Earthdata Login provides users with Single-Sign-On (SSO) access to Earthdata applications. The SSO capability enables an Earthdata Login
registered user to log in to Earthdata Login once and access multiple Earthdata Login-integrated EOSDIS applications without being
prompted to authenticate for each application separately.
The SSO capability in Earthdata Login is implemented using the OAuth 2 protocol. The following conditions
are required for the Earthdata Login SSO capability to work:
(1) The user must be a registered Earthdata Login user.
(2) The EOSDIS applications that the user accesses are registered with Earthdata Login and are
capable of using Earthdata Login for user authentication.
(3) Earthdata Login serves as the single Identity Provider for authenticating both the user and the
application being accessed.
The following scenarios give a high-level description of what a user experiences when accessing
an Earthdata Login-integrated EOSDIS application.
Scenario 1: User Accesses an Earthdata Login-integrated EOSDIS Application
When a user accesses data or services offered by an Earthdata Login-integrated EOSDIS application, the user is required to
log into Earthdata Login first if he/she has not already done so. Typically, the application provides a log-in
button which, when clicked, directs the user to an Earthdata Login-provided log-in page.
The user enters his/her log-in credentials on that page to log into Earthdata Login; the credentials are submitted to
Earthdata Login, never to the application.
After Earthdata Login has successfully authenticated the user, the user is prompted to authorize the application
to access his/her user profile if this is the first time the user accesses the application and he/she has not
previously authorized the application to access his/her user profile. (See Note 1 below.)
Once the user grants authorization, the user is redirected back to the application.
With the explicit authorization given by the user, and through subsequent behind-the-scenes interactions
between Earthdata Login and the application, the application obtains the user profile information (user ID, email
address, etc.) from Earthdata Login using a temporary access token issued by Earthdata Login. That access token is valid only for
the specific user and application it was issued to; it cannot be used by another application.
With the user profile information obtained from Earthdata Login, the application can then serve the user according to the
access privileges granted to the user within the application. (See Note 2 below).
If the user has accessed the application previously and authorized it for user profile access, the
application is authorized automatically, without prompting the user to authorize the application again.
Note 1: Earthdata Login keeps track of all applications the user has authorized. The user can log into Earthdata Login at any
time and revoke the authorization previously given to an application. In this sense, the user has control
over which application(s) his/her user profile is exposed to.
Note 2: The application is responsible for granting and maintaining user access privileges on the data and
services that it offers; Earthdata Login does not maintain such information.
Scenario 2: User Accesses a Second Earthdata Login-integrated EOSDIS Application
If the user is already logged into Earthdata Login when he/she accesses a second application, the user is directed to
Earthdata Login by the second application, but this time the user is not prompted to log into Earthdata Login, since the user
already has a session. Instead, the user is prompted to authorize the new application to access his/her user
profile, if this is the first time the user accesses that application. If the user had previously
authorized the application for profile access, the application is authorized automatically, without requiring
the user to authorize it again. The user is then redirected back to the application.
The rest of the authentication flow is identical to the process flow described in Scenario 1 above, Steps 5 and
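The two scenarios above, worked through as an added example. This is not Earthdata Login's code: it is a self-contained simulation of the OAuth 2 authorization-code exchange, with a hypothetical in-memory identity provider standing in for Earthdata Login and two hypothetical registered applications (app_a, app_b), a constructed user account, and constructed redirect URIs. It also includes two checks the text does not spell out but which any OAuth 2 integration needs: the application binds each login attempt to an unguessable state value and rejects callbacks that do not carry it, and the identity provider only redirects to the redirect_uri registered for the application.

```python
# Added example, not Earthdata Login's code: simulated OAuth 2 authorization-code SSO; all names, endpoints and accounts are constructed.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

@dataclass
class IdentityProvider:                              # hypothetical stand-in for the Earthdata Login server side
    users: dict                                      # user_id -> {"password", "email"}
    clients: dict                                    # client_id -> {"secret", "redirect_uri"}
    sessions: dict = field(default_factory=dict)     # session_id -> user_id (the SSO state)
    consents: set = field(default_factory=set)       # (user_id, client_id) pairs the user approved
    codes: dict = field(default_factory=dict)        # one-time code -> (user_id, client_id, redirect_uri)
    tokens: dict = field(default_factory=dict)       # access token -> (user_id, client_id)

    def login(self, user_id, password):
        # Only the identity provider checks the password; applications never receive it.
        u = self.users.get(user_id)
        if u is None or not hmac.compare_digest(u["password"], password):
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user_id
        return sid

    def authorize(self, session_id, client_id, redirect_uri, state, approve=False):
        # Authorization endpoint: 'login_required', 'consent_required', or a redirect carrying the code.
        user_id = self.sessions.get(session_id)
        if user_id is None:
            return "login_required"
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unregistered client or redirect_uri mismatch")
        if (user_id, client_id) not in self.consents:
            if not approve:
                return "consent_required"
            self.consents.add((user_id, client_id))     # remembered, so later visits skip the prompt
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user_id, client_id, redirect_uri)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        # Back-channel exchange: authenticate the app, consume the code, bind the token to user+app.
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)
        if entry is None or entry[1:] != (client_id, redirect_uri):
            raise PermissionError("code invalid for this client/redirect_uri")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (entry[0], client_id)
        return tok

    def profile(self, token, client_id):
        # A token issued to one application is rejected when another application presents it.
        entry = self.tokens.get(token)
        if entry is None or entry[1] != client_id:
            raise PermissionError("token not valid for this application")
        return {"uid": entry[0], "email": self.users[entry[0]]["email"]}

    def revoke(self, user_id, client_id):
        # The user withdraws an application's authorization: its consent and its tokens are dropped.
        self.consents.discard((user_id, client_id))
        self.tokens = {t: v for t, v in self.tokens.items() if v != (user_id, client_id)}

@dataclass
class ClientApp:                                     # a registered application; it handles only a code and a token
    idp: IdentityProvider
    client_id: str
    client_secret: str
    redirect_uri: str

    def start_login(self):                           # fresh unguessable state, kept in the user's app session
        return secrets.token_urlsafe(16)

    def handle_callback(self, redirect_url, expected_state):
        q = parse_qs(urlparse(redirect_url).query)
        if not hmac.compare_digest(q.get("state", [""])[0], expected_state):
            raise PermissionError("state mismatch: callback was not started by this app")
        tok = self.idp.token(self.client_id, self.client_secret, q["code"][0], self.redirect_uri)
        return self.idp.profile(tok, self.client_id)

def run_sso_demo():
    # Scenario 1 (first app: login, then consent) followed by Scenario 2 (second app: consent only).
    idp = IdentityProvider(
        users={"jdoe": {"password": "correct horse", "email": "jdoe@example.org"}},
        clients={"app_a": {"secret": "sa", "redirect_uri": "https://app-a.example/cb"},
                 "app_b": {"secret": "sb", "redirect_uri": "https://app-b.example/cb"}})
    a = ClientApp(idp, "app_a", "sa", "https://app-a.example/cb")
    b = ClientApp(idp, "app_b", "sb", "https://app-b.example/cb")
    out, st = {}, a.start_login()
    out["first_visit"] = idp.authorize(None, "app_a", a.redirect_uri, st)       # no session yet: login_required
    sid = idp.login("jdoe", "correct horse")
    out["after_login"] = idp.authorize(sid, "app_a", a.redirect_uri, st)        # first app: consent_required
    out["profile_a"] = a.handle_callback(idp.authorize(sid, "app_a", a.redirect_uri, st, approve=True), st)
    st = b.start_login()
    out["second_app"] = idp.authorize(sid, "app_b", b.redirect_uri, st)         # no login prompt, consent only
    out["profile_b"] = b.handle_callback(idp.authorize(sid, "app_b", b.redirect_uri, st, approve=True), st)
    out["return_to_a"] = idp.authorize(sid, "app_a", a.redirect_uri, a.start_login()).startswith(a.redirect_uri)
    return out
```

run_sso_demo() walks the two scenarios in order and returns what each step produced. The points to notice are that the password is only ever handled inside IdentityProvider.login, that IdentityProvider.token authenticates the application with its own secret before issuing anything, that the code is consumed on first use, and that IdentityProvider.profile refuses a token presented by an application other than the one it was issued to. IdentityProvider.revoke corresponds to Note 1 above: once the user withdraws consent, the next visit prompts for authorization again and the application's outstanding tokens stop working.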
Below are some of the benefits of the Earthdata Login SSO capability:
The user need only be a registered user with Earthdata Login and does not need to set up and maintain separate user
profiles with different applications, thereby simplifying user profile management.
The user always logs in at the Earthdata Login-provided log-in page. The user password is not transmitted or exposed to
the application during a user authentication process.
The user has control over whether or not to authorize an application to access his/her profile information.
The application can access the user profile information only with the explicit authorization granted by the user.
Since user authentication is performed by a single Identity Provider, Earthdata Login, the user is not
prompted to log in again when accessing another Earthdata Login-integrated application after he/she has already
logged in to Earthdata Login, thereby achieving single-sign-on access to multiple applications.