FAQ - LSSTDESC/slac-authentication-transition GitHub Wiki
Why is SLAC implementing this change in authentication?
To bring SLAC in alignment with the Department of Energy’s Zero Trust Architecture initiative, SLAC is expediting efforts to augment the security of its Confluence, Jira, and other research-specific applications.
When will we be required to use federated login at SLAC?
Starting at 6a Pacific, Monday, November 4, 2024.
What if I do not have a SLAC-recognized federated identity?
In this case, you will be directed to apply for a SLAC Computing Account (Step 3 in the SLAC invitation email). In the near future, SLAC IT plans to provide an IDentity Provider (IDP) of Last Resort, which should make it much easier for DESC members to sign up to access SLAC Confluence and PubDB.
Can I use my NERSC credentials to do federated login at SLAC?
No, NERSC credentials are not an acceptable federated identity.
I have credentials from more than one institution, can I use any of them to do federated login at SLAC?
If you have SLAC credentials (a SLAC Windows Single Sign On account), you need to use those to do SLAC federated login. SLAC will only allow you to register one set of credentials. If you do not have SLAC credentials you can register any SLAC-recognized federated identity you have access to. Once you register those credentials with SLAC during this transition, you will need to continue using those same credentials any time you need to authenticate to for SLAC Confluence and/or PubDB.
What if I change institutions and I lose the credentials I registered with SLAC for federated login?
SLAC IT is developing a procedure to manage updating your credentials for SLAC federated login. More information will be made available as soon as possible.
My institution is interested in becoming federated, what should I do?
SLAC is not in a position to guide you through the process of registering your institution, but we invite you to refer to the Research and Education FEDerations (REFEDS) website which lists the Federation contacts for many jurisdictions around the world.
I have a SLAC Unix account - why can't I just use that, why do I need a SLAC Windows Single Sign On (SSO) Account?
While most DESC members currently have "external SLAC Crowd accounts" and are transitioning to use federated identity authentication to log into SLAC web applications, some DESC members have SLAC Unix accounts. If you do not know if you have a SLAC Unix account, then you probably do not.
For those of you who have SLAC Unix accounts: SLAC is in transition. The SLAC Unix and Windows accounts are completely separate. SLAC Unix accounts will ultimately be removed and those of us with authorization to use SLAC computing resources will use the SLAC (Windows) SSO accounts to access all SLAC resources. One of the steps to that end includes this transition to require SLAC Windows SSO accounts to access SLAC web applications like SLAC Confluence and PubDB.
Anything I can do to help with during this transition?
Thanks for asking! There are a number of things you can do:
- If you have successfully navigated the process of either registering your federated identity, please consider reaching out to local colleagues at your institution to see if they need any help.
- If you see some common failure modes or find that your particular institution is not "federated", please list all the DESC members at your site that are impacted and reach out on Slack #desc-help or via email to [email protected].