Developer Guide

This guide provides recommendations for ACCESS staff and resource providers when integrating with ACCESS identity management services. The goal is to provide a uniform and consistent process for users to sign in across ACCESS web sites.

Apps

Please see the app registration page for details on registering a web application for ACCESS authentication.

SSO

ACCESS identity management services provide single sign-on (SSO) for registered web applications. Once a user has logged in to ACCESS in their web browser, they should not be prompted again for their password or Duo MFA for 18 hours.

ACCESS uses an access_ci_sso cookie as a hint that a user has logged in to ACCESS, and uses the absence of the access_ci_sso cookie as a hint that the user has logged out of ACCESS. The cookie is scoped to the access-ci.org domain, so it is visible to every subdomain under access-ci.org. ACCESS sites set the cookie upon successful login and clear the cookie on logout. The cookie has an 18-hour lifetime to match the ACCESS SSO session length. On logout, ACCESS sites should also initiate a CILogon session logout. See the Logout section below for details.

This allows other ACCESS sites to begin the login process automatically on first page load when the cookie is set; because of SSO, that login should complete seamlessly, without the user clicking the “Login with ACCESS” button or re-entering their password or Duo MFA. The cookie carries no information beyond the fact that a login succeeded recently: it is only a hint that an automatic login attempt would likely proceed without user input, and it never contains credentials.

After the user has logged in, sites should check on subsequent page loads whether another site has removed the cookie, which indicates that the user initiated logout on another ACCESS site. Because logout should be consistent across all ACCESS sites, removal of the cookie should trigger a local logout at each ACCESS site.

In summary:

  • If the access_ci_sso cookie is present and the user isn’t logged in to the local site, trigger a login flow.
  • If the access_ci_sso cookie is absent and the user is logged in to the local site, trigger a logout flow.
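As an added illustration (not code from the ACCESS project), here is a framework-agnostic Python sketch of the two rules above together with the Set-Cookie values a site would emit on login and logout. The cookie value of 1, the Secure and SameSite=Lax attributes, and the sso_attempted session flag are assumptions made for this example.

```python
"""Added example: access_ci_sso hint-cookie handling for an ACCESS web app."""
from http.cookies import SimpleCookie

SSO_COOKIE = "access_ci_sso"
SSO_DOMAIN = ".access-ci.org"      # readable by every access-ci.org subdomain
SSO_TTL_SECONDS = 18 * 60 * 60     # 18 hours, matching the ACCESS SSO session length


def sso_cookie_present(cookie_header: str) -> bool:
    """Parse the request's Cookie header and report whether the hint cookie is set."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return SSO_COOKIE in jar and jar[SSO_COOKIE].value != ""


def next_action(cookie_header: str, local_session: dict) -> str:
    """Decide what the local site should do on this page load.

    local_session is the site's own server-side session. 'user' is set only
    after a completed OpenID Connect login; the hint cookie never authorizes
    anything by itself. 'sso_attempted' (an assumed flag name) prevents a
    redirect loop if the automatic login returns an error response instead of
    a session; clear it after a successful login.
    """
    hinted = sso_cookie_present(cookie_header)
    logged_in = "user" in local_session
    if hinted and not logged_in and not local_session.get("sso_attempted"):
        return "login"    # start the OIDC flow; SSO should complete it silently
    if not hinted and logged_in:
        return "logout"   # another ACCESS site cleared the hint: log out locally
    return "none"


def set_sso_cookie() -> str:
    """Set-Cookie header value to emit after a successful login."""
    return (f"{SSO_COOKIE}=1; Domain={SSO_DOMAIN}; Path=/; "
            f"Max-Age={SSO_TTL_SECONDS}; Secure; SameSite=Lax")


def clear_sso_cookie() -> str:
    """Set-Cookie header value to emit on logout (Max-Age=0 deletes the cookie).

    The site should also initiate the CILogon session logout at this point.
    """
    return f"{SSO_COOKIE}=; Domain={SSO_DOMAIN}; Path=/; Max-Age=0; Secure; SameSite=Lax"
```

The local OpenID Connect session remains the only source of truth for who the user is; the cookie only decides whether to start or end that session.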

Logout

When a user selects logout on an ACCESS site, the site should:

This will ensure that SSO sessions are terminated consistently across ACCESS sites.

Errors

Web applications using ACCESS SSO should be prepared to handle a standard OpenID Connect Authentication Error Response, which is delivered to the registered redirect_uri with error and error_description parameters instead of an authorization code. To generate an error response for testing purposes, use a response_type=error parameter. For example: https://cilogon.org/authorize?client_id=cilogon%3A/client_id/447a035ef16030a50c48dad48d64e645&response_type=error&scope=openid&redirect_uri=https%3A//operations.access-ci.org/openid-connect/accessci

Links

We recommend the following text/links when incorporating additional ACCESS identity management functionality into your web sites.

Please use the links listed above, and do not link directly to https://registry.access-ci.org.