ACCESS InCommon Identity Provider

The ACCESS InCommon Identity Provider (IdP) at idp.access-ci.org allows ACCESS users to sign in to web sites that are part of the InCommon Federation (including ACCESS web sites) using their ACCESS accounts. This capability is especially useful for users who do not have an existing InCommon IdP provided by their home institution.

When signing in to a service that supports InCommon IdPs, first try using your home institution’s IdP. If that option isn’t available, choose ACCESS from the list of IdPs to sign in with your ACCESS account. Your web browser will be redirected to idp.access-ci.org to complete the sign-in operation. The ACCESS IdP will prompt for Duo authentication. If you are not enrolled with Duo, you will be prompted to set up Duo. As always, you should only enter your ACCESS password on xsede.org sites.

The ACCESS IdP implements optional single sign-on (SSO), meaning that if you have already authenticated at idp.access-ci.org recently, you will not be prompted again for your password. To disable SSO for idp.access-ci.org, check the “Don’t Remember Login” checkbox so that you will be prompted to sign in next time. If you did not check the “Don’t Remember Login” checkbox and would like to be prompted to sign in to idp.access-ci.org, you can do so by clearing your browser cookies for idp.access-ci.org.

The ACCESS IdP conforms to the standards set by the REFEDS Research and Scholarship and REFEDS Security Incident Response Trust Framework for Federated Identity for global interoperability.

The ACCESS IdP releases the following Research & Scholarship (R&S) attributes to all Service Providers (SPs):

  • eduPersonPrincipalName (ePPN)
  • eduPersonTargetedID (ePTID)
  • eduPersonAssurance
  • displayName
  • givenName
  • sn (surName)
  • mail

See InCommon Federation Attribute Overview for more information.

CILogon

ACCESS relies on identity management services provided by CILogon. Please see the CILogon privacy policy for details.

This site is maintained by CILogon for ACCESS.

This material is based upon work supported by the National Science Foundation under Grant No. 2138307. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

Google Tag Manager

We may collect information such as how the Service is used, and how and what tags are deployed. We may use this data to improve, maintain, protect and develop the Portal, but we will not share this data without your consent.

In order to monitor and provide diagnostics about system stability, performance, and installation quality, Google Tag Manager may collect some aggregated data about tag firing. This data does not include user IP addresses or any measurement identifiers associated with a particular individual. Other than data in standard HTTP request logs, all of which is deleted within 14 days of being received, and diagnostics data noted above, Google Tag Manager does not collect, retain, or share any information about visitors to our customers’ properties, including page URLs visited. Learn more about our use of Google Tag Manager data in Google's terms of service for details.

Google reCAPTCHA Privacy Policy

Our primary goal is to provide you an experience on our website that is as secure and protected as possible. To do this, we use Google reCAPTCHA from Google Inc. (1600 Amphitheater Parkway Mountain View, CA 94043, USA). With reCAPTCHA we can determine whether you are a real person from flesh and bones, and not a robot or a spam software. By spam we mean any electronically undesirable information we receive involuntarily. Classic CAPTCHAS usually needed you to solve text or picture puzzles to check. But thanks to Google’s reCAPTCHA you usually do have to do such puzzles. Most of the times it is enough to simply tick a box and confirm you are not a bot. With the new Invisible reCAPTCHA version you don’t even have to tick a box. In this privacy policy you will find out how exactly this works, and what data is used for it.

What is reCAPTCHA?

reCAPTCHA is a free captcha service from Google that protects websites from spam software and misuse by non-human visitors. This service is used the most when you fill out forms on the Internet. A captcha service is a type of automatic Turing-test that is designed to ensure specific actions on the Internet are done by human beings and not bots. During the classic Turing-test (named after computer scientist Alan Turing), a person differentiates between bot and human. With Captchas, a computer or software program does the same. Classic captchas function with small tasks that are easy to solve for humans but provide considerable difficulties to machines. With reCAPTCHA, you no longer must actively solve puzzles. The tool uses modern risk techniques to distinguish people from bots. The only thing you must do there, is to tick the text field “I am not a robot”. However, with Invisible reCAPTCHA even that is no longer necessary. reCAPTCHA, integrates a JavaScript element into the source text, after which the tool then runs in the background and analyses your user behaviour. The software calculates a so-called captcha score from your user actions. Google uses this score to calculate the likelihood of you being a human, before entering the captcha. reCAPTCHA and Captchas in general are used every time bots could manipulate or misuse certain actions (such as registrations, surveys, etc.).

