently met at NCSA for our project kick-off meeting:

As illustrated in the design diagram below, the CILogon 2.0 platform will integrate multiple identity sources (InCommon, eduGAIN, Google, ORCID) and support multiple IAM interfaces for science applications (X.509 certificates, OpenID Connect claims, SAML assertions, LDAP attributes).

Please stay tuned to CILogon News for project updates and contact with any questions.

Growing Support for SAML ECP

posted Mar 11, 2015, 11:10 AM by Jim Basney   [ updated Mar 11, 2015, 11:10 AM ]

Recently, the InCommon identity providers (IdPs) at Clemson University and University of Utah enabled support for SAML ECP ("Enhanced Client or Proxy"), which allows for the exchange of SAML attributes outside the context of a web browser. ECP support is very useful for non-browser cyberinfrastructure applications, such as shell-based access to campus computing clusters. CILogon staff worked with the Clemson and Utah IdP operators to verify that their IdPs' ECP support successfully enables access to CILogon certificate issuance outside the browser. In our experience, enabling ECP in current Shibboleth IdP deployments is a relatively straightforward process. This collaborative effort around SAML ECP was supported in part by the FeduShare project (NSF award 1440609), which is designing a system architecture supporting self-managed collaboration and federation of services for scientific research.

In addition to Clemson and Utah, the list of ECP-enabled IdPs working with CILogon includes: LIGO Scientific Collaboration, LTER Network, University of Chicago, University of Illinois at Urbana-Champaign, University of Michigan, University of Washington, and University of Wisconsin-Madison. If you'd like to use SAML ECP with CILogon, please contact us at
