Authentication overview

The University of Oslo (UiO) employs a robust authentication framework designed to secure access to its diverse range of digital services and resources. This framework primarily relies on Feide, the Norwegian national identity management solution for the education and research sector. Feide acts as a centralized authentication broker, allowing users to log in once to access multiple services without re-entering credentials for each application. This approach streamlines user experience while enforcing consistent security policies across the university's digital landscape.

UiO's authentication system supports various user types, including students, employees, and external collaborators. The choice of authentication method often depends on the user's affiliation and the specific service being accessed. The underlying protocols, such as Security Assertion Markup Language (SAML) 2.0 and OpenID Connect, facilitate secure communication between the user's identity provider (IdP) and the service provider (SP) (OpenID Connect specifications).

The authentication infrastructure is continuously updated to incorporate modern security practices, including multi-factor authentication (MFA) and compliance with relevant data protection regulations. The goal is to provide a secure, reliable, and user-friendly experience for all individuals accessing UiO's digital ecosystem.

Supported authentication methods

The University of Oslo supports several authentication methods, each tailored to different user roles and access requirements. The primary method for most users is Feide, which itself supports various underlying credential types and security features. For specialized applications or external integrations, alternative methods may be available.

Method                     | When to use                                                                                                   | Security level
Feide (username/password)  | Standard access for students and employees to most UiO systems (e.g., Canvas, email, Studentweb).            | Medium on its own; High when MFA is enabled
Feide (MFA via SMS/app)    | Recommended for all users, particularly for sensitive systems and remote access. Enabled within Feide settings. | Very High (app-based codes are stronger than SMS, which is exposed to SIM-swap and real-time phishing)
eduGAIN                    | Researchers and staff from other academic institutions participating in the international eduGAIN interfederation. | High (depends on the home institution's login policy)
Guest accounts             | Temporary access for external visitors or collaborators to specific services, usually time-limited.          | Medium (service-dependent)
API keys/tokens            | Programmatic access to specific services or custom integrations, managed by service administrators.          | Variable (service-dependent; requires careful key management)

The security levels are relative rankings used on this page, not a formal assurance classification.

Feide Authentication

Feide serves as the central identity provider for UiO. When a user attempts to access a UiO service, they are redirected to the Feide login page, where they enter their UiO username and password. Feide verifies these credentials against the university's identity management system. Upon successful authentication, Feide issues a signed token (a SAML assertion or an OpenID Connect ID token) to the service. The service validates the signature, issuer and audience of that token before creating a session, so the user's password is never exposed to the service provider.

Feide also supports multi-factor authentication. Users can enable MFA using SMS codes, authentication apps (such as Google Authenticator or Microsoft Authenticator), or other supported methods. This adds a second verification step beyond the password. Note that one-time codes delivered by SMS or generated by an app stop password-only attacks but can still be relayed by a real-time phishing page; FIDO2/WebAuthn security keys, where a service offers them, are phishing-resistant because the credential is bound to the legitimate site's origin (FIDO Alliance standards for strong authentication).

eduGAIN and Federated Access

For users from other academic institutions that are part of the eduGAIN interfederation, UiO supports federated login. This allows researchers and staff to use their home institution's credentials to access UiO resources, facilitating international collaboration without requiring separate UiO accounts. The process involves a trust relationship between the user's home institution's identity provider and UiO's service providers, mediated by eduGAIN.

API Key/Token Authentication

Certain specialized UiO services or custom applications may use API keys or access tokens for programmatic authentication. These are typically issued for machine-to-machine communication or for integrations where an interactive user login flow is not appropriate. An API key is a long, randomly generated string that both identifies and authenticates a calling application; whoever holds the string can act as that application, so it must be stored and transmitted like a password. Access tokens, often short-lived JSON Web Tokens (JWTs), are issued in OAuth 2.0 flows to grant a client application a specific set of permissions (scopes) for a limited time. A client should treat an access token as opaque and pass it on unchanged; only the resource server that issued or trusts it needs to parse and verify it.

Getting your credentials

The process for obtaining and managing your University of Oslo authentication credentials varies depending on your affiliation:

For Students

  1. Initial Account Creation: Upon admission, new students receive an activation link or instructions to set up their UiO user account. This typically involves creating a username and password through a secure registration portal.
  2. Feide Integration: Once your UiO account is active, it is automatically linked to Feide. Your UiO username and password become your Feide credentials for accessing university services.
  3. Password Management: Passwords can be changed or reset through the dedicated UiO password portal, accessible via the university's IT support pages.

For Employees

  1. Account Provisioning: New employees' accounts are typically provisioned by their hiring department in collaboration with UiO IT. You will receive information on how to activate your account and set your initial password.
  2. Feide Integration: Similar to students, employee accounts are integrated with Feide, allowing the use of UiO credentials for Feide-enabled services.
  3. Password Management: Employees can manage their passwords through the UiO password portal. Strong password policies are enforced, often requiring a combination of uppercase, lowercase, numbers, and special characters.

For Guest Accounts and External Collaborators

  1. Sponsorship: Guest accounts usually require sponsorship by a UiO employee. The sponsor initiates the request through an internal portal, specifying the guest's details and required access period.
  2. Credential Delivery: Once approved, guests receive their login credentials (username and temporary password) via email or directly from their UiO sponsor.

For API Keys/Tokens

If you require an API key or access token for a specific UiO service or application, you must typically:

  1. Contact the administrator or technical support team for the specific service you wish to integrate with.
  2. Provide details about your application, its purpose, and the type of access required.
  3. Follow the service-specific process for key generation and management, which may involve an application form or direct issuance.

Authenticated request example

While the University of Oslo does not offer a single, unified public API with a universal authentication scheme, an authenticated request example can illustrate common patterns for services that use API keys or token-based authentication. This example assumes a hypothetical UiO service that requires an API key in the Authorization header.

Using an API Key (Hypothetical Service)

For a service requiring an API key, the key is sent in an HTTP header, usually the Authorization header. Some services also accept the key as a query parameter, but that should be avoided where possible: query strings end up in browser history, proxy and server access logs, and Referer headers, which leaks the credential. The following example sends an API key in the Authorization header with the Bearer scheme, which is the standard way to present token-style credentials:

GET /api/v1/data/course_info HTTP/1.1
Host: api.uio.no
Authorization: Bearer YOUR_API_KEY_OR_TOKEN
Accept: application/json

In this example:

  • YOUR_API_KEY_OR_TOKEN must be replaced with the actual API key or access token provided for your application.
  • The Bearer scheme is a standard method for sending opaque access tokens (OAuth 2.0 Bearer Token Usage). A bearer credential is usable by anyone who holds it, so it must only ever be sent over HTTPS.
  • A GET request carries no body, so the request declares the response format it wants with Accept rather than Content-Type; Content-Type belongs on requests that send a body (POST, PUT, PATCH).

Using cURL for an API Key Request

You can make this request using a command-line tool like cURL:

curl \
  -H "Authorization: Bearer YOUR_API_KEY_OR_TOKEN" \
  -H "Accept: application/json" \
  https://api.uio.no/api/v1/data/course_info

Feide-Authenticated Web Applications

For web applications protected by Feide, authentication is handled by browser redirects and session cookies rather than by headers the caller sets, and is largely abstracted away from the developer. When a user accesses a Feide-protected resource, the application redirects the browser to Feide for login. Upon successful authentication, Feide redirects the user back to the application's registered return URL with an assertion (a SAML response) or, in the OpenID Connect authorization code flow, a one-time code that the application exchanges server-side for an ID token. The application validates what it received, binds the user to a fresh session, and authenticates subsequent requests within that session via the session cookie.
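The redirect exchange described above (and the token issuance described under Feide Authentication) has a few checks on the application side that are easy to get wrong. The following added example, which is not code from UiO, Feide or any OIDC library, shows the relying-party side of an OpenID Connect authorization code flow with PKCE: building the authorization request with state, nonce and a code challenge; checking the state when the browser comes back; and validating the ID token claims. The issuer, client id, redirect URI and endpoint path are placeholders; in practice they come from your client registration and the provider's discovery document. Signature verification of the ID token against the provider's JWKS is done by a JOSE library and happens before the claim checks shown here.

```python
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse
from typing import Dict, Optional

# Placeholder values for illustration only; use your registered client's values.
ISSUER = "https://idp.example.test"
AUTHORIZE_ENDPOINT = ISSUER + "/oauth/authorization"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.test/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout OAuth/OIDC."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636 section 4.2): BASE64URL(SHA256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def query_params(url: str) -> Dict[str, str]:
    """First value of each query parameter in a URL (helper for inspection)."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).items()}


def build_authorization_request(session: Dict[str, str]) -> str:
    """Generate state, nonce and PKCE verifier, bind them to this browser's
    pre-login session, and return the URL the browser is redirected to."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    session["oidc_verifier"] = secrets.token_urlsafe(64)   # 86 chars, within the 43..128 limit
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
        "code_challenge": pkce_challenge(session["oidc_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def check_callback(session: Dict[str, str], query: str) -> str:
    """Validate the redirect back from the provider and return the authorization code.
    The state must equal the one stored for this browser session; this is the
    defence against login CSRF and against codes injected from another session."""
    q = urllib.parse.parse_qs(query, strict_parsing=True)
    if "error" in q:
        raise ValueError("provider returned error: " + q["error"][0])
    expected = session.pop("oidc_state", None)   # single use
    state = q.get("state", [""])[0]
    if expected is None or not state or not hmac.compare_digest(state, expected):
        raise ValueError("state mismatch")
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return q["code"][0]


def validate_id_token_claims(claims: Dict, session: Dict[str, str],
                             now: Optional[float] = None) -> Dict:
    """Claim checks from OIDC Core section 3.1.3.7, applied after the token's
    signature has been verified against the provider's JWKS."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp must name this client when aud has several entries")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    expected_nonce = session.pop("oidc_nonce", None)   # single use, like state
    if expected_nonce is None or claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible token replay)")
    return claims
```

The verifier stays in the server-side session and is sent only on the back-channel code exchange (with the code and the registered redirect URI), so a code stolen from the front-channel redirect cannot be redeemed without it. State and nonce are popped on use so a replayed callback or ID token fails.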

Security best practices

Adhering to security best practices is crucial for protecting your University of Oslo account and the university's digital assets. Both individual users and developers integrating with UiO services have responsibilities in maintaining a secure environment.

For All Users (Students, Employees, Guests)

  1. Enable Multi-Factor Authentication (MFA): Always activate MFA for your Feide account. This significantly reduces the risk of unauthorized access, even if your password is compromised.
  2. Use Strong, Unique Passwords: Create complex passwords that are difficult to guess and different from passwords used for other services. Avoid using personal information.
  3. Never Share Credentials: Your username and password are for your exclusive use. Do not share them with anyone, including colleagues or IT support. UiO IT will never ask for your password via email or phone.
  4. Be Wary of Phishing: Exercise extreme caution with emails or messages requesting your login credentials or directing you to suspicious login pages. Verify the sender and URL before clicking links or entering information.
  5. Log Out After Use: Always log out of university systems, especially when using public or shared computers.
  6. Keep Software Updated: Ensure your operating system, web browser, and antivirus software are up to date to protect against known vulnerabilities.

For Developers and Service Integrators

  1. Secure API Keys/Tokens: If using API keys or access tokens, treat them as sensitive credentials.
    • Do not hardcode keys: Store them in environment variables, secure configuration files, or a secrets management service, not directly in your source code.
    • Restrict access: Limit who can access and use API keys.
    • Rotate keys: Regularly rotate API keys to minimize the impact of a compromised key.
    • Use least privilege: Ensure that API keys or tokens only have the minimum necessary permissions to perform their intended function.
  2. Implement HTTPS/TLS: Always use HTTPS for all communication with UiO services to encrypt data in transit and prevent eavesdropping.
  3. Validate and Sanitize Inputs: Strictly validate and sanitize all data received from external sources to prevent injection attacks and other vulnerabilities.
  4. Error Handling: Implement secure error handling that does not reveal sensitive system information or stack traces to users.
  5. Session Management: For web applications, implement secure session management, including proper session expiration, secure cookie flags (HttpOnly, Secure, SameSite), and regeneration of session IDs after authentication.
  6. Regular Security Audits: Conduct regular security audits and penetration testing of your applications to identify and remediate vulnerabilities.
  7. Stay Informed: Keep abreast of the latest security threats and best practices in application security.
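Item 5 above lists the session properties a web application behind Feide needs once the login redirect is complete. The following added example, not code from UiO or any framework, shows one way to get all of them: a server-side session store with idle and absolute timeouts, a login step that discards the pre-login session ID and issues a new one (defeating session fixation), and a Set-Cookie value carrying HttpOnly, Secure and SameSite. The cookie name, timeout values and store are assumptions for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Assumed policy values for the example.
IDLE_TIMEOUT = 30 * 60          # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard lifetime regardless of activity
# The __Host- prefix makes browsers refuse the cookie unless it is Secure,
# has Path=/ and no Domain attribute, so a subdomain cannot overwrite it.
COOKIE_NAME = "__Host-session"


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, now: Optional[float] = None) -> str:
        """New anonymous session with a 256-bit random identifier."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"created": now, "last_seen": now, "user": None}
        return sid

    def get(self, sid: Optional[str], now: Optional[float] = None) -> Optional[dict]:
        """Look up a session, enforcing both timeouts; touching it renews the idle timer."""
        now = time.time() if now is None else now
        session = self._sessions.get(sid) if sid else None
        if session is None:
            return None
        if now - session["last_seen"] > IDLE_TIMEOUT or now - session["created"] > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        session["last_seen"] = now
        return session

    def login(self, old_sid: Optional[str], user: str, now: Optional[float] = None) -> str:
        """Bind the authenticated user to a brand-new session ID. Any ID the browser
        held before authentication (possibly planted by an attacker) is invalidated,
        which is what closes session fixation."""
        if old_sid:
            self._sessions.pop(old_sid, None)
        new_sid = self.create(now)
        self._sessions[new_sid]["user"] = user
        return new_sid

    def destroy(self, sid: Optional[str]) -> None:
        if sid:
            self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value for the session: not readable by script, HTTPS only,
    not sent on cross-site navigations initiated by other origins' POSTs."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    cookie[COOKIE_NAME]["httponly"] = True
    cookie[COOKIE_NAME]["secure"] = True
    cookie[COOKIE_NAME]["samesite"] = "Lax"
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie.output(header="").strip()


def logout_cookie() -> str:
    """Set-Cookie value that tells the browser to drop the session cookie."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = ""
    cookie[COOKIE_NAME]["max-age"] = 0
    cookie[COOKIE_NAME]["secure"] = True
    cookie[COOKIE_NAME]["httponly"] = True
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie.output(header="").strip()


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    sid = store.login(anon, "student123")       # new ID after authentication
    print("Set-Cookie:", session_cookie(sid))
    print("old id still valid?", store.get(anon) is not None)   # False
    print("Set-Cookie:", logout_cookie())
```

Logging out should call destroy() on the server as well as sending the expiring cookie; clearing only the browser side leaves the server-side session alive until a timeout fires.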

By following these guidelines, users and developers contribute to a more secure digital environment at the University of Oslo, protecting personal data and academic resources.