Frequently Asked Questions
What is CILogon?
CILogon (https://cilogon.org) enables federated access to CyberInfrastructure (CI). CILogon provides a gateway from campus SAML authentication to X.509 certificates and OIDC tokens. More information about using campus authentication for access to CI, including the role that the CILogon Service plays, is provided in the Roadmap for Using NSF Cyberinfrastructure with InCommon. CILogon operations are supported by subscribers.
What is CILogon 2.0?
How does CILogon work?
CILogon is a member of InCommon, a federation of universities and other organizations. Many of these organizations maintain an authentication service to provide their users with web single sign-on. An InCommon member organization can partner with the CILogon Service to provide user information for the purpose of accessing cyberinfrastructure.
CILogon is implemented by a web application, with a back-end MyProxy CA, that uses InCommon (SAML) for authentication. Users authenticate to CILogon via the SAML protocol using their campus credentials. The InCommon federation publishes public keys for identity providers (i.e., campuses) and service providers (i.e., CILogon) so they can trust each other. CILogon takes the user information (name, email, unique ID) from the SAML assertion issued by the campus, asks the MyProxy CA to issue a certificate containing that information, and delivers the certificate to the user. CILogon provides a few different interfaces for issuing certificates: web browser, command-line, and OAuth/OIDC. Via the OIDC (OAuth) interface, CILogon can issue JSON tokens instead of or in addition to X.509 certificates.
How do I use CILogon to obtain an X.509 certificate?
Select an identity provider from the list at https://cilogon.org, then click the "Log On" button. Your web browser will be redirected to your identity provider's login page. After you authenticate with your identity provider as you typically would, your web browser will be redirected back to CILogon. Then you will be able to obtain a certificate for use with cyberinfrastructure resources.
How do I use CILogon for web authentication?
Please see: https://www.cilogon.org/oidc
What attributes, claims, or scopes does each identity provider support?
See https://www.cilogon.org/oidc for a list of claims and scopes that CILogon supports. CILogon will always provide the sub (subject) and iss (issuer) claims, but no other claims are guaranteed to be provided. Different identity providers will provide different attributes to CILogon. Often, a single identity provider will provide different attributes to CILogon for different users (faculty versus students, for example). For more details, please see: What claims can you expect to receive?
How do I use CILogon for JWT (SciTokens, WLCG Tokens, GA4GH Passports) authorization?
Please see: https://www.cilogon.org/jwt
Which identity provider should I select?
Please see: How to Select an Identity Provider
What identity providers does CILogon support?
What should I do if there is a problem with an identity provider?
CILogon staff try to proactively address problems with identity providers, and you are welcome to contact firstname.lastname@example.org for assistance with a specific identity provider, but in most cases, the best course of action is for users to report problems with their campus identity provider via their local IT support channels. CILogon supports over 4000 identity providers around the world, and in our experience, a problem often receives higher priority when it is reported by a local campus member rather than the CILogon team.
Why isn't my identity provider in CILogon's list?
CILogon's list of IdPs (https://cilogon.org/idplist/) comes directly from InCommon federation metadata (https://www.incommon.org/federation/metadata/). In general the list includes all the IdPs registered with InCommon plus all the IdPs that InCommon imports from eduGAIN. An IdP may be missing from the list for the following reasons:
The IdP is not registered with InCommon or exported to eduGAIN. https://technical.edugain.org/entities and https://www.incommon.org/federation/incommon-federation-entities/ are the places to check.
The IdP is marked hide-from-discovery. See: https://spaces.at.internet2.edu/x/DQjvCQ
InCommon dropped the IdP during the eduGAIN import process because it failed a policy check. See: https://spaces.at.internet2.edu/x/YwfvCQ
CILogon has (temporarily) blocked the IdP (very rare). In this case the IdP will be missing from https://cilogon.org/include/idplist.xml.
Does CILogon support additional SAML identity providers?
Yes, in addition to the IdPs from InCommon and eduGAIN, CILogon subscribers have the option of federating their identity provider directly with CILogon. Currently, those additional identity providers are ACCESS CI and Syngenta.
Which identity providers support the REFEDS R&S and SIRTFI Standards?
View https://cilogon.org/include/idplist.xml to see which IdPs conform to https://refeds.org/sirtfi and https://refeds.org/category/research-and-scholarship.
What level of assurance does CILogon support?
