OpenID Connect at CSAIL

As of July 1, 2018, CSAIL will longer use client-side web certificates for authentication to web applications and sites.

If you’ve been around MIT - more especially at CSAIL - for a while, you have probably become accustomed to using “web certificates” as a way to log yourself into the various Web-based applications around campus, like Atlas, Peeps, and many other popular sites. MIT adopted the use of web certificates in 1996 to allow its community a way to log into many different sites without having to remember a username and password for each site.

Fast forward a decade or so, and a new kind of central login method was adopted at MIT: Touchstone, which not only allowed users to use web certificates, but also allowed them to use their Athena username and password, or even existing Kerberos tickets (see for more info).

Fast forward another decade, and CSAIL has adopted the next generation login system: OpenID Connect, or OIDC. MIT central campus also has a pilot program for OIDC; however, they are less motivated to get it integrated into campus applications because they already have Touchstone. CSAIL has been highly motivated to roll out OIDC because in the very near future, major web browser vendors like Mozilla and Google will end support for web certificate authentication in their browsers. In fact, OIDC at CSAIL has replaced web certificates entirely for client authentication.

On May 2, 2016 GarrettWollman gave a presentation (pdf slides here) on the situation, which was followed by an open half-hour discussion.

What is OpenID Connect?

There’s a technical description of OIDC you can read at if you want to know all the details, but in short, OIDC is a service that we run at CSAIL on our own servers that allows you to authenticate to services like WebDNS, DHREG, the CSAIL website, and many more, by using your CSAIL Kerberos account.

You no longer need to obtain certificates every year or worry about which one(s) you have in your browser. You can also use pretty much all the modern browsers.

Using OpenID Connect

Most of the time, OIDC is relatively transparent to you. You will use OIDC when you visit a secure CSAIL website that previously used CSAIL certificates. When you first visit a secure CSAIL website, you are temporarily redirected to the OIDC server.[1] There you will simply enter your CSAIL username and password and click “Login”. You are then returned and logged into the secured website.

OIDC for developers and web admins

If you are the administrator of a CSAIL website that currently uses CSAIL certificates, this is how to transition your current CSAIL Certificate authenticated website to OIDC. Websites and services that are not transitioned by the July 1st expiration will fail closed.

See Restricting access with OIDC and .htaccess on CSAIL webservers

Configuring browsers to use Kerberos (advanced)

If you're on a system where you regularly get CSAIL Kerberos tickets already -- like a CSAIL Ubuntu workstation -- then you may find it convenient to use your existing tickets to log in to authenticate.


Firefox supports this out of the box, but it requires a bit of extra configuration. You'll need to go to about:config (if you haven't done this before, Firefox will ask you if you really want to) and set the preference network.negotiate-auth.trusted-uris to as shown in the example below: firefox-negotiate.png

If your system is particularly weird, you might also have to set network.negotiate-auth.using-native-gsslib and/or network.negotiate-auth.gsslib -- ask TIG to help you with these settings if just setting trusted-uris doesn't work.

Note: We haven't found a way to make Firefox use Kerberos on Windows reliably. The procedure described above works for Firefox on other operating systems with official Firefox binary packages.


Whether Safari supports Kerberos authentication depends on the version of macOS and Safari you have. Kerberos login to OIDC has been confirmed to work automatically in Safari 10.1 on Yosemite and newer macOS releases, with no special configuration.

Chromium/Google Chrome

As with Firefox, Chrome requires that domains be explicitly permitted to use Kerberos authentication. Furthermore, on Windows, Chrome uses the system SSPI libraries and not the MIT Kerberos for Windows or AuriStor? Heimdal libraries which you may already have installed. How to configure Chrome policies unfortunately also varies across the three platforms.

Internet Explorer and Edge

We haven't tried this yet, and we're not sure that it will work at all unless you are using a machine joined to the AD.CSAIL.MIT.EDU Windows domain.

[1] Your first time authenticating to a webserver, you will first will need to authorize it. You will only need to do this once per webserver. For example, after authorizing the first time, any website on will not require authorization.

Topic attachments
I Attachment Action Size DateSorted descending Who Comment
firefox-negotiate.pngpng firefox-negotiate.png manage 28.9 K 05 Oct 2017 - 02:46 GarrettWollman Screenshot of Firefox about:config settings for Kerberos authentication
May_2_OIDC_presentation.key.pdfpdf May_2_OIDC_presentation.key.pdf manage 129.4 K 02 May 2016 - 21:29 GarrettWollman slides from 2016-05-02 presentation
Topic revision: 11 Jun 2018, JasonDorfman

MIT Computer Science and Artificial Intelligence Laboratory


  • About CSAIL
  • Research
  • News + Events
  • Resources
  • People

This site is powered by Foswiki MIT: Massachusetts Institute of Technology