CAIDA Single Sign On (SSO)


The CAIDA Single Sign On system grants users access to multiple CAIDA web services (e.g., web pages, APIs, and file servers) with a single logon. To use any service that is protected by CAIDA SSO, you must first create an account. For some services, that is all you will need; for others, you must then request additional permissions. See the documentation for the individual service for information on requesting additional permissions.

Create an account

To create an account with CAIDA SSO, visit the page you are trying to access, Account Management, or any other page protected by CAIDA SSO. When prompted to log in, follow the Register link.

Some CAIDA services are available only to users at academic or other specific institutions. If you plan to request access to any of these restricted services, register with your email address at your institution, not a generic address such as a Gmail account, since the institutional address is what the access review is based on.

Once you have an account, you can visit Account Management to edit your personal information, change your password, etc.

Using a Protected Service in a Web Browser

To use a CAIDA service in a web browser, just visit the URL normally. You will be prompted to log in if needed.

To log out of all protected CAIDA services, use the “log out” or “sign out” link from any protected web page. Some services (APIs in particular) may not have web pages as such, but you can always log out from the CAIDA SSO logout page or from Account Management.

Using a Protected Service from an External Program

Some CAIDA services, usually APIs and file servers, are designed to be accessed by external programs rather than a web browser.

Services protected with CAIDA SSO use OpenID Connect (OIDC), an identity layer built on OAuth 2.0, to authenticate you; the access token it issues is what a protected service checks when authorizing each request.

Get OIDC tokens

Before your external program can access a protected service, you will need an OIDC refresh token and access token. There are several ways to get them:

  • Most services that are designed to be accessed by external programs have a page at {service_base_url}/offline/token where you can download an OIDC token file in a browser.
  • Install the CAIDA OIDC client and use the command get_oidc_token [--offline] $client_id to download an OIDC token file. (See the documentation for the individual service to find the necessary value for $client_id).

By default, the tokens obtained by get_oidc_token are tied to your browser login session: they are invalidated when you log out, after 30 minutes without use, or 10 hours after login, whichever comes first. Adding the --offline option instead requests offline tokens, which remain valid even after you have logged out in your web browser. Usually, offline tokens expire if not used within 30 days of issue, but once used they remain valid until explicitly revoked. (Note: the time limits described here are typical, but individual services may set different limits.)

Anyone who has a copy of the tokens can access the service as you, so do not share them with anyone. Treat the token file like a password: keep it readable only by your own account (for example, mode 0600 on Unix), and keep it out of version control, shared build logs, and command lines visible to other users. This is especially important for offline tokens, which do not expire on their own. If there is a chance someone else has obtained a copy of your offline tokens, or you are simply done using them, revoke them by finding the service in your list of applications in Account Management and selecting “Remove access”. This revokes all of your existing OIDC offline tokens for that service. You can always create new tokens later if needed.

Access the service

Once you have an OIDC token file, there are several ways to access a protected service:

  • The easiest way is to install the CAIDA OIDC client and use the oidc_query command.
  • Use the code for oidc_query in the CAIDA OIDC client as a starting point to write your own Python client.
  • Use the access token and refresh token contained in the OIDC token file with any OIDC client implementation. Some parameters you may need:
    • OIDC token endpoint: https://auth.caida.org/realms/CAIDA/protocol/openid-connect/token
    • OIDC discovery endpoint: https://auth.caida.org/realms/CAIDA/.well-known/openid-configuration
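
The following is an added example of the third option, written for this page; it is not the CAIDA OIDC client's oidc_query and is not CAIDA's code. It uses only the Python standard library and assumes (the page does not say) that the downloaded token file is the JSON response from the token endpoint, with "access_token" and "refresh_token" keys, and that the protected service accepts the access token as an HTTP Bearer token. CLIENT_ID and SERVICE_URL are placeholders, and the sample tokens in the offline walk-through are constructed and unsigned; real tokens are signed by auth.caida.org and verified by the service, not by this client.

```python
"""Added example: use a CAIDA OIDC token file from a Python program.

Not CAIDA's oidc_query. Assumptions not stated on the page:
  - the token file is JSON with "access_token" and "refresh_token" keys
    (the raw response from the token endpoint);
  - the protected service accepts "Authorization: Bearer <access_token>";
  - CLIENT_ID and SERVICE_URL are placeholders.
"""
import base64
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://auth.caida.org/realms/CAIDA/protocol/openid-connect/token"
CLIENT_ID = "example-client"                      # placeholder: the service's documented client_id
SERVICE_URL = "https://example.caida.org/api/data"  # placeholder protected URL
LEEWAY = 60  # refresh this many seconds before the access token actually expires


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.

    Enough to read 'exp' and decide when to refresh; signature verification is
    the protected service's job, never trust these claims for anything else.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def access_token_expired(token, now=None):
    now = time.time() if now is None else now
    return now + LEEWAY >= jwt_claims(token).get("exp", 0)


def http_post_form(url, fields):
    """Default transport: POST application/x-www-form-urlencoded, parse JSON."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.loads(resp.read())


def http_get_bearer(url, access_token):
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def refresh_tokens(tokens, post=http_post_form):
    """OAuth 2.0 refresh_token grant against the realm's token endpoint.

    The response carries a new access token and usually a rotated refresh
    token; keep whatever comes back and persist it so the old one is not reused.
    """
    new = post(TOKEN_ENDPOINT, {
        "grant_type": "refresh_token",
        "client_id": CLIENT_ID,
        "refresh_token": tokens["refresh_token"],
    })
    merged = dict(tokens)
    merged["access_token"] = new["access_token"]
    merged["refresh_token"] = new.get("refresh_token", tokens["refresh_token"])
    return merged


def query(tokens, url=SERVICE_URL, post=http_post_form, get=http_get_bearer, now=None):
    """Refresh if needed, then GET the URL. Returns (tokens, response body)."""
    if access_token_expired(tokens["access_token"], now):
        tokens = refresh_tokens(tokens, post)
    return tokens, get(url, tokens["access_token"])


def load_token_file(path):
    with open(path) as f:
        return json.load(f)


def save_token_file(path, tokens):
    """Write the (possibly rotated) tokens back, readable only by the owner."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(tokens, f)


def make_unsigned_jwt(claims):
    """Constructed sample token for the offline walk-through only (alg=none)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + "."


def demo_offline():
    """Walk through an expired access token with fake HTTP; no network used."""
    now = 1_700_000_000
    stale = {"access_token": make_unsigned_jwt({"sub": "user", "exp": now - 10}),
             "refresh_token": "constructed-refresh-token-1"}
    calls = []

    def fake_post(url, fields):
        calls.append(("POST", url, fields))
        return {"access_token": make_unsigned_jwt({"sub": "user", "exp": now + 300}),
                "refresh_token": "constructed-refresh-token-2"}

    def fake_get(url, access_token):
        calls.append(("GET", url, access_token))
        return b'{"ok": true}'

    tokens, body = query(stale, SERVICE_URL, post=fake_post, get=fake_get, now=now)
    return tokens, body, calls


if __name__ == "__main__":
    # Real use: tokens = load_token_file("token.json"); tokens, body = query(tokens)
    # then save_token_file("token.json", tokens) to keep the rotated refresh token.
    print(demo_offline()[1])
```

The refresh is done with the plain OAuth 2.0 refresh_token grant (grant_type, client_id, refresh_token as form fields), which is all a public client needs at the token endpoint listed above; the discovery endpoint would let a full OIDC library find that URL and the signing keys itself. The client deliberately does not verify the token signature: it only peeks at exp to avoid a wasted 401 round trip, and it always writes the rotated refresh token back with owner-only permissions because, as the previous section notes, anyone holding that file can act as you.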