We recommend that LSST adopt the OpenID Connect (OIDC) standard for Web Single Sign-On (SSO). NCSA's CILogon service provides an OIDC-compliant Web SSO service that is available for testing and integration. See http://www.cilogon.org/oidc for details. Choosing CILogon's LSST "skin" will include the LSST logo on the login page.

The CILogon endpoints are:

The User Info endpoint will return a JSON structure containing claims matching the following example:

{
  "sub": "http://cilogon.org/serverA/users/534",
  "given_name": "James",
  "family_name": "Basney",
  "email": "jbasney@illinois.edu",
  "voPersonExternalID": "148492@github.com",
  "idp_name": "GitHub",
  "idp": "http://github.com/login/oauth/authorize",
  "uid": "jbasney",
  "uidNumber": "25555",
  "isMemberOf": [
    {"name": "lsst_users", "id": 1363},
    {"name": "lsst_int_lspdev", "id": 1618}
  ]
}

The sub claim is the user's unique subject identifier. Please use it to uniquely identify the user in your web application.

The isMemberOf claim contains the user's group memberships, which convey authorization in LSST.

The uid and uidNumber claims contain the user's NCSA username and numeric user ID.

The voPersonExternalID claim contains the external identity linked to the user's NCSA identity (if the user logged in with an external identity provider using Federated Identity).
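As an added example (not code from the original page or from CILogon), the following Python helper parses a UserInfo response shaped like the sample above, keys the user on the sub claim and derives the authorization decision from the isMemberOf group names; the sample response is constructed.

```python
import json

# Constructed sample UserInfo response, shaped like the example on this page.
SAMPLE_USERINFO = json.dumps({
    "sub": "http://cilogon.org/serverA/users/534",
    "given_name": "James",
    "family_name": "Basney",
    "email": "jbasney@illinois.edu",
    "voPersonExternalID": "148492@github.com",
    "idp_name": "GitHub",
    "idp": "http://github.com/login/oauth/authorize",
    "uid": "jbasney",
    "uidNumber": "25555",
    "isMemberOf": [
        {"name": "lsst_users", "id": 1363},
        {"name": "lsst_int_lspdev", "id": 1618},
    ],
})


def parse_userinfo(raw: str) -> dict:
    """Parse a UserInfo JSON body and validate the claims this page relies on.

    Returns the stable subject identifier ('sub'), the set of group names
    from 'isMemberOf', and the optional NCSA/external identifiers.
    Raises ValueError when 'sub' is absent: email, uid and
    voPersonExternalID are informational and must not key the local account.
    """
    claims = json.loads(raw)
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("UserInfo response lacks the required 'sub' claim")
    groups = claims.get("isMemberOf", [])
    if not isinstance(groups, list):
        raise ValueError("'isMemberOf' must be a list of group objects")
    # Keep only well-formed group entries; a user with no groups gets an empty set.
    names = {g["name"] for g in groups
             if isinstance(g, dict) and isinstance(g.get("name"), str)}
    return {
        "sub": sub,
        "groups": names,
        "uid": claims.get("uid"),
        "uid_number": claims.get("uidNumber"),
        "external_id": claims.get("voPersonExternalID"),
    }


def is_authorized(identity: dict, required_group: str) -> bool:
    """Authorization decision: membership in the required LSST group."""
    return required_group in identity["groups"]
```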

Any questions/comments? Please post to our https://lists.lsst.org/mailman/listinfo/iam email list.
