This article explains the MUSES user account system and attempts to answer some of the frequently asked questions about our authentication system.
Your MUSES account is the way the MUSES web services identify you in order to grant you appropriate access to services and content.
No! We do not directly perform authentication, and so you do not need a new username and password for our services. Keep reading to learn how you log in.
When you log in, or authenticate, you are proving to the MUSES web services that you are who you claim to be. You do this by authenticating to one of our trusted identity providers (IdPs) that you can select from the CILogon login page. You never actually submit your username and password to MUSES web services. This is more convenient for you and more secure for everyone.
A common mistake is to log in using a different identity provider (IdP) than the one you originally registered with. For example, if you register a MUSES account using your university as your IdP, the associated MUSES account will be added to the appropriate access control groups (e.g. “collaborator”). If you then subsequently log in accidentally using Google as your IdP, you will actually be creating a new MUSES account. To fix this problem, use the Logout link in the user menu at the upper right corner of this forum interface.
I registered for the seminar series or to be a collaborator but I cannot access the content I need.
Another common mistake is to register for the seminar series or to be an official collaborator using an email address different from the one provided by your identity provider. As it cautions on the registration forms, after logging in for the first time you must review your personal info here to ensure that your Name and Email are accurate. This is the email address you must use in the registration form.
You may be directed to the CILogon website or see something about Keycloak in the login process. These are both services that MUSES uses to provide authentication and authorization services. We operate our own Keycloak server, and we use the CILogon service hosted at NCSA.
Unnecessary technical details ahead. Nerds only past this point. Each of our individual web services uses our Keycloak server as its OpenID Connect (OIDC) identity provider. Keycloak supports as many individually configured OIDC clients as desired. Keycloak is configured to use CILogon as the single identity provider for all of these OIDC clients. Keycloak automatically creates a local Keycloak user account when someone logs in for the first time. We can then assign these Keycloak accounts to different groups and roles within Keycloak that can be used for access control and authorization.
In academic research collaborations like MUSES it is typical for graduate students to graduate and accept postdoc positions at another university, or for a postdoc to accept a new faculty position at another university or join a national lab. When this happens, the researcher is often unable to authenticate using their old institution account because it has been closed.
Fortunately our authentication system is robust to such changes and you can switch IdPs seamlessly; however, you must first coordinate with a MUSES admin prior to logging in with your new IdP. Here’s how it works:
Send your new email address that is associated with your new IdP to an admin, along with the name of your new institution. (If your original username was your old email address, you may want to change that as well.)
Behind the scenes in Keycloak, the admin will unlink your MUSES account from the old IdP and update your email (and username if desired). The admin may also need to add the new institution to the list of enabled IdPs for CILogon.
When the admin says it is ready, you will attempt to log in to a MUSES service like the forum using your new IdP. CILogon will then present one or two dialogs where you can update your account info and confirm that you want to add to an existing account.
If you update your info this way, please use your first.lastname as the username (e.g. jane.doe or something similar).
You should receive a confirmation email to finalize the linking of the new IdP to your existing account.
If this process works as expected, the MUSES services should behave exactly as they did before with your preferences and local application-level accounts unaffected.
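The following is a simplified model of the account behaviour described in this article, added as an illustration; it is not MUSES, Keycloak or CILogon code. It shows why logging in through a different IdP produces a second account without your groups, and why the admin's unlink step followed by your email confirmation reattaches the original account. The `Broker` class, its method names and all identities are constructed assumptions.

```python
# Simplified model (an assumption, not Keycloak's or CILogon's implementation):
# a local account is looked up by the (IdP, subject) pair asserted at login.
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    email: str
    groups: set = field(default_factory=set)

class Broker:
    def __init__(self):
        self.links = {}     # (idp, subject) -> Account
        self.unlinked = []  # accounts an admin has detached from their old IdP
        self.pending = {}   # (idp, subject) -> Account awaiting email confirmation

    def login(self, idp, subject, email):
        key = (idp, subject)
        if key in self.links:              # known identity: same account as before
            return self.links[key]
        for acct in self.unlinked:         # detached account with a matching email
            if acct.email == email:
                self.pending[key] = acct   # linking waits for the confirmation email
                return None
        acct = Account(username=email, email=email)  # unknown identity: new account
        self.links[key] = acct
        return acct

    def admin_prepare_idp_change(self, acct, new_email):
        # Admin step: remove the old IdP link and record the new email address.
        for key in [k for k, a in self.links.items() if a is acct]:
            del self.links[key]
        acct.email = new_email
        self.unlinked.append(acct)

    def confirm_link(self, idp, subject):
        # User confirms by email: the new identity is attached to the old account.
        acct = self.pending.pop((idp, subject))
        self.unlinked.remove(acct)
        self.links[(idp, subject)] = acct
        return acct

def demo():
    b = Broker()  # all identities below are constructed sample values
    jane = b.login("Old University", "sub-111", "jane@old.example")
    jane.groups.add("collaborator")
    dup = b.login("Google", "sub-222", "jane@gmail.example")  # wrong IdP: new account
    b.admin_prepare_idp_change(jane, "jane@new.example")
    first = b.login("New University", "sub-333", "jane@new.example")  # pending link
    linked = b.confirm_link("New University", "sub-333")
    return jane, dup, first, linked
```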