CINXE.COM

FAQs - Authentication and Authorization Service

<!doctype html> <html lang="en" class="no-js"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width,initial-scale=1"> <link rel="icon" href="../../assets/images/favicon.png"> <meta name="generator" content="mkdocs-1.3.1, mkdocs-material-8.5.3"> <title>FAQs - Authentication and Authorization Service</title> <link rel="stylesheet" href="../../assets/stylesheets/main.7a952b86.min.css"> <link rel="stylesheet" href="../../assets/stylesheets/palette.cbb835fc.min.css"> <link rel="stylesheet" href="../../stylesheets/fonts.css"> <link rel="stylesheet" href="../../stylesheets/kuri-kuri.css"> <script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script> </head> <body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none"> <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off"> <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off"> <label class="md-overlay" for="__drawer"></label> <div data-md-component="skip"> <a href="#frequently-asked-questions" class="md-skip"> Skip to content </a> </div> <div data-md-component="announce"> </div> <header class="md-header" data-md-component="header"> <nav class="md-header__inner md-grid" aria-label="Header"> <a href="../.." title="Authentication and Authorization Service" class="md-header__button md-logo" aria-label="Authentication and Authorization Service" data-md-component="logo"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg> </a> <label class="md-header__button md-icon" for="__drawer"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg> </label> <div class="md-header__title" data-md-component="header-title"> <div class="md-header__ellipsis"> <div class="md-header__topic"> <span class="md-ellipsis"> Authentication and Authorization Service </span> </div> <div class="md-header__topic" data-md-component="header-topic"> <span class="md-ellipsis"> FAQs </span> </div> </div> </div> <label class="md-header__button md-icon" for="__search"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> </label> <div class="md-search" data-md-component="search" role="dialog"> <label class="md-search__overlay" for="__search"></label> <div class="md-search__inner" role="search"> <form class="md-search__form" name="search"> <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required> <label class="md-search__icon md-icon" for="__search"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg> </label> <nav class="md-search__options" aria-label="Search"> <button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg> </button> </nav> </form> <div class="md-search__output"> <div class="md-search__scrollwrap" data-md-scrollfix> <div class="md-search-result" data-md-component="search-result"> <div class="md-search-result__meta"> Initializing search </div> <ol class="md-search-result__list"></ol> </div> </div> </div> </div> </div> <div class="md-header__source"> <a href="https://gitlab.cern.ch/authzsvc/docs/authzsvc-docs" title="Go to repository" class="md-source" data-md-component="source"> <div class="md-source__icon md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.2.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg> </div> <div class="md-source__repository"> authzsvc-docs </div> </a> </div> </nav> </header> <div class="md-container" data-md-component="container"> <main class="md-main" data-md-component="main"> <div class="md-main__inner md-grid"> <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" > <div class="md-sidebar__scrollwrap"> <div class="md-sidebar__inner"> <nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0"> <label class="md-nav__title" for="__drawer"> <a href="../.." title="Authentication and Authorization Service" class="md-nav__button md-logo" aria-label="Authentication and Authorization Service" data-md-component="logo"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg> </a> Authentication and Authorization Service </label> <div class="md-nav__source"> <a href="https://gitlab.cern.ch/authzsvc/docs/authzsvc-docs" title="Go to repository" class="md-source" data-md-component="source"> <div class="md-source__icon md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.2.