InCommon and eduGAIN identity providers implement the REFEDS Assurance standard. CILogon can provide the eduPersonAssurance claim to OIDC clients according to this standard.
Unfortunately, there is no listing of which identity providers support these standards or data on assurance adoption across the federations.
CILogon expects identity providers to assert conformance to these assurance profiles without requiring an explicit SAML RequestedAuthnContext from CILogon. CILogon does not use RequestedAuthnContext because it causes errors at many identity providers.
CILogon previously supported the InCommon Silver and InCommon Bronze level of assurance, but those levels are now obsolete and have been replaced by REFEDS Assurance.
What OAuth Providers does CILogon support?
To the best of our knowledge, none of these Providers support OAuth or OpenID Connect assurance standards.
What is ORCID?
ORCID provides a persistent digital identifier that distinguishes you from every other researcher and, through integration in key research workflows such as manuscript and grant submission, supports automated linkages between you and your professional activities ensuring that your work is recognized. Find out more
How does CILogon use ORCID?
CILogon uses ORCID to allow you to sign into cyberInfrastructure using your ORCID ID. CILogon will confirm your identity using ORCID. If you chose Deny and would like to reconsider, please go back and select ORCID to login. When the authorization screen appears, please choose Authorize. You can revoke access at anytime through your ORCID account settings.
Is my university a member of the InCommon federation?
Visit the InCommon Participants page for the most up-to-date information on InCommon federation membership. If your university is not yet a member of InCommon, contact us and we can work together to encourage your university IT group to join. If your university is a member, check the InCommon Identity Providers listing to see if your university operates an identity provider.
Can I use OpenID with the CILogon Service?
Yes, the CILogon Service supports the use of OpenID in addition to InCommon authentication. Many users have an OpenID account without even knowing it. For example, you can use your Google account for OpenID authentication. However, the certificates issued to OpenID users may be accepted by fewer cyberinfrastructure resource providers than those issued to InCommon users (see the Relying Parties page for details).
Will CILogon work with international identity providers?
Yes, CILogon accepts international identity providers via eduGAIN.
Where can I use my certificate from CILogon?
Due to CILogon's accreditation by the Interoperable Global Trust Federation, CILogon certificates are accepted by many CI projects. For the current status of CILogon certificate use, please see http://ca.cilogon.org/rp and/or contact email@example.com.
How do I use my certificate from CILogon?
The certificates issued by the CILogon Service (https://cilogon.org) are standard RFC 5280 X.509 end entity certificates, specifically designed to work with the wide variety of software packages that already support certificates. For specific tips and pointers for using CILogon certificates with different applications, see the Using Certificates page.
How do I install CILogon CA certificates?
See the CILogon CA Downloads page.
Do I need to use a web browser to get my CILogon certificate?
The CILogon Service (https://cilogon.org) supports browser-based authentication methods (InCommon and OpenID) for obtaining certificates. Once you have downloaded your certificate, you can use it outside your web browser. The CILogon Service also supports the SAML Enhanced Client Profile (ECP) for non-browser access, for those identity providers that support it. Please see http://www.cilogon.org/ecp for details.
Do I need to enter my campus password every time I use the CILogon Service?
Both the CILogon Service and campus identity providers set session cookies in your browser to reduce the number of times during the day that you are prompted for your password. Policies vary across campuses, but in general, if you do not close your browser, you should typically only need to log in at to your campus identity provider once per session, providing "single sign-on" across different InCommon services and different uses of the CILogon Service. If you are using a shared computer, be sure to close your browser and log out when you finish your session.
What is the difference between go.teragrid.org and cilogon.org?
The go.teragrid.org service (retired in 2013) supported campus login to TeraGrid by issuing certificates based on InCommon authentication to users with an active TeraGrid account. The CILogon Service (https://cilogon.org) issues certificates to any CyberInfrastructure user, not just TeraGrid users. CILogon is now supported by XSEDE, the follow-on to TeraGrid.
What is the validity period (lifetime) of my CILogon certificate?
Does CILogon support certificate revocation?
Yes, CILogon publishes up-to-date certificate revocation lists (CRLs) at http://crl.cilogon.org/. We recommend caching CILogon CRLs for no longer than one day. If for any reason you require a certificate to be revoked, please contact firstname.lastname@example.org.
Is it safe to use CILogon certificates on shared systems?
