Home - LSSTDESC/slac-authentication-transition GitHub Wiki
2024 SLAC Authentication Transition Documentation.
SLAC has changed how we authenticate into web applications such as SLAC Confluence and PubDB. Starting Monday, November 4, 2024 at 6 a.m. Pacific, everyone will be required to use federated login to access SLAC Confluence and PubDB.
If you have not yet either completed the SLAC invitation process described below or set up a SLAC Windows account, action is required to regain access to the DESC space on SLAC Confluence. Read on to obtain information about how to proceed.
FAQ
Please see this FAQ which attempts to cover common questions.
Types of Accounts to Access SLAC Resources
Most DESC members had an "External SLAC Crowd Account", which allowed you to authenticate to access SLAC Confluence and PubDB. These accounts do not grant access to SLAC computing resources.
DESC members who are associated with other projects, including Rubin Operations, USDF, commissioning, the LSST camera team, etc., may have a SLAC Unix account and/or a SLAC Windows Single Sign On (SSO) account.
If you have a SLAC Unix and/or Windows account, please see this page for SLAC Computing Accounts.
External SLAC Crowd Accounts
"External SLAC Crowd Account" users will be transitioning to use federated login, meaning you will be using credentials you have with your home institution, or another institution that has granted you credentials already.
All DESC members with External SLAC Crowd Accounts should have received an invitation email from SLAC IT, which will walk you through the process of registering for federated login and linking your identity at SLAC with your credentials at another institution. This email will guide you through a series of web forms to register with the new SLAC Identity Portal and associate your SLAC Crowd identity with an institutional federated identity that you have credentials to use. This could be your home institution or another institution where you have an account.
To reduce the chances of missing this email, please do the following:
- Whitelist the domain slac.stanford.edu in your email application
- Search for email with the subject: "Action needed to continue accessing SLAC resources"
- If you did not receive or cannot find this email from SLAC IT or communication from DESC Operations Management by Monday, October 28, 2024, and know that you do not have a SLAC Computing account (see below), please reach out on Slack #desc-help or send email to [email protected].
Once you receive the email invitation, please follow the instructions carefully. If at any time you have questions, reach out on #desc-help or via email to [email protected].
Detailed Instructions for handling the SLAC Invitation email
Step 1
This step is a test to see whether you have access to an "identity provider" that is acceptable to SLAC. If you have a SLAC Computing account, you would use SLAC as your identity provider. Most DESC members do not have a SLAC Computing account; they have external SLAC Crowd accounts and would not use SLAC as their identity provider. Without a SLAC Computing account, you should find an institution where you have an account. See the text box at the bottom of the page, where it says "Enter Identity Provider Here". This institution will most likely be your home institution, but it could be another institution that you are associated with.
Please note, it is very tedious to work with the drop-down menu of identity providers. Try using the text search if possible.
- If you cannot find your institution, you will be directed to Step 3. Please also inform DESC by sending email to [email protected] or on Slack #desc-help.
- If you find your institution, select it, and try to log in with your institutional credentials. Use your institution username.
  - If your login is successful, you will see a "Congratulations!" message on the web form.
  - Click the Continue button.
  - If your SLAC-recognized federated institution does not provide the set of attributes required to authenticate with SLAC, you will see an error message, followed by an example email to send to your institution's IT department.
While we believe the improved error handling in the SLAC IT invitation process will help identify all error conditions, it is possible there will be other problems completing the invitation process that we have not yet accounted for. If your institution appears in the list of identity providers and you are able to log in with your credentials, but encounter an error during Step 1 and/or Step 2, please reach out on Slack #desc-help or [email protected], provide the full error message, and do not proceed to Step 3. It is possible the problem is due to your federated institution's identity provider - see here.
If you do not receive an error when logging into your SLAC-recognized federated institution and you click Continue, an email from the SLAC Identity Portal will be sent to you with the subject: "Invitation to join SLAC Identity Portal".
This is the beginning of the second part of Step 1, where you register with the SLAC Identity Portal.
The email with the subject "Invitation to join SLAC Identity Portal" will include a web link that you should click to open another web form.
Please note - this link expires when it is clicked; you can only visit this link once.
You must complete all of the following steps, through clicking the "Submit" button. Otherwise, the process is aborted and we have to ask SLAC IT to reset your SLAC Identity Portal registration.