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg> </div> <div class="md-source__repository"> authzsvc-docs </div> </a> </div> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../.." class="md-nav__link"> CERN Authentication and Authorization Services </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" > <label class="md-nav__link" for="__nav_2"> User authentication <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="User authentication" data-md-level="1"> <label class="md-nav__title" for="__nav_2"> <span class="md-nav__icon md-icon"></span> User authentication </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../authentication-options/" class="md-nav__link"> Authentication options </a> </li> <li class="md-nav__item"> <a href="../two-factor-authentication/" class="md-nav__link"> Two factor authentication </a> </li> <li class="md-nav__item"> <a href="../kerberos-authentication/" class="md-nav__link"> Kerberos </a> </li> <li class="md-nav__item"> <a href="../time-limits/" class="md-nav__link"> Time limits </a> </li> <li class="md-nav__item"> <a href="../autologon/" class="md-nav__link"> Autologon </a> </li> <li class="md-nav__item"> <a href="../account-lifecycle/" class="md-nav__link"> Account Lifecycle </a> </li> <li class="md-nav__item"> <a href="../unconfirmed-identities/" class="md-nav__link"> Unconfirmed identities </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--active md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3" type="checkbox" id="__nav_3" checked> <label class="md-nav__link" for="__nav_3"> Securing applications <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Securing applications" data-md-level="1"> <label class="md-nav__title" for="__nav_3"> <span class="md-nav__icon md-icon"></span> Securing applications </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../applications/application-configuration/" class="md-nav__link"> Configuring your application </a> </li> <li class="md-nav__item"> <a href="../../applications/adding-application/" class="md-nav__link"> Adding your application to the service </a> </li> <li class="md-nav__item"> <a href="../../applications/permission-scheme/" class="md-nav__link"> Defining the permissions scheme </a> </li> <li class="md-nav__item"> <a href="../../applications/role-based-permissions/" class="md-nav__link"> Role based permissions (recommended) </a> </li> <li class="md-nav__item"> <a href="../../applications/group-based-permissions/" class="md-nav__link"> Group based permissions </a> </li> <li class="md-nav__item"> <a href="../../applications/sso-registration/" class="md-nav__link"> Registering your application to SSO </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_7" type="checkbox" id="__nav_3_7" > <label class="md-nav__link" for="__nav_3_7"> SAML <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="SAML" data-md-level="2"> <label class="md-nav__title" for="__nav_3_7"> <span class="md-nav__icon md-icon"></span> SAML </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../saml/saml/" class="md-nav__link"> About </a> </li> <li class="md-nav__item"> <a href="../saml/config/" class="md-nav__link"> Configuration </a> </li> <li class="md-nav__item"> <a href="../saml/shibboleth-integration/" class="md-nav__link"> Shibboleth integration </a> </li> <li class="md-nav__item"> <a href="../saml/shibboleth-migration/" class="md-nav__link"> Shibboleth migration from the old SSO </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_8" type="checkbox" id="__nav_3_8" > <label class="md-nav__link" for="__nav_3_8"> OIDC <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="OIDC" data-md-level="2"> <label class="md-nav__title" for="__nav_3_8"> <span class="md-nav__icon md-icon"></span> OIDC </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../oidc/oidc/" class="md-nav__link"> About </a> </li> <li class="md-nav__item"> <a href="../oidc/token-requests/" class="md-nav__link"> Token Requests </a> </li> <li class="md-nav__item"> <a href="../oidc/scopes/" class="md-nav__link"> Scopes </a> </li> <li class="md-nav__item"> <a href="../oidc/config/" class="md-nav__link"> OIDC configuration and usage </a> </li> <li class="md-nav__item"> <a href="../oidc/apache/" class="md-nav__link"> Apache configuration </a> </li> <li class="md-nav__item"> <a href="../oidc/securing-apis/" class="md-nav__link"> Securing APIs </a> </li> <li class="md-nav__item"> <a href="../oidc/api-access/" class="md-nav__link"> API Access </a> </li> <li class="md-nav__item"> <a href="../oidc/exchange-for-api/" class="md-nav__link"> Token Exchange </a> </li> <li class="md-nav__item"> <a href="../oidc/device-code/" class="md-nav__link"> Device Code </a> </li> <li class="md-nav__item"> <a href="../oidc/libraries/" class="md-nav__link"> Suggested libraries </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../../applications/examples/" class="md-nav__link"> Examples </a> </li> <li class="md-nav__item"> <a href="../../applications/qa-environment/" class="md-nav__link"> QA Environment </a> </li> <li class="md-nav__item"> <a href="../../applications/command-line-tools/" class="md-nav__link"> Command line tools </a> </li> <li class="md-nav__item md-nav__item--active"> <input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc"> <label class="md-nav__link md-nav__link--active" for="__toc"> FAQs <span class="md-nav__icon md-icon"></span> </label> <a href="./" class="md-nav__link md-nav__link--active"> FAQs </a> <nav class="md-nav md-nav--secondary" aria-label="Table of contents"> <label class="md-nav__title" for="__toc"> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix> <li class="md-nav__item"> <a href="#are-the-new-tokens-backwards-compatible" class="md-nav__link"> Are the new tokens backwards compatible? </a> </li> <li class="md-nav__item"> <a href="#why-is-my-saml-application-not-working-with-the-new-sso" class="md-nav__link"> Why is my SAML application not working with the new SSO? </a> </li> <li class="md-nav__item"> <a href="#how-can-i-look-up-groups-for-a-user" class="md-nav__link"> How can I look up groups for a user? </a> </li> <li class="md-nav__item"> <a href="#how-do-i-require-2fa-for-my-application" class="md-nav__link"> How do I require 2FA for my application? </a> </li> <li class="md-nav__item"> <a href="#how-can-an-insecure-frontend-and-secure-backend-work-together-with-oauth" class="md-nav__link"> How can an insecure frontend and secure backend work together with OAuth? </a> <nav class="md-nav" aria-label="How can an insecure frontend and secure backend work together with OAuth?"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#token-exchange-purple-dashed-lines" class="md-nav__link"> Token exchange (Purple, dashed lines) </a> </li> <li class="md-nav__item"> <a href="#multiple-audiences-accepted-by-backend-orange-solid-lines" class="md-nav__link"> Multiple Audiences accepted by backend (Orange, solid lines) </a> </li> </ul> </nav> </li> </ul> </nav> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" > <label class="md-nav__link" for="__nav_4"> Group Management System <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Group Management System" data-md-level="1"> <label class="md-nav__title" for="__nav_4"> <span class="md-nav__icon md-icon"></span> Group Management System </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../roadmap/group-missing-features/" class="md-nav__link"> Missing features </a> </li> <li class="md-nav__item"> <a href="../../groups/special-groups/" class="md-nav__link"> Special groups </a> </li> <li class="md-nav__item"> <a href="../../groups/dynamic-guidance/" class="md-nav__link"> Dynamic groups </a> </li> <li class="md-nav__item"> <a href="../../groups/csv/" class="md-nav__link"> CSV </a> </li> <li class="md-nav__item"> <a href="../../groups/e-groups-to-gms-sync-scenario/" class="md-nav__link"> E-Groups to GMS transition </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5" type="checkbox" id="__nav_5" > <label class="md-nav__link" for="__nav_5"> Resources lifecycle and eligibility <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Resources lifecycle and eligibility" data-md-level="1"> <label class="md-nav__title" for="__nav_5"> <span class="md-nav__icon md-icon"></span> Resources lifecycle and eligibility </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../resources/resources/" class="md-nav__link"> Introduction </a> </li> <li class="md-nav__item"> <a href="../../resources/resource-lifecycle-integration/" class="md-nav__link"> Integration </a> </li> <li class="md-nav__item"> <a href="../../resources/resource-states/" class="md-nav__link"> Resource States </a> </li> <li class="md-nav__item"> <a href="../../resources/push-rest-api/" class="md-nav__link"> Resources REST API (push) </a> </li> <li class="md-nav__item"> <a href="../../resources/policies/" class="md-nav__link"> Custom Resource Policies </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_6" type="checkbox" id="__nav_6" > <label class="md-nav__link" for="__nav_6"> Documents <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Documents" data-md-level="1"> <label