Single Sign On
This page is a draft and will be updated as the process for requesting and using YubiKeys will be improved in FY2021-2022.
This page will help you understand what you need to know to log in (AKA authenticate) and use these UIs.
More detailed documentation can be found at CAS-SSO.
What you need
To log in, you'll need
- A Wikimedia Developer Account (this creates an LDAP account for you).
- Membership in certain LDAP groups.
Usually, membership in either the
nda LDAP group will suffice to authorize you to access most UIs. To request membership in an LDAP group, open a Phabricator ticket with the LDAP-Access-Requests tag and specify your Developer Account username and which LDAP group you'd like to be in.
Enabling 2FA using a YubiKey
WMF is slowly in the process of securing the SSO login process using 2FA. As of 2021-06, our only supported form of 2FA is with a hardware device using Universal 2nd Factor (U2F). WMF ITS will issue YubiKeys for this purpose.
Getting a YubiKey
- Figure out which YubiKey product is right for you.
- Email ITS at email@example.com and ask them to send you a YubiKey, linking the product you'd like.
- ITS will purchase and ship you a YubiKey.
Using your YubiKey
- Open a Phabricator ticket with the LDAP-Access-Requests tag to ask SRE to enable YubiKey authentication.
- Once done
From here on out, whenever you authenticate to the SSO portal you will be prompted to authenticate with your YubiKey after entering your username and password.
What sites are SSO enabled?
As of 2021-06: