Information for Web Server Administrators
MUNI Unified Login is an identity provider that verifies user names, passwords, and other user data and makes the selected information available. This allows you to control access to your web service without having to manage user accounts by yourself.
Information about the User
The identity provider provides user authentication, and it can provide additional information about the user that can be used to personalize the service or access control. Information about the user is obtained from internal information systems, i.e., they are verified and updated. In order to protect the privacy and security of users, your service does not have user passwords available. Only personal data of the users that are necessary for its operation is provided to your service.
Scopes
One "scope" entitles the client to obtain one or more so-called "claims", for details, see the OIDC specification.
In addition to the standard scopes defined by the OIDC specification (openid, profile, email), MUNI Unified Login also provides some other, non-standard claims, such as eduperson_entitlement or scopes without claims, allowing some operations such as offline_access. For more information, see OAuth2 specification.
openid
Název: openid
Popis: Jedinečný, nerecyklovaný identifikátor uživatele UČO@muni.cz
Claims:
sub: 1234@muni.cz
profile
Název: profile
Popis: Osobní profil, preferred_username obsahuje UČO
Claims:
name John Doe
given_name John
middle_name
family_name Doe
preferred_username 1234
email
Název: email
Popis: Email uživatele
Claims:
email email@example.org
eduperson_entitlement
Název: eduperson_entitlement
Popis: Seznam skupin, ve kterých je uživatel členem a jsou na službu přiřazeny, sloučený se seznamem skupin přijatých z IdP. Syntax hodnot dle doporučení AARC - <NAMESPACE>:group:<GROUP>[:<SUBGROUP>*][:role=<ROLE>]#<GROUP-AUTHORITY>
Claims:
eduperson_entitlement [urn:geant:muni.cz:group:MU#idm.ics.muni.cz, urn:geant:muni.cz:group:MU:workplaces:UVT#idm.ics.muni.cz]
offline_access
Název: offline_access
Popis: Možnost vydání refresh tokenuAccess Control Based on User Group Membership
Define what group you want to create, what members it will have, and then join that group to unified login. Only members of this group will have access to the service.
Test Environment
Once the request is approved, we connect the service to a test environment that is identical to the production environment, but access is limited to administrators only. After testing is complete, we arrange a simple transition to the production environment.
Multi-factor authentication
As the administrator of the service, you can choose whether to make multi-factor authentication mandatory or optional for users when they log in. Along with the user attributes, you will receive information about whether the user has performed multi-factor authentication. For signing, we use the REFEDS MFA Profile, the use of which is described in the MFA Profile FAQ.