Information for Web Server Administrators
MUNI Unified Login is an identity provider that verifies user names, passwords, and other user data and makes the selected information available. This allows you to control access to your web service without having to manage user accounts by yourself.
Information about the User
The identity provider handles user authentication, and it can also supply additional information about the user that can be used to personalize the service or to control access. Information about the user is obtained from internal information systems, so it is verified and kept up to date. To protect the privacy and security of users, your service never has access to user passwords. Only the personal data that your service needs for its operation is provided to it.
In addition to the standard scopes defined by the OIDC specification (openid, profile, email), MUNI Unified Login also provides non-standard claims such as eduperson_entitlement, as well as scopes that carry no claims but enable an operation, such as offline_access. For more information, see the OAuth 2.0 specification.
openid
Name: openid
Description: Unique, non-recycled user identifier, UČO@muni.cz
Claims: sub (example: firstname.lastname@example.org)

profile
Name: profile
Description: Personal profile; preferred_username contains the UČO
Claims: name (John Doe), given_name (John), middle_name, family_name (Doe), preferred_username (1234)

email
Name: email
Description: The user's e-mail address
Claims: email (email@example.com)

eduperson_entitlement
Name: eduperson_entitlement
Description: List of groups of which the user is a member and which are assigned to the service, merged with the list of groups received from the IdP. Values follow the syntax of the AARC recommendation: <NAMESPACE>:group:<GROUP>[:<SUBGROUP>*][:role=<ROLE>]#<GROUP-AUTHORITY>
Claims: eduperson_entitlement (example: [urn:geant:muni.cz:group:MU#idm.ics.muni.cz, urn:geant:muni.cz:group:MU:workplaces:UVT#idm.ics.muni.cz])

offline_access
Name: offline_access
Description: Allows a refresh token to be issued
Claims: none
Access Control Based on User Group Membership
Define the group you want to create and who its members will be, then connect that group to Unified Login. Only members of this group will have access to the service.
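The following is an added example (not code from MUNI Unified Login) of how a service can parse eduperson_entitlement values in the AARC syntax shown above and enforce group-based access on its own side. The sample claims are constructed; the entitlement values mirror the examples on this page, and the check deliberately requires an exact match on namespace, group path and group authority, so membership in a subgroup is not treated as membership in its parent and values from an unexpected authority are not trusted.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of the claims a service might receive (not a real token).
SAMPLE_CLAIMS = {
    "sub": "1234@muni.cz",
    "eduperson_entitlement": [
        "urn:geant:muni.cz:group:MU#idm.ics.muni.cz",
        "urn:geant:muni.cz:group:MU:workplaces:UVT#idm.ics.muni.cz",
        "urn:geant:muni.cz:group:MU:workplaces:UVT:role=admin#idm.ics.muni.cz",
    ],
}

@dataclass(frozen=True)
class Entitlement:
    namespace: str
    path: tuple          # group followed by any subgroups
    role: Optional[str]  # value of the optional ":role=<ROLE>" component
    authority: str       # <GROUP-AUTHORITY> after the '#'

def parse_entitlement(value):
    """Parse <NAMESPACE>:group:<GROUP>[:<SUBGROUP>*][:role=<ROLE>]#<GROUP-AUTHORITY>.

    Returns None for anything that does not match the AARC syntax."""
    m = re.fullmatch(r"(?P<ns>[^#]+?):group:(?P<rest>[^#]+)#(?P<auth>[^#]+)", value)
    if not m:
        return None
    parts = m.group("rest").split(":")
    role = None
    if parts and parts[-1].startswith("role="):
        role = parts.pop()[len("role="):]
    if not parts or any(p == "" for p in parts):
        return None
    return Entitlement(m.group("ns"), tuple(parts), role, m.group("auth"))

def has_group(claims, namespace, path, authority, role=None):
    """True only if some entitlement matches exactly on namespace, full group
    path and authority. A role is required only when the caller asks for one;
    no parent/subgroup membership is inferred."""
    for raw in claims.get("eduperson_entitlement", []):
        ent = parse_entitlement(raw)
        if ent is None:
            continue  # malformed values are ignored, never granted
        if (ent.namespace, ent.path, ent.authority) != (namespace, tuple(path), authority):
            continue
        if role is None or ent.role == role:
            return True
    return False
```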
Once the request is approved, we connect the service to a test environment that is identical to the production environment, but access is limited to administrators only. After testing is complete, we arrange a simple transition to the production environment.
As the administrator of the service, you can choose whether multi-factor authentication is mandatory or optional for users when they log in. Along with the user attributes, you will receive information about whether the user has performed multi-factor authentication. To signal this, we use the REFEDS MFA Profile, the use of which is described in the MFA Profile FAQ.