Yes, it is possible to use certificates safely on shared systems. Just be sure to check that any files containing certificates and private keys have proper permissions set (i.e., are not "world readable"). Once you are done using a certificate, it is good practice to remove any copies of the certificate and private key that you have.
Why did my CILogon certificate subject change?
Your certificate subject is displayed at the top of the page at https://cilogon.org after you log in. This is your identity, and it should generally stay the same over time. However, if you change your identity provider or if your identifying information changes (i.e., your name or email address changes), CILogon will generate a new certificate subject for you. When this happens, CILogon will show a page that says, "Your new certificate subject is..." Then when you use your new certificate at other sites, the sites may have difficulty identifying you, because they knew your old certificate subject but not your new one. You will likely need to re-register your certificate subject with the sites you use. For this reason, we strongly recommend that you always use the same identity provider when accessing CILogon, rather than switching between different identity providers. We also recommend to anyone relying on certificates from CILogon (or elsewhere) that they plan for the situation where a person has different certificate subjects (i.e., multiple identities) and provide the ability for people to associate multiple identities with the same "account" at a site or service.
Can I download a CILogon certificate to my computer?
Yes, after you log on at https://cilogon.org, enter a password for protecting your private key and click the "Get New Certificate" button. This will provide a link to your certificate, which you can select with your right mouse button to download to your computer.
Can I download a CILogon certificate into my web browser?
Yes, after you log on at https://cilogon.org and click the "Get New Certificate" button, simply click the link to your certificate and private key when it appears. In most cases this should automatically load your certificate into your browser (Firefox users: please see Using P12 Files with Firefox).
Can I integrate CILogon with my web application or portal?
Yes, see OIDC for details.
Where can I find technical and policy information about the CILogon Certification Authorities (CAs)?
Technical and policy information about the CILogon CAs is published at http://ca.cilogon.org.
How do I obtain a CILogon Silver certificate?
Log on at https://cilogon.org/ and look for "Level of Assurance: Silver" on the certificate download screen. If instead you see "Level of Assurance: Basic" then the authentication attributes from your identity provider do not meet the Silver Policy requirements. To check, visit https://test.cilogon.org/testidp/ and Log On. In the list of SAML Attributes shown, confirm that Level of Assurance contains https://refeds.org/assurance/profile/cappuccino and AuthnContextClassRef contains https://refeds.org/profile/sfa or https://refeds.org/profile/mfa. If it doesn't, look in the list of Metadata Attributes for the Support Contact for your identity provider and contact them for assistance.
In the case of the XSEDE IdP, Level of Assurance will contain https://refeds.org/assurance/profile/cappuccino only if you are on an active allocation as shown at https://portal.xsede.org/allocations/usage.
Where can I find CILogon logos and buttons for my web site or presentation?
Thank you for helping to spread the word about CILogon. Logos and buttons are available at https://cilogon.org/example.
Can I get host or server certificates from CILogon?
CILogon is primarily focused on issuing certificates for people, rather than computers. We recommend obtaining host or server certificates from other CAs in the Interoperable Global Trust Federation or from the InCommon Cert Service. The OSG CA uses CILogon as a back-end service.
What is the relationship between CILogon and the InCommon Certificate Service?
The CILogon Service (https://cilogon.org) and InCommon Certificate Service both launched in 2010 and currently have no formal relationship. The CILogon Service is focused on providing user certificates meeting the needs of cyberinfrastructure projects using federated authentication according to Interoperable Global Trust Federation standards, while the InCommon Certificate Service provides certificates from a commercial CA. The InCommon IGTF Server CA provides IGTF accredited server certificates, whereas CILogon provides IGTF accredited user certificates.
How does CILogon interoperate internationally?
The primary method of authenticating to the CILogon Service is via the USA's national InCommon Federation. However, the CILogon Service is open to all users, including those outside the USA. The CILogon Service accepts OpenID authentication (via the Google identity provider). Also, as part of InCommon becoming operational with eduGAIN, CILogon will begin to accept international identity providers in 2016.
We actively participate in the Interoperable Global Trust Federation (IGTF), through The Americas Grid Policy Management Authority (TAGPMA), to enable international certificate interoperability. The CILogon Silver CA and CILogon Basic CA are accredited by IGTF, enabling acceptance by CI projects worldwide. Likewise, other IGTF-accredited CAs around the world interoperate with CI in the USA. For example, the TERENA Certificate Service supports CI users in Europe.
Additionally, international interoperability between national research federations is an active work area for the REFEDs collaboration.
