Single Sign On

From Wikitech
This page is a draft and will be updated as the process for requesting and using YubiKeys is improved in FY2021-2022.


Wikimedia Production Web UIs use Single Sign On (SSO) (via Apereo CAS) for user authentication. The SSO portal is hosted at https://idp.wikimedia.org/login.

Wikimedia Developer Single Sign-On Portal

This page will help you understand what you need to know to log in (AKA authenticate) and use these UIs.

More detailed documentation can be found at CAS-SSO.

What you need

To log in, you'll need

Usually, membership in either the wmf or nda LDAP group will suffice to authorize you to access most UIs. To request membership in an LDAP group, open a Phabricator ticket with the LDAP-Access-Requests tag and specify your Developer Account username and which LDAP group you'd like to be in.

Enabling 2FA using a YubiKey

WMF is gradually securing the SSO login process with 2FA. As of 2021-06, our only supported form of 2FA is a hardware device using Universal 2nd Factor (U2F). WMF ITS will issue YubiKeys for this purpose.

Getting a YubiKey

  1. Figure out which YubiKey product is right for you.
  2. Email ITS at techsupport@wikimedia.org and ask them to send you a YubiKey, linking the product you'd like.
  3. ITS will purchase and ship you a YubiKey.

Using your YubiKey

  1. Open a Phabricator ticket with the LDAP-Access-Requests tag to ask SRE to enable YubiKey authentication.
  2. Once that is done:
    1. Insert your YubiKey into your computer's USB port.
    2. Log out of SSO (if you are already logged in).
    3. Log back in. You will be prompted to enable authentication with your YubiKey.

From here on out, whenever you authenticate to the SSO portal you will be prompted to authenticate with your YubiKey after entering your username and password.

What sites are SSO enabled?

As of 2021-06: