2. Getting Stated and Access Management Server¶

2.1. Get a TSUBAME account¶

A TSUBAME account is required to use Open OnDemand.

If you do not have an account, please apply for one here.

2.2. TSUBAME password setting in TSUBAME Portal¶

Before using Open OnDemand, please set your TSUBAME password on TSUBAME Portal.

Please refer to here for TSUBAME password setting on TSUBAME portal.

2.3. Login to Access Management Server¶

Using Access Management Server, you can select login method to TSUBAME Open OnDemand, registre or management security devices to login. TSUBAME 4.0 uses Keycloak as Access Management Server.

When you login to Access Management Sever, access below using Web browser.

https://oodm.t4.gsic.titech.ac.jp/realms/ondemand/account/

At first time login, or when you remove all registered security devices, you need to use "TSUBAME username/password/E-mail" authentication.

Input TSUBAME login name and press "Sign In".

Input TSUBAME password and press "Sign In".

An e-mail with an access code will be sent to your e-mail address registered on the TSUBAME Portal.

Copy the number in the Access code, paste it into the space below, and press Submit.

Info

After a certain period of time, the access code will become invalid. In this case, press "resendCode" to reissue the access code.

After successful login, the dashboard will appear.
In TSUBAME4, it is used only under "Account Security".

2.4. Security device registration to Access Management Server¶

Using Access Administrator Server, you can register one or more security devices to login Open OnDemand. In case of theft or loss, or you may use different types of terminals depends on cases, we reccomend to register multiple security devices.

The security device does not have to be the same as the terminal where TSUBAME is used; you can combine a PC/Mac and a smartphone, or use the security device on the PC/Mac to complete the process within the same terminal. Please use the system according to your environmental conditions and ease of use.

Info

The procedures and screenshots presented in this manual may vary depending on your OS, application version, device, browser settings, and other factors.
If the screenshots do not match the manual, please make your own judgment accordingly.

2.4.1 Secuirty device registration (in every case)¶

To register a security device, press "Signing in" at Acount Security.

Keycloak can handle two types of Two-factor authentication; Authentication application and Passkey.

Warnning

When a user name is specified at login on Access Management Server, a list of registered security devices is displayed. This means that if the user name is known, the list of security devices registered by that user before authentication can be referenced by a third party (a limitation due to the current Keycloak specification). Without the linkage of registered security devices, the actual authentication will not succeed, but other information may be analogized from the number, type, and name of devices in use. When registering security devices, please be careful to avoid using label names that can identify personal information or affiliations. In particular, do not use label names that include user IDs, passwords, PIN codes, or PIN numbers (even those for systems other than TSUBAME are prohibited).

Click "Set up Passkey".

Click "Register".

Click the button outlined in red.

From the next step, the procedure varies depending on the type of security device you are registering. Please proceed to the section for your security device.

Chrome/Google password manager (Windows)
Keychain access (Mac)
Keychain Access (iOS)
Google Authenticator (Android)

2.4.2. Chrome/Google password manager (Windows)¶

Info

It is assumed that you are using Google Chrome and are logged in to the Google account to be linked.

Click "This Windows device".

You will be authenticated using the authentication method set up on your Windows device. (This screen shows PIN authentication.)

Input any label.

Info

Do not include personal information or information that identifies your affiliation in the label name. (User IDs, passwords, PIN codes, PIN numbers, etc., including those used in systems other than TSUBAME.)

If the label is registered with the label name specified in the Security key, the process is complete.

2.4.3. Keychain access (Mac)¶

Click the button outlined in red(iCloud keychain).

The Touch ID enrollment dialog will appear, process Touch ID.

Input any label.

Info

Do not include personal information or information that identifies your affiliation in the label name. (User IDs, passwords, PIN codes, PIN numbers, etc., including those used in systems other than TSUBAME.)

If the label is registered with the label name specified in the Security key, the process is complete.

2.4.4 Keychain Access (iOS)¶

Info

Make sure that a password application (Keychain) is pre-installed on the device to be registered.

Windows : Click "iPhone, iPad, or Android device".
mac : Click the button outlined in red(smartphone etc..).

When the QR code appears, read it with the camera of the device to be registered.

Follow the instructions in the application to complete the setup.
Then return to your web browser and enter a descriptive label of your choice, such as the registered device name. 　

Info

Do not include personal information or information that identifies your affiliation in the label name. (User IDs, passwords, PIN codes, PIN numbers, etc., including those used in systems other than TSUBAME.)

If the label is registered with the label name specified in the Security key, the process is complete.

2.4.5 Google Authenticator (Android)¶

Info

Please make sure that Google Authenticator is installed on the device to be registered. iOS cannot use Google Authenticator as a security key.

Windows : Click "iPhone, iPad, or Android device".
mac : Click the button outlined in red(smartphone etc..).

When the QR code appears, read it with the camera of the device to be registered.

In Google Authenticator on your Android device, press + to “Scan QR Code” or use the device's camera to read the QR code as is.

Info

On some devices, QR codes do not seem to be recognized correctly when scanned with the camera application.
Please scan the QR code from Google Authenticator.

Follow the instructions in the application to complete the setup.
Then return to your web browser and enter a descriptive label of your choice, such as the registered device name. 　

Info

Do not include personal information or information that identifies your affiliation in the label name. (User IDs, passwords, PIN codes, PIN numbers, etc., including those used in systems other than TSUBAME.)

If the label is registered with the label name specified in the Security key, the process is complete.

2.5. When unable to login to Access Control Server¶

If you are unable to log in to Access Control Server due to a malfunction or loss of the security device or due to an inconsistency in the linkage, please log in using the TSUBAME user, password, and email authentication.

https://oodm.t4.gsic.titech.ac.jp/realms/ondemand/account

Click "Try another way".

Follow the instructions in Login to Access Management Server to log in.

2.6. Remove Security devices¶

From the list of Passkeys, press “Remove” on the far right of the security device you wish to remove.

A confirmation dialog box will appear, press "Confirm deletaion".

If the corresponding device does not appear in the list of Passkeys, it has been successfully deleted.