- Click Accept, then continue and agree to the SLAC "Terms and Conditions" by doing the following:
- Click "Review Terms and Conditions"
- Click "I Agree"
- Click "Submit"
When you have completed this step successfully you should see (if you do not see this screen, something has gone wrong):
Once you click Submit and see the "Thank you for accepting the invitation" message, you will receive another email from the SLAC Registry Service confirming your initial registration has been completed and you will be told to complete Step 2 (rename).
Step 2 Rename Confluence/Jira Username to Federated Username
The instructions for Step 2 are in the very first email you received, the SLAC Invitation with the subject: "Action needed to continue accessing SLAC resources".
If you were successful in logging into your institution using your credentials in Step 1 OR have a SLAC Windows account, you will move on to Step 2, which is another link to a web form. This web form will rename your SLAC Confluence username to match the username associated with whatever credentials you used to successfully perform the federated login you completed in Step 1 OR to your SLAC Windows username.
This step requires that you know your external SLAC Crowd account username and password. If you do not know your external SLAC Crowd username, please check this spreadsheet. If you need to reset your SLAC Crowd password, please send an email to [email protected].
If you see the error message "You have not yet registered with the SLAC Identity Portal.", please go back to Step 1 and make sure you complete both parts of that step. There are two web links to follow and complete in Step 1.
When you click the web link for Step 2, you will open a web form.
- Check to see if your federated institution username appears to the right of "Your New Username" or if you see "Login to an Identity Provider"
- If you see "Login to an Identity Provider", click it and log into your federated institution using the same username and password you used for Step 1.
- To the right of "SLAC Confluence/Jira Existing Password" you should see your old SLAC external Crowd/Confluence username; if not, type it in.
- Next, provide the password associated with your old SLAC external Crowd/Confluence username. This should be the last time you will need this account. If you have forgotten your old external SLAC Crowd/Confluence username or password, please email [email protected] and [email protected].
- Click "Change Username" at the bottom of the form.
- Please wait one full minute for the rename process to complete.
If you get to this point - you are done! No need to move on to Steps 3 or 4.
You have registered your institutional credentials with SLAC and from now on, you will be using those credentials to log into SLAC Confluence and PubDB. See these instructions that explain how you will be logging into SLAC web applications from now on.
Step 3 Non-Federated Registration - Only move on to this step if you were unable to successfully complete Steps 1 and 2.
This process is changing. The new procedure should be available the week of April 21, 2025. Please reach out to [email protected] with any questions.
If you were not able to find a federated login that is acceptable to SLAC, you will need to register for a SLAC Computing account. There will be a web link in the first email you received that is used to initiate this process.
There is documentation available to help those applying for SLAC Computing accounts.
Once you obtain a new SLAC Computing Account you will need to return to Step 4 to "rename" your old SLAC Confluence/Crowd account to your new SLAC credentials.
Step 4: Rename Confluence/Jira Username to SLAC Username - Only do this if you completed Step 3
Once you have been assigned a SLAC username, which would be created in Step 3, click the link under Step 4 in your original SLAC Invitation email to use your Invitation ID to rename your old SLAC Confluence/Jira username to your new SLAC username.
When you click the web link for Step 4, you will open a web form.
- Check to see if your new SLAC username appears to the right of "Your New Username" or if you see "Login to an Identity Provider"
- If you see "Login to an Identity Provider", click it, choose SLAC, and provide your new SLAC account username and password.
- To the right of "SLAC Confluence/Jira Existing Password" you should see your old SLAC external Crowd/Confluence username; if not, type it in.
- Next, provide the password associated with your old SLAC external Crowd/Confluence username. This should be the last time you will need this account. If you have forgotten your old external SLAC Crowd/Confluence username or password, please email [email protected] and they will send you a new temporary password.
- Click "Change Username" at the bottom of the form.
- Please wait one full minute for the rename process to complete.
Logging into SLAC Confluence using your Federated Identity
If you are a SLAC Computing account holder - please see these instructions instead, otherwise read on.
Once you complete the invitation process, you should test logging into SLAC Confluence and PubDB using your federated identity credentials.
Please be aware that PubDB is updated 6 times a day with the new usernames so that DESC members can log in. Please wait a few hours and then try to log into PubDB.
When you visit a SLAC web application such as the DESC space in SLAC Confluence and click "Log in", you will see a login screen:
Find your institution by using the text box at the bottom where it says "Enter Identity Provider Here", click the institution's name and provide your credentials. You will use the same username and password you would normally use at your institution.
If all is well, you should be logged into SLAC Confluence and see your username displayed in the top right of the screen.