class="md-nav__title" for="__nav_6"> <span class="md-nav__icon md-icon"></span> Documents </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../documents/why-keycloak/" class="md-nav__link"> Why Keycloak </a> </li> <li class="md-nav__item"> <a href="../../documents/presentations/" class="md-nav__link"> Presentations </a> </li> <li class="md-nav__item"> <a href="../../documents/our-contributions/" class="md-nav__link"> Our contributions to Keycloak </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7" type="checkbox" id="__nav_7" > <label class="md-nav__link" for="__nav_7"> Services <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Services" data-md-level="1"> <label class="md-nav__title" for="__nav_7"> <span class="md-nav__icon md-icon"></span> Services </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../services/" class="md-nav__link"> Overview </a> </li> <li class="md-nav__item"> <a href="../../services/instances/" class="md-nav__link"> Links to instances </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7_3" type="checkbox" id="__nav_7_3" > <label class="md-nav__link" for="__nav_7_3"> Authorization Service API <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Authorization Service API" data-md-level="2"> <label class="md-nav__title" for="__nav_7_3"> <span class="md-nav__icon md-icon"></span> Authorization Service API </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../authzsvc/overview/" class="md-nav__link"> Overview </a> </li> <li class="md-nav__item"> <a href="../../authzsvc/managed-applications/" class="md-nav__link"> Managing applications for other users </a> </li> <li class="md-nav__item"> <a href="../../authzsvc/roles/" class="md-nav__link"> Role definitions </a> </li> <li class="md-nav__item"> <a href="../../authzsvc/model/" class="md-nav__link"> Model (attributes) </a> </li> <li class="md-nav__item"> <a href="../../authzsvc/examples/" class="md-nav__link"> Examples </a> </li> </ul> </nav> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8" type="checkbox" id="__nav_8" > <label class="md-nav__link" for="__nav_8"> Help <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Help" data-md-level="1"> <label class="md-nav__title" for="__nav_8"> <span class="md-nav__icon md-icon"></span> Help </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../trouble-shooting/edugain-authentication/" class="md-nav__link"> eduGAIN Authentication </a> </li> <li class="md-nav__item"> <a href="../../trouble-shooting/2fa-tips/" class="md-nav__link"> 2FA Tips </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../../privacy-notice/" class="md-nav__link"> Privacy notice </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_10" type="checkbox" id="__nav_10" > <label class="md-nav__link" for="__nav_10"> Migration notes <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Migration notes" data-md-level="1"> <label class="md-nav__title" for="__nav_10"> <span class="md-nav__icon md-icon"></span> Migration notes </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../migrations/keycloak24/" class="md-nav__link"> Keycloak 24 </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../../contact/" class="md-nav__link"> Contact </a> </li> </ul> </nav> </div> </div> </div> <div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" > <div class="md-sidebar__scrollwrap"> <div class="md-sidebar__inner"> <nav class="md-nav md-nav--secondary" aria-label="Table of contents"> <label class="md-nav__title" for="__toc"> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix> <li class="md-nav__item"> <a href="#are-the-new-tokens-backwards-compatible" class="md-nav__link"> Are the new tokens backwards compatible? </a> </li> <li class="md-nav__item"> <a href="#why-is-my-saml-application-not-working-with-the-new-sso" class="md-nav__link"> Why is my SAML application not working with the new SSO? </a> </li> <li class="md-nav__item"> <a href="#how-can-i-look-up-groups-for-a-user" class="md-nav__link"> How can I look up groups for a user? </a> </li> <li class="md-nav__item"> <a href="#how-do-i-require-2fa-for-my-application" class="md-nav__link"> How do I require 2FA for my application? </a> </li> <li class="md-nav__item"> <a href="#how-can-an-insecure-frontend-and-secure-backend-work-together-with-oauth" class="md-nav__link"> How can an insecure frontend and secure backend work together with OAuth? </a> <nav class="md-nav" aria-label="How can an insecure frontend and secure backend work together with OAuth?"