MUNI Unified Login


Information for Web Server Administrators

MUNI Unified Login is an identity provider that verifies user names, passwords, and other user data, and makes the selected information available to you. This allows you to control access to your web service without having to manage user accounts by yourself.

Information about the User

The identity provider performs user authentication and can also supply additional information about the user, which can be used to personalize the service or for access control. Information about the user is obtained from the university's internal information systems, i.e. it is verified and kept up to date. To protect the privacy and security of users, user passwords are never made available to your service. Your service receives only the personal data that is necessary for its operation.

Scopes

One "scope" entitles the client to obtain one or more so-called "claims"; for details, see the OIDC specification.

In addition to the standard scopes defined by the OIDC specification (openid, profile, email), MUNI Unified Login also provides some non-standard scopes and claims, such as eduperson_entitlement, as well as scopes that carry no claims but permit certain operations, such as offline_access. For more information, see the OAuth 2.0 specification.

openid
Name: openid
Description: Unique, non-recycled user identifier in the form UČO@muni.cz
Claims:
sub: 1234@muni.cz

profile
Name: profile
Description: Personal profile; preferred_username contains the UČO
Claims:
name: John Doe
given_name: John
middle_name:
family_name: Doe
preferred_username: 1234
email
Name: email
Description: The user's e-mail address
Claims:
email: email@example.org

eduperson_entitlement
Name: eduperson_entitlement
Description: List of groups of which the user is a member and which are assigned to the service, merged with the list of groups received from the IdP. The value syntax follows the AARC recommendation: <NAMESPACE>:group:<GROUP>[:<SUBGROUP>*][:role=<ROLE>]#<GROUP-AUTHORITY>
Claims:
eduperson_entitlement: [urn:geant:muni.cz:group:MU#idm.ics.muni.cz, urn:geant:muni.cz:group:MU:workplaces:UVT#idm.ics.muni.cz]

offline_access
Name: offline_access
Description: Allows a refresh token to be issued

Access Control Based on User Group Membership

Define the group you want to create and who its members will be, then assign that group to the single sign-on service. Only members of this group will be granted access to the service.
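The following is an added example, not code from MUNI Unified Login: it parses eduperson_entitlement values in the AARC syntax given in the Scopes section above and implements the group-membership check described here, using the two sample values the page shows as constructed input. It assumes that a required group must match the claim value's namespace, group and group authority exactly, and (only when parent_of_subgroup=True) that membership of a subgroup implies membership of its parent group, which is an AARC convention and not stated on this page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple
# AARC syntax from the page: <NAMESPACE>:group:<GROUP>[:<SUBGROUP>*][:role=<ROLE>]#<GROUP-AUTHORITY>
_ENTITLEMENT_RE = re.compile(
    r"^(?P<namespace>[^#]+?):group:(?P<path>[^#]+?)"
    r"(?::role=(?P<role>[^:#]+))?#(?P<authority>[^#]+)$"
)

@dataclass(frozen=True)
class Entitlement:
    namespace: str
    group: str
    subgroups: Tuple[str, ...]
    role: Optional[str]
    authority: str

def parse_entitlement(value: str) -> Entitlement:
    """Split one eduperson_entitlement value into its AARC components."""
    m = _ENTITLEMENT_RE.match(value)
    if not m:
        raise ValueError(f"not an AARC group entitlement: {value!r}")
    path = m.group("path").split(":")
    return Entitlement(m.group("namespace"), path[0], tuple(path[1:]),
                       m.group("role"), m.group("authority"))

def is_member(claim: Iterable[str], required: str, parent_of_subgroup: bool = False) -> bool:
    """True if a claim value grants membership of `required`. Namespace, authority
    and group must match exactly (a same-named group from another authority is a
    different group); a role in `required` must match too. parent_of_subgroup=True
    lets subgroup membership count for the parent (AARC convention; an assumption)."""
    want = parse_entitlement(required)
    for raw in claim:
        try:
            have = parse_entitlement(raw)
        except ValueError:
            continue  # unparseable values never grant anything
        if (have.namespace, have.authority, have.group) != (want.namespace, want.authority, want.group):
            continue
        if want.role is not None and have.role != want.role:
            continue
        if have.subgroups == want.subgroups:
            return True
        if parent_of_subgroup and have.subgroups[:len(want.subgroups)] == want.subgroups:
            return True
    return False
# Constructed sample: the two values the page shows in the eduperson_entitlement claim
SAMPLE_CLAIM = ["urn:geant:muni.cz:group:MU#idm.ics.muni.cz",
                "urn:geant:muni.cz:group:MU:workplaces:UVT#idm.ics.muni.cz"]
```

Call is_member(id_token_claims["eduperson_entitlement"], REQUIRED_GROUP) in your authorization layer and deny access on False; never match on the group name alone, because the authority suffix is what ties the group to the issuing identity management system.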

Test Environment

Once your application is approved, we will give you, as administrators, time-limited access to a test environment that is identical to the production environment but runs on a different IP address. Access is limited to 1 month, but it can be extended. After testing, we will arrange a simple transition to the production environment.

Instructions
