ACCESS Identity Management - Frequently Asked Questions

Select the “ACCESS CI” identity provider to log in with your ACCESS/XSEDE username and password.

If you would like to log in to ACCESS using an identity provider other than “ACCESS CI”, you need to link your identity from that other identity provider with your ACCESS ID. Please proceed to the identity linking page for details.

Please visit https://cilogon.org/logout to log out of your CILogon session.

If you are having trouble logging in, it may help to click the "Delete ALL" button at https://cilogon.org/me/ to reset your CILogon browser cookies, then try again to log in.

Visit https://cilogon.org/me/ to view the "Session Variables" associated with your authenticated identity, including your selected identity provider.

Yes, visit https://identity.access-ci.org/username-reminder to request a username reminder by email.

Yes, visit https://identity.access-ci.org/password-reset to reset your ACCESS password.

Please visit https://identity.access-ci.org/manage-mfa for instructions on managing your Duo configuration for ACCESS.

ACCESS uses identity providers from CILogon. Please visit https://www.cilogon.org/faq for details.

Please open a ticket to request the change.

Yes, please open a ticket indicating which ACCESS ID you want to continue using and which one(s) you want marked as duplicate.

Please review ACCESS RP Documentation for login details and support contacts for each resource provider.

If you’re not able to get assistance directly from the resource provider, please open a ticket with ACCESS.

By default, when you register your web application , ACCESS users will be able to log in using any identity provider supported by CILogon that is linked to their ACCESS ID, and the resulting id_token will contain the user’s ACCESS ID (i.e., “sub”: “username@access-ci.org”). This is the recommended configuration, because it allows users to log in without needing an ACCESS-specific username and password.

However, if you want to require authentication using the ACCESS CI IdP (e.g., to require ACCESS multi-factor authentication), please contact help@cilogon.org to request this configuration to be applied to your client. Include your registered client_id in your request.

When you register an OIDC client with the ACCESS COmanage Registry, is it recommended you use a Named Configuraton for “ACCESS OIDC client configuration v1”. This configuration does the following:

• Registers the following scopes : openid, email, profile, org.cilogon.userinfo
• Verifies that OIDC client transactions request the org.cilogon.userinfo scope
• Checks that the user has an ACCESS account. If so, asserts “username@access-ci.org” in the “sub” claim. If not, redirects the user to an appropriate error page.
• Checks if the user is in the “AccessDenied” group. If so, redirects the user to an appropriate error page.

There is a server-side configuration which automatically applies the ACCESS skin for OIDC clients with a redirect_uri in the access-ci.org domain. This skin changes the CSS for the “Select an Identity Provider” page, and also selects “ACCESS CI” as the initial IdP for new visitors to the site. However, your OIDC client might have a redirect_uri in some other domain. In this case, the ACCESS “skin” would not be applied. To fix this, please contact help@cilogon.org with your registered client_id and request that the ACCESS “skin” be applied to your client.

Yes, please send a list of DNs to help@cilogon.org, and the CILogon team can provide the mapping.

If you are using mod_auth_openidc , please be sure to configure OIDCSessionInactivityTimeout. Visit https://www.cilogon.org/oidc#h.p_1_IG_eaP90Ty for details.

You may also need to enable Refresh Tokens in your web app registration.