How do I test that my campus identity provider works with CILogon?
Visit https://cilogon.org/testidp/. You will be prompted to authenticate at your campus identity provider (in some cases after selecting your campus from the list at the InCommon "where are you from" page). If your authentication is successful, the CILogon Service will display a page indicating whether your campus identity provider made the required attributes available for you, and if applicable, you will have the option to add your campus identity provider to the drop-down list on the CILogon Service (https://cilogon.org) front page.
How can I modify or reset my CILogon preferences?
Most CILogon preferences (such as your choice of identity provider) are set in browser cookies. Visit https://cilogon.org/me/ to manage your CILogon browser cookies.
How can I view and delete browser cookies set by the CILogon?
Visit https://cilogon.org/me/ to manage your CILogon browser cookies. Click the "Delete ALL" button to delete the session and persistent cookies specific to CILogon.
One of my user attributes was deleted at my Identity Provider, but CILogon still asserts the user attribute. Why?
When a user attribute is asserted by an Identity Provider to CILogon, that user attribute is stored in the CILogon database. Database attributes are never erased, only overwritten by new, non-empty values asserted by the Identity Provider. If you would like to remove one of your user attributes from the CILogon database, please contact email@example.com. Note however that this may affect downstream third parties which rely on your user attributes. To view user attributes asserted by your Identity Provider, visit https://cilogon.org/testidp/.
Where can I find the SAML metadata for CILogon?
CILogon is an InCommon member. Our SAML metadata is published by InCommon at http://md.incommon.org/InCommon/InCommon-metadata.xml. See https://www.incommon.org/federation/metadata/ for more details. Here is a direct link to the CILogon metadata from InCommon's Metadata Query Service: https://mdq.incommon.org/entities/https%3A%2F%2Fcilogon.org%2Fshibboleth
Why should I use CILogon?
Using the InCommon Federation and campus authentication means that CI users and providers don't need to manage CI-specific passwords. While federated authentication may be an unfamiliar technology, it can simplify the management and provisioning of user credentials. Rather than deploying another identity management system to meet a specific CI need, we can work together to improve the capabilities provided by the InCommon Federation to the benefit of the national academic community. The InCommon Federation is well-established, is growing, and builds on the high-quality, local identity management processes already present on university campuses serving the academic research community. Using common security mechanisms such as federated authentication and certificates can also enable collaborations across CI providers and internationally.
Also, CI that supports the OpenID Connect (OIDC) protocol for authentication can use CILogon as a bridge from campus SAML authentication.
We recommend evaluating whether to accept campus authentication directly via the InCommon Federation or to use CILogon as an intermediary according to your particular circumstances. We'd be happy to discuss with you whether CILogon is a good fit for your needs.
Can I run my own CILogon instance?
CILogon (https://cilogon.org) is Open Source software. All CILogon source code is at https://github.com/cilogon/. You could use this software to deploy your own instance(s) of the CILogon Service, customized for your needs. However, the CILogon project has already invested in providing a reliable, professionally managed, IGTF accredited and REFEDS R&S certified service at https://cilogon.org, which we recommend CI projects to use, rather than duplicating our operational effort. As always, we'd be happy to discuss different hosting options with you.
Can you provide a custom CILogon instance for my project?
CILogon supports customization for more seamless integration with different cyberinfrastructures. Customization options include "skins" (available as part of Essential and Full Service subscriptions) that change the appearance and behavior of the CILogon web site tailored to the needs of specific CI communities. We understand the importance of a consistent look-and-feel for the user experience and that it can be jarring for users to be redirected between a CI project web site, the CILogon web site, and a University authentication site, each with their own color schemes, icons, and layout. Please contact us for more information about customization options.
What CILogon customization options are available?
CILogon "skins" are selected by including a "skin" (or "vo") parameter in the URL. Here are some examples:
https://cilogon.org/default - The default CILogon interface. Use this URL to reset your skin back to the default.
How can I customize how CILogon integrates with my application?
For Essential and Full Service subscribers, CILogon supports many customization options including:
Custom IdP list and default selected IdP
Custom OIDC claims
Bypass CILogon IdP selection screen
Please don't hesitate to contact firstname.lastname@example.org to request custom behavior for your application.
How can I be notified of CILogon service outages/downtime?
Please see: Outages
How can I be notified when new identity providers are added to CILogon?
