Authentication

JHaaS allows a course participant to execute arbitrary code in a Jupyter notebook. Therefore, a high level of security is required for the authentication process. One concrete measure is the enforced use of a second factor. TOTP (Time-based One-time Password) apps or WebAuthn devices can be used for this purpose.
Registration
Note: Registration may not be necessary if your JHaaS provider has configured authentik to use your institutional authentication provider. In this case, either a button for single sign-on should be present (when OIDC is configured) or you may use your institutional credentials (when LDAP is configured). You may still be required to set up a second factor.
To start the registration process, click the Login button on the top right in the JHaaS portal to open the authentik interface. Click on Sign up and read the terms of service. You must accept these terms of service in order to use JHaaS.
After you have entered and submitted your information, a verification link will be sent to you via email. Follow this verification link to activate your account and to set up your second factor.
Before you set up your TOTP app or your WebAuthn device as a second factor, authentik will generate recovery tokens for you. It is important to keep these tokens in a safe place in case you lose your second factor. Be aware that each of these tokens can be used only once. If you log in with one of these tokens, remember to generate a new set of tokens so that you do not run out.
After receiving your tokens, you are prompted to set up a second factor. You may choose between TOTP and WebAuthn. Information about TOTP and WebAuthn can be found in the section Multi factor authentication. When using TOTP, use your device to scan the displayed QR code, then enter the first TOTP. When using WebAuthn, make sure your WebAuthn device is connected and interact with it when prompted.
You are now registered. You will need your second factor every time you log in.
Login
How you log in depends on how your JHaaS provider has configured authentik. If your JHaaS provider has configured single sign-on, an icon for your identity provider will be shown on the login screen.
Otherwise, LDAP or local accounts are to be used. Whenever you log in via LDAP or a local account, you have to authenticate with a second factor such as a TOTP or a WebAuthn device.
Local accounts
Local accounts are stored in authentik and are only valid in authentik. You have a local account once you have completed registration. Your email address and password are used for login.
LDAP accounts
LDAP accounts are managed through your institution. When you are using your LDAP account, no registration is necessary (or possible). The login is specific to your institution (username, mail, id, ...). LDAP accounts are mirrored in authentik.
Single sign on
If your institution uses an SSO provider and authentik is configured to use this SSO provider, you can log in by clicking on your SSO provider's icon and following the SSO-specific login. No registration is necessary (or possible).
Password reset
If you have lost your password, you can request a password recovery email. This is only possible when using local authentik accounts. In case of LDAP or SSO, please contact your administrator.
When resetting the password of a local account, only a valid second factor may be used (no recovery tokens).
Management
When using local authentik accounts, you may want to change your password or manage your second factors. To do this, go to Profile Settings by clicking on your name in the top-right corner of the JHaaS Portal. Then click on Open authentik settings. You will be redirected to the authentik profile page.
Multi factor authentication
For multi factor authentication you may use various hardware and software:
- As WebAuthn devices you may use a hardware token like a YubiKey or Solokey.
- You can even use Windows Hello or Apple Face ID as WebAuthn devices.
- For TOTP you may use a smartphone, a computer or a hardware TOTP generator.
- Apple iOS already integrates a TOTP generator in the operating system.
- On Android, you may use, for example, FreeOTP or Google Authenticator.
Troubleshooting
Things don't always run smoothly. But don't be afraid, we are here to help!
Stuck somewhere in the registration process
You may get stuck in the registration process, especially when creating or verifying a second factor. In this case, unfortunately, reloading the page or navigating away from and back to the page will not help.
Instead, you need to delete the cookies and saved data for this page. In Firefox, for example, click the lock icon to the left of the URL bar and then click on Clear Cookies and Site data.
After that, reload the page. Depending on where exactly you got stuck, you may start from the beginning of the registration process or by logging in.