
Documentation

Introduction

Earthdata Login provides users with Single-Sign-On (SSO) access to Earthdata applications. The SSO capability enables an Earthdata Login-registered user to log in to Earthdata Login once and access multiple Earthdata Login-integrated EOSDIS applications without being prompted to authenticate for each application separately.

The SSO capability in Earthdata Login is implemented using the OAuth 2 protocol. The following conditions are required for the Earthdata Login SSO capability to work.

(1) The user must be a registered Earthdata Login user.

(2) The EOSDIS applications that the user accesses are registered with Earthdata Login and are capable of using Earthdata Login for user authentication.

(3) Earthdata Login serves as the single Identity Provider for authenticating the user and the application being accessed.

In the following scenarios, we provide a high-level description of what a user will experience when accessing an Earthdata Login-integrated EOSDIS application.

Scenario 1: User Accesses an Earthdata Login-integrated EOSDIS Application

  1. When a user accesses data or services offered by an Earthdata Login-integrated EOSDIS application, the user is required to log into Earthdata Login first if he/she has not previously logged into Earthdata Login. Typically, the application provides a log-in button which, when clicked by the user, directs the user to an Earthdata Login-provided log-in page.
  2. The user enters his/her log-in credentials to log into Earthdata Login.
  3. After the user has been successfully authenticated by Earthdata Login, the user is prompted to authorize the application to access his/her user profile if this is the first time the user accesses the application and he/she has not previously authorized the application to access his/her user profile. (See Note 1 below.)
  4. Upon authorization granted by the user, the user is then redirected back to the application.
  5. With the explicit authorization given by the user, and subsequent behind-the-scenes interactions that occur between Earthdata Login and the application, the application is able to obtain the user profile information (user ID, email address, etc.) from Earthdata Login using a temporary access token issued by Earthdata Login. The access token is only valid for the specific user and application.
  6. With the user profile information obtained from Earthdata Login, the application can then serve the user according to the access privileges granted to the user within the application. (See Note 2 below.)

Notes:

  1. If the user had accessed the application previously and had authorized it for user profile access, the application will be authorized automatically, without prompting the user to authorize the application again. Earthdata Login keeps track of all applications the user has authorized. The user can always log into Earthdata Login and revoke the authorization previously given to an application if the user so desires. In this sense, the user has control over which application(s) to expose or not expose his/her user profile to.
  2. Note that the application is responsible for granting and maintaining user access privileges on the data and services that it offers; Earthdata Login does not maintain such information.

Scenario 2: User Accesses a Second Earthdata Login-integrated EOSDIS Application

If the user has already logged into Earthdata Login when he/she accesses a second application, the user will be directed to Earthdata Login by the second application, but this time the user will not be prompted to log into Earthdata Login since the user is already logged in. Instead, the user will be prompted to authorize the new application to access his/her user profile, if this happens to be the first time the user accesses the application. If the user had previously authorized the application for profile access, the application will be authorized automatically, without requiring the user to authorize the application again. The user is then redirected back to the application.

The rest of the authentication flow is identical to the process flow described in Scenario 1 above, Steps 5 and 6.
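The following is an added example of the application-side half of the flow described in Scenario 1 (steps 1, 4, 5 and 6) and reused in Scenario 2; it is not code from Earthdata Login or from any EOSDIS application. The endpoint URLs, the `REDIRECT_URI`, the client credentials, the `APP_ROLES` table and the `FakeProvider` class are all constructed for the example, the last one standing in for the identity provider's back channel so the flow runs offline. The points it makes concrete are the ones the scenario states: the application never sees the user's password, it only ever handles a one-time authorization code and a temporary access token, and the privileges it enforces (Note 2) are its own, not the identity provider's.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed endpoint URLs; the real ones come from the application's registration
# with the identity provider and are not taken from the page.
AUTHORIZE_URL = "https://sso.example.invalid/oauth/authorize"
TOKEN_URL = "https://sso.example.invalid/oauth/token"
PROFILE_URL = "https://sso.example.invalid/api/user"
REDIRECT_URI = "https://app.example.invalid/oauth/callback"  # constructed

# Constructed: the application's own privilege table. Per Note 2 the identity
# provider does not hold this; the application maps the returned user ID to it.
APP_ROLES = {"alice": {"download", "subset"}, "bob": {"download"}}


def build_login_redirect(client_id, redirect_uri, session):
    """Step 1: the log-in button sends the browser to the provider's log-in page.
    A fresh random `state` is kept in the user's session so the callback in
    step 4 can be tied to the log-in attempt this session actually started."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url, session):
    """Step 4: the provider redirects back with ?code=...&state=... after the
    user has authenticated and authorized the application (steps 2 and 3).
    The callback is rejected unless `state` matches the stored value."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [""])[0]
    if not expected or not secrets.compare_digest(expected, received):
        raise ValueError("state mismatch: callback is not tied to a login this session started")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def exchange_code_for_token(code, client_id, client_secret, redirect_uri, http_post):
    """Step 5, first half: a server-to-server call trades the one-time code for
    a temporary access token. The client secret is sent here, never to the browser."""
    resp = http_post(TOKEN_URL,
                     data={"grant_type": "authorization_code", "code": code,
                           "redirect_uri": redirect_uri},
                     auth=(client_id, client_secret))
    if "access_token" not in resp:
        raise RuntimeError("token endpoint rejected the code: " + str(resp.get("error")))
    return resp["access_token"]


def fetch_profile(access_token, http_get):
    """Step 5, second half: read the user profile with the access token."""
    return http_get(PROFILE_URL, headers={"Authorization": f"Bearer {access_token}"})


def privileges_for(profile):
    """Step 6: the application decides what this user may do, from its own table."""
    return APP_ROLES.get(profile.get("uid"), set())


def complete_login(callback_url, session, client_id, client_secret, redirect_uri,
                   http_post, http_get):
    code = parse_callback(callback_url, session)
    token = exchange_code_for_token(code, client_id, client_secret, redirect_uri, http_post)
    profile = fetch_profile(token, http_get)
    return profile, privileges_for(profile)


class FakeProvider:
    """Constructed offline stand-in for the identity provider's back channel.
    It honours a code once, for the client it was issued to, and binds the
    resulting token to that user (the token is valid only for that user/app)."""
    def __init__(self):
        self.codes = {"CODE123": ("alice", "app-id")}  # code -> (uid, client it was issued to)
        self.tokens = {}

    def post(self, url, data, auth):
        uid, issued_to = self.codes.pop(data.get("code"), (None, None))
        if url != TOKEN_URL or uid is None or auth != (issued_to, "app-secret"):
            return {"error": "invalid_grant"}
        token = "tok-" + secrets.token_hex(8)
        self.tokens[token] = uid
        return {"access_token": token, "token_type": "Bearer"}

    def get(self, url, headers):
        token = headers.get("Authorization", "")[len("Bearer "):]
        uid = self.tokens.get(token)
        if url != PROFILE_URL or uid is None:
            return {"error": "invalid_token"}
        return {"uid": uid, "email_address": f"{uid}@example.invalid"}


def demo():
    """Run the whole flow once against the stand-in provider."""
    session, provider = {}, FakeProvider()
    build_login_redirect("app-id", REDIRECT_URI, session)
    # The browser would now visit the log-in page; after steps 2 and 3 the
    # provider redirects back with the code and the echoed state:
    callback = f"{REDIRECT_URI}?code=CODE123&state={session['oauth_state']}"
    return complete_login(callback, session, "app-id", "app-secret", REDIRECT_URI,
                          provider.post, provider.get)
```

In a real deployment `http_post` and `http_get` would be the application's HTTP client calling the provider's endpoints; keeping them as parameters is what lets the same code run against the constructed stand-in. The `state` check in `parse_callback` is the one piece the scenario text does not spell out but every client of this flow needs: without it a callback could be accepted that was not initiated by the session receiving it.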

Benefits

Below are some of the benefits of the Earthdata Login SSO capability:

  1. The user need only be a registered user with Earthdata Login and does not need to set up and maintain separate user profiles with different applications, thereby simplifying user profile management.
  2. The user always logs in at the Earthdata Login-provided log-in page. The user password is not transmitted or exposed to the application during a user authentication process.
  3. The user has control over whether or not to authorize an application to access his/her profile information. The application can access the user profile information only with the explicit authorization granted by the user.
  4. Since the user authentication is performed by the single Identity Provider, Earthdata Login, the user will not be prompted to log in again when the user accesses another Earthdata Login-integrated application after he/she has already logged in to Earthdata Login, thereby achieving single-sign-on access to multiple applications.

Check out Earthdata Login OAuth/SSO Client Implementation for information on integrating client applications with Earthdata Login.