Information for Web Server Administrators
MUNI Unified Login is an identity provider that verifies user names, passwords, and other user data and makes the selected information available. This allows you to control access to your web service without having to manage user accounts by yourself.
Integration with MUNI Unified Login is possible in two ways. The preferred one is OpenID Connect (OIDC), for which many libraries and implementations are available. The details are described below; the next steps are described in How to Connect a Service.
For older applications without OIDC support, and for services that are connected to the eduID.cz federation, it is possible to use SAML2. The technical part of the integration is described in the technical section of eduID.cz. You can then connect the service either to the entire eduID.cz federation (see guide) or only to MUNI Unified Login; in the latter case, proceed in the same way as when connecting the service via OIDC, but choose SAML instead of OIDC during registration and fill in all the necessary details. The available attributes are described on a separate page.
Information about the User
The identity provider authenticates the user and can also provide additional information about the user that your service can use for personalization or access control. Information about the user is obtained from internal information systems, so it is verified and kept up to date. To protect the privacy and security of users, user passwords are never made available to your service. Your service receives only the personal data of the users that it needs for its operation.
Scopes
One "scope" entitles the client to obtain one or more so-called "claims"; for details, see the OIDC specification.
In addition to the standard scopes defined by the OIDC specification (openid, profile, email), MUNI Unified Login also provides some additional, non-standard claims, such as eduperson_entitlement, and scopes that carry no claims but allow certain operations, such as offline_access. For more information, see the OAuth2 specification.
Claims and scopes supported by MUNI Unified Login are described on a separate page.
Access Control Based on User Group Membership
Define the group you want to create and who its members will be, and then link that group to Unified Login. Only members of this group will have access to the service.
Test Environment
Once the request is approved, we connect the service to a test environment that is identical to the production environment but whose access is limited to administrators only. After testing is complete, we arrange a simple transition to the production environment.
Multi-factor authentication
As the administrator of the service, you can choose whether multi-factor authentication is mandatory or optional for users when they log in. Along with the user attributes, you will receive information about whether the user performed multi-factor authentication. To signal this, we use the REFEDS MFA Profile, whose use is described in the MFA Profile FAQ.
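As an added example (not part of this page or of MUNI's own code), here are the two checks a service would make on the claims of a verified ID token: group membership via the eduperson_entitlement claim mentioned under Scopes, and the multi-factor result signalled by the REFEDS MFA Profile. Assumptions: the MFA result arrives in the standard OIDC acr claim with the REFEDS MFA Profile identifier, the entitlement value for your group is a constructed placeholder, and the claims dict comes from an ID token your OIDC library has already signature-verified.

```python
"""Access decision on decoded ID token claims: REFEDS MFA signal plus group entitlement.

The claim names, the entitlement value and the sample tokens below are assumptions and
constructed data for this example; run signature/issuer/audience checks in your OIDC
library before handing claims to authorize().
"""

# REFEDS MFA Profile identifier. Assumption: conveyed in the OIDC "acr" claim, as the
# REFEDS MFA Profile FAQ describes for OIDC relying parties.
REFEDS_MFA = "https://refeds.org/profile/mfa"

# Constructed placeholder for the entitlement value of the group linked to this service.
REQUIRED_ENTITLEMENT = "urn:example:group:my-service-users"


def entitlements(claims):
    """Return eduperson_entitlement as a list; a single value may arrive as a bare string."""
    value = claims.get("eduperson_entitlement", [])
    if isinstance(value, str):
        return [value]
    return list(value)


def performed_mfa(claims):
    """True only if the identity provider asserted the REFEDS MFA profile for this login."""
    return claims.get("acr") == REFEDS_MFA


def authorize(claims, require_mfa):
    """Return (allowed, reason); the reason lets the service log a precise denial."""
    if REQUIRED_ENTITLEMENT not in entitlements(claims):
        return False, "user is not a member of the required group"
    if require_mfa and not performed_mfa(claims):
        return False, "multi-factor authentication required but not asserted"
    return True, "ok"


# Constructed sample claim sets standing in for verified ID token payloads.
SAMPLE_MEMBER_MFA = {"sub": "user-a", "acr": REFEDS_MFA,
                     "eduperson_entitlement": [REQUIRED_ENTITLEMENT, "urn:example:group:other"]}
SAMPLE_MEMBER_NO_MFA = {"sub": "user-a", "eduperson_entitlement": REQUIRED_ENTITLEMENT}
SAMPLE_NON_MEMBER = {"sub": "user-b", "acr": REFEDS_MFA, "eduperson_entitlement": []}

if __name__ == "__main__":
    for name, claims in [("member with MFA", SAMPLE_MEMBER_MFA),
                         ("member without MFA", SAMPLE_MEMBER_NO_MFA),
                         ("non-member", SAMPLE_NON_MEMBER)]:
        print(name, "->", authorize(claims, require_mfa=True))
```

With MFA optional for the service, the second sample is admitted; with MFA mandatory, it is denied even though the user is a group member.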