Send email to email@example.com to subscribe to the firstname.lastname@example.org group. Be sure to allow email from email@example.com . To unsubscribe, send email to firstname.lastname@example.org . Updates typically occur weekdays 3p-4p Central time.
How can I link a user's CILogon certificate to their local account?
CILogon certificates contain two stable user identifiers that can be used for authorization purposes:
The Subject Distinguished Name (for example: "/DC=org/DC=cilogon/C=US/O=University of Illinois at Urbana-Champaign/CN=James Basney A534") is a globally unique identifier that CILogon assigns to the authenticated user. It changes only if the user's name, email address, or campus identifier changes (see "Why did my CILogon certificate subject change?" above).
The eduPersonPrincipalName (ePPN) is the globally unique identifier for the user provided by the campus identity provider. The eduPerson specification provides more details about this identifier. CILogon includes the ePPN in a certificate extension (OID: 18.104.22.168.4.1.5922.214.171.124.6), encoded as ASN.1 UTF8String value.
If the user authenticates with their CILogon certificate when their account is created, you can associate the Subject Distinguished Name and/or ePPN values with the account at creation time. Otherwise, if the user has an existing account, it is necessary to require the user to first authenticate with their existing local account credentials, then authenticate with their CILogon certificate, to establish the binding. For example, the XSEDE User Portal allows users to link their CILogon certificates with XSEDE accounts this way.
How do I configure GSISSH to accept CILogon certificates?
Install GSI-OpenSSH. Install the CILogon CA certificates in /etc/grid-security/certificates, either manually from http://ca.cilogon.org/downloads or using the IGTF, OSG, or XSEDE CA certificate distributions. Create local accounts for the users. Add /etc/grid-security/grid-mapfile entries for the users mapping their CILogon certificate subject DNs to their local accounts.
How do I configure a Globus endpoint for CILogon authentication?
Please see the Globus documentation. Globus endpoints can use the eduPersonPrincipalName (ePPN) value provided by your Identity Provider for authorization. Visit https://cilogon.org/testidp/ to verify that your Identity Provider provides the needed ePPN attribute.
How does CILogon relate to Globus Auth?
Globus Auth provides identity, profile, and group management as part of the Globus Service Platform. Globus Auth implements InCommon authentication via CILogon's OAuth interface. In this way, cyberinfrastructure such as OSG Connect and DOE KBase gain access to CILogon services by integrating with Globus Auth. Thus, Globus Auth subscribers benefit from CILogon 2.0 enhancements, particularly support for international identity providers. While Globus Auth provides identity linking and group management capabilities, we believe the group management provided by COmanage in the CILogon 2.0 platform introduces added benefits. COmanage provides significant flexibility in enrollment workflows, a robust plugin model, and standard interfaces to LDAP and SAML. Unlike Globus Auth, the CILogon 2.0 platform, including COmanage, is open source.
Do I need to run a MyProxy server to use the CILogon Service?
No, the CILogon Service uses MyProxy internally, but you don't need additional MyProxy software to use the CILogon Service. The CILogon Service operates its own MyProxy servers configured as CAs to issue certificates based on federated authentication.
Why does CILogon complain about missing attributes when I log in with ORCID?
CILogon requires Identity Providers to release several attributes about you, in some cases including your name and email address. ORCID enables users to configure their profile to have attributes which are public or private. Typically the "missing attributes" error is caused by your primary email address having private access. You can verify publicly-viewable attributes by going to https://orcid.org/my-orcid and clicking the "Public record print view" link. If you do not see an email address there, you need to change permissions by clicking the pencil icon (🖉) near the "Emails" section. This will pop up a new window which will allow you to change the permissions for your primary email account to be seen by everyone. For example:
Will CILogon receive my email address from ORCID if I set it to "viewable by trusted parties"?
CILogon uses the ORCID Member API and is therefore eligible to request information that it set "viewable to trusted parties" but for privacy reasons we choose not to.
Currently CILogon requests the following permission:
Get your ORCID iD
This allows CILogon to see a user's public email address.
To get an email address set to "viewable by trusted parties" CILogon would need to request something like the following:
Read your limited access information
Asking for a finer grained scope is unfortunately not supported by ORCID.
How do I log out from CILogon?
Go to https://cilogon.org/logout to clear CILogon authentication session cookies from your web browser. You may also be shown a link to optionally log out of your selected Identity Provider.
My question isn't answered here. How can I get more information?
Please contact us at email@example.com.