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#token-exchange-purple-dashed-lines" class="md-nav__link"> Token exchange (Purple, dashed lines) </a> </li> <li class="md-nav__item"> <a href="#multiple-audiences-accepted-by-backend-orange-solid-lines" class="md-nav__link"> Multiple Audiences accepted by backend (Orange, solid lines) </a> </li> </ul> </nav> </li> </ul> </nav> </div> </div> </div> <div class="md-content" data-md-component="content"> <article class="md-content__inner md-typeset"> <a href="https://gitlab.cern.ch/authzsvc/docs/authzsvc-docs/-/blob/master/docs/user-documentation/faqs.md" title="Edit this page" class="md-content__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20.71 7.04c.39-.39.39-1.04 0-1.41l-2.34-2.34c-.37-.39-1.02-.39-1.41 0l-1.84 1.83 3.75 3.75M3 17.25V21h3.75L17.81 9.93l-3.75-3.75L3 17.25Z"/></svg> </a> <h1 id="frequently-asked-questions">Frequently Asked Questions</h1> <h2 id="are-the-new-tokens-backwards-compatible">Are the new tokens backwards compatible?</h2> <p>The new token schemas provided for <a href="../oidc/config/">OIDC</a> and <a href="../saml/config/">SAML</a> applications are <strong>not</strong> fully backwards compatible.</p> <p>Significant changes:</p> <ul> <li>Only necessary data is included, other personal information can be queried from the Authorization Service API if required by your application</li> <li>The full list of e-groups has been removed. This is replaced by the concept of Roles, which you define for your application and map to e-groups plus requirements on identity assurance and multifactor.</li> </ul> <table> <thead> <tr> <th>Attribute</th> <th>Legacy SAML Field</th> <th>Example Value</th> <th>Migration Note</th> </tr> </thead> <tbody> <tr> <td>User identifier (duplicate of email)</td> <td>upn</td> <td>marie.curie@cern.ch</td> <td><strong>The value in this attribute is not backwards compatible</strong>. UPN previously contained the email which was misleading and insecure as it could be modified. The new UPN claim is a permanent, unique, non-reassigned ID. For CERN users it represents the CERN Login name, for federated users it is a unique identifier scoped to the identity provider, e.g. 12387234@google or albert.einstein@unibe.ch</td> </tr> <tr> <td>User identifier (duplicate of email)</td> <td>UPN</td> <td>marie.curie@cern.ch</td> <td>As above</td> </tr> <tr> <td>Email</td> <td>EmailAddress</td> <td>marie.curie@cern.ch</td> <td>Maintained</td> </tr> <tr> <td>Display Name</td> <td>DisplayName</td> <td>Marie Curie</td> <td>Maintained</td> </tr> <tr> <td>First Name</td> <td>Firstname</td> <td>Marie</td> <td>Maintained</td> </tr> <tr> <td>Last Name</td> <td>Lastname</td> <td>Curie</td> <td>Maintained</td> </tr> <tr> <td>CERN Person ID</td> <td>PersonID</td> <td>755555</td> <td>Maintained</td> </tr> <tr> <td>CERN Unix ID</td> <td>uidNumber</td> <td>55555</td> <td>Maintained</td> </tr> <tr> <td>CERN Unix GID</td> <td>gidNumber</td> <td>5555</td> <td>Maintained</td> </tr> <tr> <td>Preferred Language</td> <td>PreferredLanguage</td> <td>FR</td> <td>Maintained</td> </tr> <tr> <td>Groups</td> <td>Group</td> <td>[list of e-groups]</td> <td>Replaced by Roles, mapped to e-groups, level of assurance and single/multi factor criteria</td> </tr> <tr> <td>CERN Identity Class</td> <td>IdentityClass</td> <td>CERN Registered</td> <td>As above</td> </tr> <tr> <td>Authentication level (Normal or Multifactor )</td> <td>AuthLevel</td> <td>Normal</td> <td>As above</td> </tr> <tr> <td>Phone Number</td> <td>PhoneNumber</td> <td>+41227655555</td> <td>Discontinued, available from the Authorization Service</td> </tr> <tr> <td>Mobile Number</td> <td>MobileNumber</td> <td>+41754115555</td> <td>Discontinued, available from the Authorization Service</td> </tr> <tr> <td>Building</td> <td>Building</td> <td>11 1-111</td> <td>Discontinued, available from the Authorization Service</td> </tr> <tr> <td>CERN Department</td> <td>Department</td> <td>IT/MIA</td> <td>Discontinued, available from the Authorization Service</td> </tr> <tr> <td>Home Institute</td> <td>HomeInstitute</td> <td>CERN</td> <td>Discontinued, available from the Authorization Service</td> </tr> <tr> <td>Common Name</td> <td>CommonName</td> <td>mcurie</td> <td>Discontinued (For CERN people, this matches the UPN)</td> </tr> <tr> <td>Account source</td> <td>Federation</td> <td>CERN</td> <td>Discontinued</td> </tr> <tr> <td>CERN Role</td> <td>role</td> <td>CERN Users</td> <td>Discontinued</td> </tr> </tbody> </table> <h2 id="why-is-my-saml-application-not-working-with-the-new-sso">Why is my SAML application not working with the new SSO?