• I forgot my password or lost my login key. How should I proceed?

  Follow the instructions at https://www.vut.cz/cis/navody/vut-login.

• Why did the Apollo login dialog have to change?

  This is a long-term process of migrating individual VUT systems to a unified authentication environment. Support for logging into Apollo via unified login has been available since the beginning of 2025 as an alternative option. From February 2026, the unified login method will be the primary one. However, the original login method will remain available for a limited time under the arrow next to the database selection field.

• What does the change in the login dialog mean for me?

  There are no restrictions associated with the change of the Apollo login dialog. On the contrary, thanks to this change, you will get better integration of Apollo with VUT web applications and you will not have to log in to each part of VUTIS separately.

• Why is the option to log in to Apollo using the original dialog still preserved?

  Connecting Apollo to the unified login system is a technically relatively complicated matter, which, despite extensive testing and a long trial operation, may in specific and exceptional cases require the original login method. For these extraordinary situations, the original login method remains available.

• When working with internal applications (Intraportal, Studis, Teacher, etc.), I feel like I have to log in too often.

  Although individual parts of VUTIS are connected to the unified login system, each module has a timer set for security reasons that forces a re-login after 4 hours of inactivity in the respective module/application. Each application/module counts inactivity time separately. In practice, this means that, for example, activity in the Teacher application does not extend the inactivity timer in Intraportal, and if you return to work in Intraportal after **4 hours** of inactivity, you will be prompted to log in again.

  The necessity of repeated verification after a certain period of inactivity is an obligation resulting from the Decree on Cybersecurity (and related decrees), which applies in particular to those parts of the IS where actions related to the exercise of public authority are performed.

  If you use multi-factor authentication and confirm during login that you are working on your own device (option "device is intended exclusively for you"), the validity of your login will be extended to **72 hours**. (Note: This function is being introduced to the VUTIS system gradually and may not be available in all modules yet.)

• After logging in, I am offered a dialog allowing confirmation that I am on my own/trusted device. What is its significance?

  If no one else works on the device and it is simultaneously secured by other elements, you can increase your work comfort by approving this dialog, extending the time you remain logged in on the device without the need to re-enter authentication credentials. The default time for re-entering authentication credentials increases to 72 hours.

  Use this option only if the device is secured by other elements such as automatic screen locking after a certain period of inactivity.
  
  

• What technologies is the authentication infrastructure built on?

  The authentication infrastructure is developed internally with an emphasis on using proven Open Source components. The entire system runs on PHP and Nette Framework, using Composer for dependency management. Key libraries ensuring login include SimpleSAMLphp and thephpleague/oauth2-server.
  Data is stored in the Oracle system (as in the entire VUTIS), while high availability and robustness are ensured by the Redis in-memory database. The system core is released under the GPL license and is publicly available on GitHub.

Multi-factor authentication represents a key security element protecting the account from misuse. Setting up multi-factor authentication will also bring you increased comfort when working in the VUTIS environment. These are the following benefits:

• You will be able to fully utilize authentication mechanisms based on biometric verification, such as Windows Hello or FaceID.
• The period for regular password change is extended from 18 months to 5 years.
• The "I am on my/trusted device" dialog, which extends the time for re-entering login credentials.
• It is a legal requirement resulting from the Act on Cybersecurity and related decrees (Decree No. 409/2025 Coll.).

Below you will find an overview of supported multi-factor authentication methods and recommendations for their use.

• Where can I set up account security via multi-factor authentication?

  In the My Account application at https://id.vut.cz/my-account/mfa

• Which multi-factor authentication method should I use?

  We primarily recommend using security via biometric verification or security keys, i.e., methods based on the WebAuthn standard. This is the most comfortable and secure authentication method. However, currently not all devices support this method, so it is necessary to also have a method based on one-time codes (TOTP) set up.

  We recommend using biometric verification or USB keys as the primary security method and TOTP verification codes as a backup method.

• Which application should I use for verification codes?

  The verification code mechanism is based on the RFC 6238 standard, so it is possible to use any application supporting this standard. Examples of such applications are Microsoft Authenticator or Google Authenticator.

• Multi-factor authentication settings are not available to me - where is the problem?

  The option of multi-factor authentication is being gradually activated at https://id.vut.cz/my-account/mfa for individual faculties and components during the first half of 2026. A condition for activation is the designation of persons responsible for the administration of authentication means at the respective faculty or component.

Technically, the VUT authentication infrastructure is implemented over the OpenID Connect/OAuth 2.0 standard. In case it is not possible to use the OpenID Connect/OAuth standard, the SAML 2 protocol can be used alternatively.

• Where can I find configuration data for connecting my own system or application?

  OpenID Connect/OAuth2 - configuration data
  Configuration data is available at

  https://id.vut.cz/auth/.well-known/openid-configuration

  We strongly recommend implementing dynamic loading of endpoint addresses for OIDC/OAuth2 (for custom implementations) from metadata and automatic downloading of public keys when using ID Token from OIDC

• Is there a sample integration implementation?

  Yes, CIS has prepared a sample PHP client (SP) to simplify the connection of PHP applications to the authentication service.

• How to proceed to connect my own system or application?

  Connecting an application is a service of the Infrastructure Department according to the catalog of services. It is necessary to request the inclusion of the application via the request system. For most cases of application connection, it is possible to use the pre-approved cover sheet and approval of the request by the relevant system integrator or faculty network administrator is sufficient. Always state the following in the request:

  • application name (under this name, the application will appear in the login overview),
  • requested scope of passed attributes (scopes) according to the supported list and description,
  • application address (URL) for redirection after successful authentication (redirect_uri).

• When connecting an external application to unified login, we would need a suitable unique person identifier; which is the most suitable to use?

  In general terms, for person identification, we recommend using the numerical person identifier - VUT personal number (internally referred to as PER_ID). It is a numerical person identifier assigned to all students, employees, external workers, and others upon first contact with VUT. The identifier remains unchanged regardless of changes in surname, gender, or other parameters. Each physical person has exactly one VUT personal number assigned.

  We strongly advise against using an e-mail address for person identification, as this identifier can change repeatedly during the existence of the account.

• Is it possible to use connection via SAML2, where can I find the relevant metadata?

  If it is not possible to use the OIDC standard, it is possible to use connection via the SAML2 standard. All data is available in the metadata file (https://id.vut.cz/saml/.well-known/metadata.xml). Passed attributes can be verified via the service https://attributes.eduid.cz/.