Why do we use reCAPTCHA on our website?

We only want to welcome people from flesh and bones on our side and want bots or spam software of all kinds to stay away. Therefore, we are doing everything we can to stay protected and to offer you the highest possible user friendliness. For this reason, we use Google reCAPTCHA from Google. Thus, we can be pretty sure that we will remain a “bot-free” website. Using reCAPTCHA, data is transmitted to Google to determine whether you genuinely are human. reCAPTCHA thus ensures our website’s and subsequently your security. Without reCAPTCHA it could e.g. happen that a bot would register as many email addresses as possible when registering, in order to subsequently “spam” forums or blogs with unwanted advertising content. With reCAPTCHA we can avoid such bot attacks.

What data is stored by reCAPTCHA?

reCAPTCHA collects personal user data to determine whether the actions on our website are made by people. Thus, IP addresses and other data Google needs for its reCAPTCHA service, may be sent to Google. Within member states of the European Economic Area, IP addresses are almost always compressed before the data makes its way to a server in the USA.
Moreover, your IP address will not be combined with any other of Google’s data, unless you are logged into your Google account while using reCAPTCHA. Firstly, the reCAPTCHA algorithm checks whether Google cookies from other Google services (YouTube, Gmail, etc.) have already been placed in your browser. Then reCAPTCHA sets an additional cookie in your browser and takes a snapshot of your browser window.

The following list of collected browser and user data is not exhaustive. Rather, it provides examples of data, which to our knowledge, is processed by Google.

  • Referrer URL (the address of the page the visitor has come from)
  • IP-address (z.B. 256.123.123.1)
  • Information on the operating system (the software that enables the operation of your computers. Popular operating systems are Windows, Mac OS X or Linux)
  • Cookies (small text files that save data in your browser)
  • Mouse and keyboard behaviour (every action you take with your mouse or keyboard is stored)
  • Date and language settings (the language and date you have set on your PC is saved)
  • All Javascript objects (JavaScript is a programming language that allows websites to adapt to the user. JavaScript objects can collect all kinds of data under one name)
  • Screen resolution (shows how many pixels the image display consists of)

Google may use and analyse this data even before you click on the “I am not a robot” checkmark. In the Invisible reCAPTCHA version, there is no need to even tick at all, as the entire recognition process runs in the background. Moreover, Google have not given details on what information and how much data they retain.

How long and where are the data stored?

Due to the integration of reCAPTCHA, your data will be transferred to the Google server. Google have not disclosed where exactly this data is stored, despite repeated inquiries. But even without confirmation from Google, it can be assumed that data such as mouse interaction, length of stay on a website or language settings are stored on the European or American Google servers. The IP address that your browser transmits to Google does generally not get merged with other Google data from the company’s other services.
However, the data will be merged if you are logged in to your Google account while using the reCAPTCHA plug-in. Google’s diverging privacy policy applies for this.

How can I delete my data or prevent data storage?

If you want to prevent any data about you and your behaviour to be transmitted to Google, you must fully log out of Google and delete all Google cookies before visiting our website or use the reCAPTCHA software. Generally, the data is automatically sent to Google as soon as you visit our website. To delete this data, you must contact Google Support at https://support.google.com/?hl=en-GB&tid=111401120.

If you use our website, you agree that Google LLC and its representatives automatically collect, edit and use data.

You can find out more about reCAPTCHA on Google’s Developers page at https://developers.google.com/recaptcha/. While Google do give more detail on the technical development of reCAPTCHA there, they have not disclosed precise information about data retention and data protection. A good, basic overview of the use of data however, can be found in the company’s internal privacy policy at https://policies.google.com/privacy?hl=en-GB.