</h2> <p>First, make sure you follow the SAML Application <a href="../saml/config/#configurationtroubleshooting-checklist">checklist</a>. If it is still not working and you are getting the message "Invalid Client" from SSO, you may need to ensure that your Metadata includes <code>&lt;md:KeyDescriptor use=”signing”&gt;</code> - your signed authentication requests will only be validated if SSO knows which key to use to check the signature.</p> <h2 id="how-can-i-look-up-groups-for-a-user">How can I look up groups for a user?</h2> <p>You will no longer receive all e-groups in your SSO tokens. Instead, you must define roles for your application that are linked to groups. This change has been implemented to protect the privacy of users' personal data. If you have a genuine reason to query all the groups for a user, you can request permission to use the <a href="../../authzsvc/overview/">Authorization Service API</a> with an OIDC Application.</p> <h2 id="how-do-i-require-2fa-for-my-application">How do I require 2FA for my application?</h2> <p>Create a role that is both "Required" and "Requires multifactor", more details are available in the <a href="https://auth.docs.cern.ch/applications/role-based-permissions">Roles Documentation</a>.</p> <h2 id="how-can-an-insecure-frontend-and-secure-backend-work-together-with-oauth">How can an insecure frontend and secure backend work together with OAuth?</h2> <p>A common use case is having an insecure (e.g. single page web app) frontend sending authenticated requests to a secure backend protected by OAuth. There are two main ways to do this:</p> <p><img alt="frontend-to-backend" src="../../images/frontend-to-backend.png" /></p> <h4 id="token-exchange-purple-dashed-lines">Token exchange (Purple, dashed lines)</h4> <ol> <li>User authenticated on the frontend via an OAuth public client</li> <li>Token is exchanged for a token made for the backend (i.e. audience set to the backend client)</li> <li>Token is sent to the backend</li> </ol> <h4 id="multiple-audiences-accepted-by-backend-orange-solid-lines">Multiple Audiences accepted by backend (Orange, solid lines)</h4> <ol> <li>User authenticated on the frontend via an OAuth public client</li> <li>Same token sent to the secure backend, which accepts token audience equal to the frontend client as well as its own</li> </ol> <p>We provide the following libraries and examples which might be of use:</p> <ul> <li>A <a href="https://gitlab.cern.ch/authzsvc/libraries/keycloak-js-react">ReactJS Library for Authentication</a></li> <li>A <a href="https://gitlab.cern.ch/authzsvc/docs/flask-oidc-api-example">Python flask API example</a></li> </ul> </article> </div> </div> </main> <footer class="md-footer"> <nav class="md-footer__inner md-grid" aria-label="Footer" > <a href="../../applications/command-line-tools/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Command line tools" rel="prev"> <div class="md-footer__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg> </div> <div class="md-footer__title"> <div class="md-ellipsis"> <span class="md-footer__direction"> Previous </span> Command line tools </div> </div> </a> <a href="../../roadmap/group-missing-features/" class="md-footer__link md-footer__link--next" aria-label="Next: Missing features" rel="next"> <div class="md-footer__title"> <div class="md-ellipsis"> <span class="md-footer__direction"> Next </span> Missing features </div> </div> <div class="md-footer__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4Z"/></svg> </div> </a> </nav> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class="md-copyright"> Made with <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener"> Material for MkDocs </a> </div> </div> </div> </footer> </div> <div class="md-dialog" data-md-component="dialog"> <div class="md-dialog__inner md-typeset"></div> </div> <script id="__config" type="application/json">{"base": "../..", "features": [], "search": "../../assets/javascripts/workers/search.5bf1dace.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version.title": "Select version"}}</script> <script src="../../assets/javascripts/bundle.37e9125f.min.js"></script> </body> </html>

Pages: 1 2 3 4 5 6 7 8 9 10