This site requires JavaScript to be enabled

Notifications

40 views

Intended for:

DocDB users after single sign-on (including Fermilab Services account) access is enabled on their DocDB


Scenario/Use case:

This article provides instructions for using DocDB after single sign-on (including Fermilab Services account) access is enabled.


Instructions:

DocDB instances can have four versions so they can be accessed by the following four access methods: public (no authentication needed), private (DocDB-specific username/password), certificate (CILogon, CERN, OSG) or single sign-on (including Fermilab Services account). Users can pick an authentication method from their DocDB homepage, which will have a URL similar to https://xyz-docdb.fnal.gov/ and look similar to:

1. Instructions for users who do not want to switch to single sign-on

If you use the public or private (DocDB password) version of DocDB or you use the certificate version with a CERN, OSG or non-Fermilab CILogon certificate, you can continue using those versions as before. No changes or actions are required, unless you wish to switch to using single sign-on.

However, users with Fermilab CILogon certificates cannot opt out of using the SSO version of DocDB and will be automatically redirected to the SSO login page. Once at the SSO login page, they can choose whether to use their Services account username and password or their Fermilab CILogon certificate to gain access.

Using single sign-on has the advantages that you do not have to remember a DocDB-specific password or get/renew a certificate, and you can be a member of multiple groups.

NOTE: CERN, OSG or non-Fermilab CILogon certificate DocDB users: If your certificates expires, is removed or otherwise becomes invalid, you will automatically be redirected to the SSO version of your DocDB. As soon as you renew and load a valid CERN, OSG or non-Fermilab CILogon certificate in your browser, the redirect will stop, and you can continue to use the certificate version of DocDB as you have in the past.

2. Instructions for users who want to switch to single sign-on

You need to have a Fermilab Services account in order to use single sign-on authentication to access a Fermilab-hosted DocDB. Once you have a Fermilab Services account, you can go directly to the single sign-on (SSO) version of your DocDB (if SSO is enabled for your DocDB) by going to your DocDB's homepage (similar to http://xyz-docb.fnal.gov/) and clicking on the "Single Sign-On" link or by following an email or webpage link to the single sign-on version of your DocDB. The SSO version of each DocDB has a URL similar to https://xyz-docdb.fnal.gov/cgi-bin/sso/...

2.1 If you are a private DocDB user:

By default, when you first use single sign-on to access DocDB, you are not a member of any DocDB groups and can view only public documents (unless your DocDB administrator has pre-arranged one or more groups for you).

When you log in to a private DocDB, you are actually logging in as a member of a single DocDB group. When you log in using your single sign-on account, you’ll want to be a member of that same DocDB group so you can access the same documents. You need to apply for your DocDB SSO account to be a member of that same DocDB group if you are not already listed as a member of that group. To check which groups you are a member of and to be added to more groups, follow the instructions under “Checking and adding DocDB groups in the single sign-on version of DocDB” near the bottom of this page.

Besides going directly to the SSO version of your DocDB via the "Single Sign-On" link on your DocDB homepage, you can change a private DocDB URL to an SSO DocDB URL by just changing “private” to “sso”. Below is an example of private and SSO DocDB URLs for the same page:
Private DocDB URL: https://xyz-docdb.fnal.gov/cgi-bin/private/ShowDocument?docid=1234
SSO DocDB URL:     https://xyz-docdb.fnal.gov/cgi-bin/sso/ShowDocument?docid=1234

2.2 If you have a Fermilab CILogon certificate DocDB account:

You will automatically be redirected from the certificate version to the SSO version of your DocDB. The certificate version of each DocDB has a URL similar to https://xyz-docdbcert.fnal.gov/cgi-bin/cert/... 

Your certificate account permissions and settings will automatically be transferred to your SSO DocDB account so you can continue to use the SSO version in the same way as you used the certificate version (including signing documents) without having to apply for access or take any other steps.

2.3 If you have a CERN, OSG or non-Fermilab CILogon certificate DocDB account

Follow these instructions for each DocDB you use: Request a transfer from a certificate account to a Single Sign-On (Fermilab Services) account

This will transfer all your certificate DocDB permissions and settings to your SSO DocDB account. After the transfer, you should use the SSO version of your DocDB going forward. If you used your certificate DocDB to sign documents before, you will need to use your SSO DocDB to sign documents after the transfer.

If you want the certificate version of your DocDB to automatically redirect to the SSO version, you can make this happen by removing the certificate from your browser. When the certificate version of DocDB does not receive a certificate or receives an invalid or expired certificate, it automatically redirects to the SSO version.

2.4 Checking and adding DocDB groups in the single sign-on version of DocDB:

Besides having permissions transferred from a certificate, SSO DocDB users will automatically receive permissions for any Services groups they are members of that their DocDB administrators have associated with groups within their DocDB. For example, for the Computing DocDB, users who are in the Services group "CS Employees" will automatically have permissions from the "cdweb" group in CS DocDB.

To check which DocDB groups you are a member of:

  1. Go to the SSO landing page for your DocDB
    (URL similar to https://xyz-docdb.fnal.gov/cgi-bin/sso/DocumentDatabase)
  2. Click on the "Your Account" button in the navigation box on the left.
  3. On the "Your Account" page, the DocDB groups you are a member of are listed under the heading "Member of Groups". This includes groups from any DocDB account transfer, groups associated with your Services account and groups assigned specifically within DocDB.

   

 

To apply to be added to more DocDB groups than you have been automatically granted:

  1. Go to the SSO DocDB landing page for your DocDB
    (URL similar to https://xyz-docdb.fnal.gov/cgi-bin/sso/DocumentDatabase)
  2. Click on the "Apply to Groups" button in the navigation box on the left.
  3. On the groups application page, select the groups to be added.
  4. In the "Notes" field, type a note identifying yourself and/or explaining why you need to be added to the selected group(s).
  5. Click the "Apply for access" button.
  6. Your request will be emailed to your DocDB's administrators. You will receive an email after they've approved your request, or they will contact you if they have questions or your request cannot be granted.