Recommendations for secure login
Logging in to a service that uses federated authentication typically proceeds as follows:
1. The user selects their home institution (JDU, PL: UJD) from the list.
2. The service page redirects to the website of the JDU Central Login Point.
3. The user logs in at the JDU Central Login Point.
4. The JDU Central Login Point asks the user for consent to transfer the attributes required by the Service to the Service.
5. If the user agrees, they are redirected to the Service and logged in; if they do not agree, the login does not take place.
If the user has already logged in to the JDU Central Login Point, steps 2 and 3 are performed automatically.
The user should always confirm the authenticity of the JDU Central Login Point website by checking that the address shown in the browser starts with https://login.ujd.edu.pl and that the browser shows the secure-connection symbol. A different address indicates a forgery attempt: under no circumstances should the user log in to such a website; instead, they should report the whole matter to the JDU administrators.
Using external services that call the UJD login page carries a potential risk: a fake service can redirect the user to a fake login page and thus phish their ID and password.
One way to ensure a high level of security is to log in to the JDU Central Login Point in advance. Until the user logs out or closes their browser, they should be automatically allowed to access all services available to them. In such a situation, the appearance of the login page should be treated as an alarm signal. The service may request the user to sign in again, but this is unusual. It is therefore essential to check the authenticity of the login page.
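The address check described above, as an added example that is not part of the original page or of any JDU system: it parses the address and compares the scheme and host exactly, because a plain "starts with" comparison is also satisfied when the expected text is only the beginning of a longer host name or sits before an @ sign. The function name, the path in the first sample and all sample addresses are assumptions constructed for illustration.

```javascript
// Added example: strict check that an address belongs to the
// JDU Central Login Point. Only the expected scheme and host come
// from the page; every sample address below is constructed.
const EXPECTED_HOST = "login.ujd.edu.pl";

function checkLoginAddress(address) {
  let url;
  try {
    url = new URL(address); // rejects relative or malformed input
  } catch {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "connection is not HTTPS" };
  }
  // Text before an "@" is user info, not the host the browser contacts.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "address contains user info before the host" };
  }
  // The parser lowercases the host; compare it in full, not by prefix.
  if (url.hostname !== EXPECTED_HOST) {
    return { ok: false, reason: "host is " + url.hostname };
  }
  if (url.port !== "") { // empty string means the default HTTPS port
    return { ok: false, reason: "unexpected port " + url.port };
  }
  return { ok: true, reason: "host and scheme match" };
}

// Constructed sample addresses (example.net is a reserved test domain).
const SAMPLES = [
  "https://login.ujd.edu.pl/sample/path",
  "https://LOGIN.UJD.EDU.PL/",
  "http://login.ujd.edu.pl/",
  "https://login.ujd.edu.pl.example.net/",
  "https://login.ujd.edu.pl@example.net/",
  "login.ujd.edu.pl",
];

function checkSamples() {
  return SAMPLES.map((a) => ({ address: a, ...checkLoginAddress(a) }));
}

for (const r of checkSamples()) {
  console.log((r.ok ? "OK     " : "REJECT ") + r.address + "  (" + r.reason + ")");
}
```
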
Date added: 23 September 2024