By Louis Pelosi

What is Federated ID and what does it provide?

  • Federated ID is a method by which one can authenticate to various Web pages or services using a single set of credentials (e.g., BNL or CERN accounts). As users of the SDCC, you are already doing this using the SDCC Identity Provider (your Kerberos account(s) and password(s) along with a second factor). Federated IDs, however, offer the possibility to merge multiple identities and map them into one single user.
  • COmanage registry is the core infrastructure component that will combine multiple Identity Providers (IDPs) into a single identity. The end goal is for users to be able to access protected pages with their CERN account, their SDCC account(s), their BNL account, etc., from a list of approved IDPs, but appear as the same identity to all SDCC services.
  • This system will also later provide tokens issued at CILogon. Tokens are the new method for Grid and Cloud authentication. In other words, once the registry is in place, we will be able to transition most services to authenticating with tokens instead of Grid Proxies. Please note that this will not affect your “ssh” interactive login; at first, it will affect only access to Web / HTTPS-based services (such as Mattermost, Drupal, etc.).

Which services will be affected and which will not?

  • SSH and JupyterHub access will not be affected by this. This feature will eventually encompass many web-based services and others.
  • Currently, the only services that you will see affected by this service are Mattermost and Drupal. However, more web services will be added to this list in the future, and enrolled people will be notified.

What is the timeline/deadline?

  • Initial user access was provided in March 2023. As of this date, the only services that users can manage are log-ins to SDCC-managed Drupal sites and SDCC-managed Mattermost.
  • Users are also able to begin connecting accounts such as SDCC user login and BNL Active Directory login, so that if you are authenticated using either, you will be able to access the same services seamlessly.
  • Identity Providers (IDPs) such as CERN, InCommon, and DESY will be added to this list in future updates.

Where can I get general assistance with this service?

Is this something all users need to do to access BNL servers now?

  • This service is currently (03/2023) being used only to group IDPs for use with SDCC-managed Mattermost and Drupal services. All other services are currently unaffected by this change.

Is this so users with computer accounts with different experiments can use the same user id to log in?

  • This service will link all accounts together so that a single account can be used to access the services that will be utilized by it (as of 03/2023, SDCC-managed Mattermost and Drupal services).

Do I need to make a new user id?

  • No, this service is being used to link current IDPs, not to create new ones.

Is there a way I can check my unique user id that is being linked to all my accounts?

  • Yes, please refer to comanage.sdcc.bnl.gov and click "My Profile" in the top right corner. This will bring you to a section with information on "Identifiers."

Common Issues

  • "I can't log into my SDCC/BNL Active Directory account"
    • Please contact your respective IDP to reset your credentials; this service is not able to reset your credentials for your IDP.
  • "My account is in 'Pending Confirmation' what do I do?"
    • Please make sure you follow all the steps outlined in our instructional document found here: https://www.sdcc.bnl.gov/information/comanage-setup-new-accounts
      If you do not follow all the steps, you will encounter an error and need to restart this process from the beginning. Be sure to check your emails after completing each step.
  • "What is an incognito/private tab?"