ACCESS Identity Management - Frequently Asked Questions

For Users

Yes, your ACCESS ID is the same as your XSEDE Portal account. Please do not create a new ACCESS ID. You do not need to change your password or your Duo registration during the transition from XSEDE to ACCESS.

Select the “ACCESS CI” identity provider to log in with your ACCESS/XSEDE username and password.

If you would like to log in to ACCESS using an identity provider other than “ACCESS CI”, you need to link your identity from that other identity provider with your ACCESS ID. Please proceed to the identity linking page for details.

Please visit to log out of your CILogon session.

If you are having trouble logging in, it may help to click the "Delete ALL" button at to reset your CILogon browser cookies, then try again to log in.

Visit to view the "Session Variables" associated with your authenticated identity, including your selected identity provider.

Yes, visit to request a username reminder by email.

Yes, visit to reset your ACCESS password.

Please visit for instructions on managing your Duo configuration for ACCESS.

ACCESS uses identity providers from CILogon. Please visit for details.

Please open a ticket to request the change.

Yes, please open a ticket indicating which ACCESS ID you want to continue using and which one(s) you want marked as duplicate.

Please review ACCESS RP Documentation for login details and support contacts for each resource provider.

If you’re not able to get assistance directly from the resource provider, please open a ticket with ACCESS.

For Admins

By default, when you register your web application , ACCESS users will be able to log in using any identity provider supported by CILogon that is linked to their ACCESS ID, and the resulting id_token will contain the user’s ACCESS ID (i.e., “sub”: “”). This is the recommended configuration, because it allows users to log in without needing an ACCESS-specific username and password.

However, if you want to require authentication using the ACCESS CI IdP (e.g., to require ACCESS multi-factor authentication), please contact to request this configuration to be applied to your client. Include your registered client_id in your request.

When you register an OIDC client with the ACCESS COmanage Registry, is it recommended you use a Named Configuraton for “ACCESS OIDC client configuration v1”. This configuration does the following:

  • Registers the following scopes : openid, email, profile, org.cilogon.userinfo
  • Verifies that OIDC client transactions request the org.cilogon.userinfo scope
  • Checks that the user has an ACCESS account. If so, asserts “” in the “sub” claim. If not, redirects the user to an appropriate error page.
  • Checks if the user is in the “AccessDenied” group. If so, redirects the user to an appropriate error page.

There is a server-side configuration which automatically applies the ACCESS skin for OIDC clients with a redirect_uri in the domain. This skin changes the CSS for the “Select an Identity Provider” page, and also selects “ACCESS CI” as the initial IdP for new visitors to the site. However, your OIDC client might have a redirect_uri in some other domain. In this case, the ACCESS “skin” would not be applied. To fix this, please contact with your registered client_id and request that the ACCESS “skin” be applied to your client.

Yes, please send a list of DNs to, and the CILogon team can provide the mapping.

If you are using mod_auth_openidc , please be sure to configure OIDCSessionInactivityTimeout. Visit for details.

You may also need to enable Refresh Tokens in your web app registration.