SLAC SSO (Single Sign On) Windows Accounts - LSSTDESC/slac-authentication-transition GitHub Wiki

Managing a SLAC SSO (Single Sign On) Windows account

  • SLAC’s Password Policy indicates that accounts will be deactivated if there are no logins over 60 days.
    • SLAC Unix and SLAC SSO (Windows) accounts are completely separate, as are their passwords.
    • Logging into Confluence or PubDB counts as a Windows login.
    • Please log in at least once every 60 days, otherwise you will need to contact SLAC IT to get your account reactivated.
    • An email reminder will be sent with the subject line: "ACTION REQUIRED: Log in to your SLAC account"
  • Annual SLAC CyberSecurity training is required.
    • An email reminder will be sent to you with the subject line: "Cyber Training Coming Due"

Please note that SLAC will use the email they have on record, which is not necessarily the same as the email you have stored in the DESC member database. If your email changes, it is important to alert SLAC IT Help.

What to do if your Windows account is deactivated or your password needs to be reset

The easiest path is to call the SLAC IT Service Desk at (650) 926-4357 (HELP), open 7a - 6p Pacific, Monday through Friday. SLAC IT will re-enable your account and provide you with a temporary password over the phone. If you cannot call SLAC IT, please open a ticket with SLAC IT Help by using this web form. You will not be able to log in, but you can submit the ticket as a guest. In your message, note that you are an LSST DESC member and provide your username. If you are unable to get a response from SLAC IT, please post on Slack #desc-help or send email to [email protected]. DESC Operations will open a ticket for you with SLAC IT to re-activate your account.

If you call the SLAC IT Service Desk, they may require some identification to prove your identity. Some options to prove your identity include:

  • SLAC ID badge or another form of picture ID
    • You can request to schedule a Zoom with SLAC IT to show them your identification, rather than sending an image of your document.
  • Stanford email
  • Non-SLAC email listed in the PeopleSoft portal
    • This email is not necessarily the same as the email stored in the DESC membership database
  • DUO Push
    • This is the two-factor authentication application SLAC uses and should have been set up when you created your SLAC Windows SSO account. Details, including the phone number you can call, are on this page: "Unlocking your SLAC account"

If handling the SLAC Windows account reactivation via a ticket, once SLAC agrees to re-enable your account:

  • SLAC IT will send you a "secure email" which is a bit tricky to handle. When sent outside of SLAC the message is encrypted and sent as an attachment. "The recipient must open the message and enter the password that they created when they registered their email address with the Proofpoint Encryption Service." Details here.
    • This password to read the email has nothing to do with your SLAC Windows or Unix account; it is strictly a password used to read these "secure email" messages from SLAC.
    • You will know the message is a "secure email" if you see "Secure" in the subject line.
    • The temporary password provided is valid until 5am Pacific the morning after it is sent. If you are unable to log into your SLAC Windows SSO account in that time, we will have to ask SLAC IT to re-enable your Windows account and send a new temporary password.

Setting up a Second Factor Device in Duo

To set up your YubiKey for FIDO2/WebAuthn or the Duo Mobile app in SLAC Duo, browse to any website that requires SLAC single sign-on, for example SLAC Confluence. If you are adding a new device and have previously selected "Remember Me" in your browser, you will need to clear your cookies for the DUO site or start in an incognito/private window to be sure that you are presented with the Duo UI.

Setting up your First Device in Duo Self Service Portal (Webauthn/Duo Mobile)

If you do not have an existing device for SLAC Duo, you will be presented with a series of pages introducing Duo and its importance to safe computing. You can review and continue through these pages. When these are complete, you will be asked to choose which type of second-factor device to enroll.

Setting up Duo Mobile in Duo Self Service Portal

After navigating through Duo to the UI for adding a device, you will be presented with a dialog to choose a multi-factor device to enroll. Select "Duo Mobile".

You will then be prompted to send a link to your phone to download the Duo Mobile application. If you select "I have a tablet," you will receive a dialog message instead of a text message to a phone.

Once you proceed, you will be given a QR code to complete your account configuration.

To complete the setup, you will be asked to respond to a push notification.

Setting up an Additional Device in Duo Self Service Portal (Webauthn/Duo Mobile)

Step 1) Visit SLAC Confluence using an incognito/private window.

Step 2) You can access the Duo Self-Service Portal by selecting "Other options" in the dialog if Duo has already remembered a second factor preference for you. Select the "Manage Devices" option that appears at the end of the list of your registered devices. You will be asked to verify your authentication with a strong MFA option before proceeding.

Step 3) You will be presented with a portal to manage your devices. Select the tile to add a new multifactor device.