COmanage FAQ

What is Federated ID and what does it provide?

• Federated ID is a method by which one can authenticate to various web pages or services using a single set of credentials (e.g., BNL or CERN accounts). As users of the SCDF, you are already doing this using the SCDF Identity Provider (your Kerberos account(s) and password(s) along with a second factor). Federated IDs offer the possibility to merge multiple identities and map them into one single user.
• COmanage registry is the core infrastructure component that combines multiple Identity Providers (IDPs) into a single identity. The goal is for users to be able to access protected pages with their CERN account, their SCDF account(s), BNL account, etc. from a list of approved IDPs, but appear as the same identity to all SCDF services.
• This system also provides tokens issued by CILogon. Tokens are the current method for Grid and Cloud authentication. With the registry in place, services continue to transition to authenticating with tokens instead of Grid Proxies. Note that this does not affect your SSH interactive login, only access to web/HTTPS services.

Which services are affected?

• COmanage is in place across a broad set of SCDF web services. As more services are integrated, enrolled users will be notified.
• SSH and JupyterHub access are not affected by COmanage.

Where can I get general assistance with this service?

• For account issues (registration, pending confirmations, connecting identities), email RT-RACF-UserAccounts@bnl.gov with the subject line "New COmanage Account" for direct expert assistance.
• For service-level issues (a COmanage-protected service not working), email RT-RACF-Www@bnl.gov.
• Detailed setup instructions: Register for SCDF COmanage
• Connecting additional accounts: Connecting to COmanage

Do I need to use COmanage to access BNL servers?

• COmanage groups your IDPs so that one account can sign you in to any COmanage-protected SCDF web service. Services not protected by COmanage (including SSH and JupyterHub) are unaffected.

Do I need to make a new user id?

• No. COmanage is used to link existing IDPs, not to create new ones.

Will the COmanage registry link all my SCDF accounts into one?

• Yes. All accounts offered as IDPs to log in with can be combined into a single account. See our guide on Connecting to COmanage for details.

Is there a way I can check the unique user id linked to all my accounts?

• Yes. Visit https://comanage.sdcc.bnl.gov/ and click My Profile in the top right corner. The Identifiers section lists the identifiers linked to your account.

Common Issues

• "I can't log into my SCDF/BNL Active Directory account."
  • Contact your IDP to reset your credentials — COmanage cannot reset credentials for your underlying IDP.
• "My account is in 'Pending Confirmation' — what do I do?"
  • Make sure you followed every step in Register for SCDF COmanage. Missing a step causes this error and requires restarting the process. Check your email after completing each step.
• "What is an incognito/private tab?"
  • An incognito (or private) browser tab treats you as "not logged in" during each step of registration. This ensures no session cookie carries over, so you can select the correct account to log in with at each step. See https://www.computerworld.com/article/3356840/how-to-go-incognito-in-chrome-firefox-safari-and-edge.html for more on using this feature.