Frequently Asked 
Questions

ACCESS Registration

  • Yes, your ACCESS ID is the same as your XSEDE Portal account. Please do not create a new ACCESS ID. You do not need to change your password or your Duo registration during the transition from XSEDE to ACCESS.
  • Select the “ACCESS CI” identity provider to log in with your ACCESS/XSEDE username and password.
  • If you would like to log in to ACCESS using an identity provider other than “ACCESS CI”, you need to link your identity from that other identity provider with your ACCESS ID. Please proceed to theidentity linking page for details.

Logging In & Authentication

  • You can manage Multi-Factor Authentication (MFA) for your ACCESS account athttps://identity.access-ci.org/manage-mfa. This page walks you through updating or managing your Duo Security settings, which many ACCESS services use to provide an additional layer of protection beyond your username and password.
  • If you are having trouble logging in, it may help to click the "Delete ALL" button athttps://cilogon.org/me/to reset your CILogon browser cookies, then try again to log in.
  • Please reviewACCESS RP Documentationfor login details and support contacts for each resource provider.
  • If you’re not able to get assistance directly from the resource provider, pleaseopen a ticket with ACCESS.

Account Management

  • You can view and update your profile by logging into the ACCESS Registry and selecting “Profile: View and edit your profile.” To modify your name or email address, click on the gear icon next to the respective information. If you change your email, you will need to verify it by checking your inbox for a confirmation email.
  • To modify the organization associated with your ACCESS ID, you have two options:
    • Open a support ticket to request the change.
    • Log into ACCESS Allocations and visit your profile under the "Additional Information" section to select a new organization. Note that this change may take up to 24 hours to be reflected.
  • For further details, you can visit: https://operations.access-ci.org/identity/profile-update
  • To link an external account:
    • Log in to the ACCESSCOmanage Registry.
    • Click on your name in the upper-right corner.
    • Select “Link another account” from the dropdown menu.
    • Click the "BEGIN" button on the "Link another account" page.
    • Choose the appropriate identity provider (e.g., university, GitHub, Google, etc.). Do NOT choose "ACCESS CI (XSEDE)".
    • Log in with that provider and follow the prompts to complete the linking process.
  • To unlink an external account:
    • Log in to ACCESS Support.
    • Open a support ticket and provide your ACCESS ID along with details of the linked account you wish to unlink.
    • For detailed instructions and to initiate these actions, you can visit the identity linking page:https://operations.access-ci.org/identity/id-linking.
  • Yes, pleaseopen a ticketindicating which ACCESS ID you want to continue using and which one(s) you want marked as duplicate.
  • You can view and update your SSH Keys by logging into theACCESS Registryand selecting “SSH Key: Manage your SSH keys for Resource Providers.” Click "+ Add SSH Key" in the upper-right corner. Then click the "Browse…" button to select your public SSH key. Finally, click the "UPLOAD" button.
  •  

    Watch Video 
    Introduction to SSH Keys

  • Visithttps://cilogon.org/me/to view the "Session Variables" associated with your authenticated identity, including your selected identity provider.

Support & Troubleshooting

For Resource Providers Only (including identity management developers)

  • By default, when youregister your web application, ACCESS users will be able to log in using any identity provider supported by CILogon that is linked to their ACCESS ID, and the resulting id_token will contain the user’s ACCESS ID (i.e., “sub”: “username@access-ci.org”). This is the recommended configuration, because it allows users to log in without needing an ACCESS-specific username and password.
  • However, if you want to require authentication using the ACCESS CI IdP (e.g., to require ACCESS multi-factor authentication), please contact help@cilogon.org to request this configuration to be applied to your client. Include your registered client_id in your request.
  • When you register an OIDC client with the ACCESS COmanage Registry, is it recommended you use a Named Configuration for “ACCESS OIDC client configuration v1”. This configuration does the following:
  • Registers the followingscopes: openid, email, profile, org.cilogon.userinfo
  • Verifies that OIDC client transactions request the org.cilogon.userinfo scope
  • Checks that the user has an ACCESS account. If so, asserts “username@access-ci.org” in the “sub” claim. If not, redirects the user to an appropriate error page.
  • Checks if the user is in the “AccessDenied” group. If so, redirects the user to an appropriate error page.
  • There is a server-side configuration which automatically applies theACCESS skinfor OIDC clients with a redirect_uri in the access-ci.org domain. This skin changes the CSS for the “Select an Identity Provider” page, and also selects “ACCESS CI” as the initial IdP for new visitors to the site. However, your OIDC client might have a redirect_uri in some other domain. In this case, the ACCESS “skin” would not be applied. To fix this, please contacthelp@cilogon.orgwith your registered client_id and request that the ACCESS “skin” be applied to your client.
  • Yes, please send a list of DNs tohelp@cilogon.org, and the CILogon team can provide the mapping.