MUNI Unified Login

Information for Web Server Administrators

MUNI Unified Login is an identity provider that verifies user names, passwords, and other user data and makes the selected information available. This allows you to control access to your web service without having to manage user accounts by yourself.

Information about the User

The identity provider provides user authentication, and it can provide additional information about the user that can be used to personalize the service or access control. Information about the user is obtained from internal information systems, i.e., they are verified and updated. In order to protect the privacy and security of users, your service does not have user passwords available. Only personal data of the users that are necessary for its operation is provided to your service.


One "scope" entitles the client to obtain one or more so-called "claims", for details, see the OIDC specification.

In addition to the standard scopes defined by the OIDC specification (openid, profile, email), MUNI Unified Login also provides some other, non-standard claims, such as eduperson_entitlement or scopes without claims, allowing some operations such as offline_access. For more information, see OAuth2 specification.

Název: openid
Popis: Jedinečný, nerecyklovaný identifikátor uživatele UČ

Název: profile
Popis: Osobní profil, preferred_username obsahuje UČO
name John Doe
given_name John
family_name Doe
preferred_username 1234
Název: email
Popis: Email uživatele

Název: eduperson_entitlement
Popis: Seznam skupin, ve kterých je uživatel členem a jsou na službu přiřazeny, sloučený se seznamem skupin přijatých z IdP. Syntax hodnot dle doporučení AARC - <NAMESPACE>:group:<GROUP>[:<SUBGROUP>*][:role=<ROLE>]#<GROUP-AUTHORITY>
eduperson_entitlement [,]

Název: offline_access
Popis: Možnost vydání refresh tokenu

Access Control Based on User Group Membership

Define what group you want to create, what members it will have, and then join that group to unified login. Only members of this group will have access to the service.

Test Environment

Once the request is approved, we connect the service to a test environment that is identical to the production environment, but access is limited to administrators only. After testing is complete, we arrange a simple transition to the production environment.

Multi-factor authentication

As the administrator of the service, you can choose whether to make multi-factor authentication mandatory or optional for users when they log in. Along with the user attributes, you will receive information about whether the user has performed multi-factor authentication. For signing, we use the REFEDS MFA Profile, the use of which is described in the MFA Profile FAQ.

Related Services

You are running an old browser version. We recommend updating your browser to its latest version.