2. Getting Started and Access Management Server
2.1. Get a TSUBAME account
A TSUBAME account is required to use Open OnDemand.
If you do not have an account, please apply for one here.
2.2. TSUBAME password setting in TSUBAME Portal
Before using Open OnDemand, please set your TSUBAME password on TSUBAME Portal.
Please refer to here for how to set the TSUBAME password on TSUBAME Portal.
2.3. Log in to Access Management Server
Using Access Management Server, you can select the login method for TSUBAME Open OnDemand, and register or manage the security devices used to log in. TSUBAME 4.0 uses Keycloak as Access Management Server.
To log in to Access Management Server, access the URL below with a web browser.
https://oodm.t4.gsic.titech.ac.jp/realms/ondemand/account/
At first login, or after you have removed all registered security devices, you need to use "TSUBAME username/password/E-mail" authentication.
Press "Sign in" at the top right of the dashboard.
Enter your TSUBAME username and TSUBAME password, then press "Sign In".
An e-mail with an access code will be sent to your e-mail address registered on the TSUBAME Portal.
Copy the number in the Access code, paste it into the space below, and press Submit.
Info
After a certain period of time, the access code will become invalid. In this case, press "resend code" to reissue the access code.
After successful login, the dashboard will appear.
Info
Note that the right and left menus on the dashboard are not available. The link works but you cannot update anything in it.
2.4. Security device registration to Access Management Server
Using Access Administrator Server, you can register one or more security devices to log in to Open OnDemand. In case of theft or loss, or because you may use different types of terminals depending on the situation, we recommend registering multiple security devices.
The security device does not have to be the same as the terminal where TSUBAME is used; you can combine a PC/Mac and a smartphone, or use the security device on the PC/Mac to complete the process within the same terminal. Please use the system according to your environmental conditions and ease of use.
Info
TSUBAME uses only Security keys. Authentication applications are not available on TSUBAME.
2.4.1. Security device registration (in every case)
To register a security device, press "Signing in" under Account Security.
Keycloak can handle two types of two-factor authentication: Authentication application and Security key.
Authentication application: Google Authenticator, Microsoft Authenticator, FreeOTP
Security key: Windows Hello, Apple Keychain Access, Google Authenticator (Android). The device must be equipped with a fingerprint or facial recognition device/feature.
Info
Two-factor authentication with a security key cannot be performed on a stand-alone desktop PC that is not equipped with fingerprint recognition and a camera. A typical notebook PC is equipped with a camera for web conferencing, so a stand-alone notebook PC can log in with a security key.
From the next step, the procedure varies depending on the type of security device you are registering. Please proceed to the section for your security device.
Warning
When a user name is specified at login on Access Management Server, a list of registered security devices is displayed. This means that if the user name is known, a third party can view the list of security devices registered by that user before authentication (a limitation due to the current Keycloak specification). The actual authentication will not succeed without a linked registered security device, but other information may be inferred from the number, type, and names of the devices in use. When registering security devices, please avoid label names that can identify personal information or affiliations. In particular, do not use label names that include user IDs, passwords, PIN codes, or PIN numbers (even those for systems other than TSUBAME are prohibited).
2.4.2. Chrome/Google password manager (Windows)
Press the button to the right of Security key and click “Set up Security key”.
Press "Register".
When the security key dialog for logging in to Access Management Server is displayed, press "Save".
Press "x" to close the "Saved passkey" dialog.
Enter any label.
If the device is registered under Security key with the label name you specified, the process is complete.
2.4.3. Keychain Access (Mac)
Press the button to the right of Security key and click “Set up Security key”.
Press "Register".
The Touch ID enrollment dialog will appear; complete Touch ID.
Enter any label.
If the device is registered under Security key with the label name you specified, the process is complete.
2.4.4. Keychain Access (iOS)
Info
Make sure that a password application (Keychain) is pre-installed on the device to be registered.
Press the button to the right of Security key and click “Set up Security key”.
Press "Register".
A dialog box for setting the security key to log in to the access control server will appear; press “Save in another way”.
In the list of security devices to register, select “Use a smartphone, tablet, or security key”.
When the QR code appears, read it with the camera of the device to be registered.
The following message will be displayed; proceed.
You will be asked if you want to register a passkey on the device you are registering, so register it in the Passkey Manager [Fingerprint (Touch ID) or Face ID] on the device.
Then return to the web browser and enter an easy-to-understand arbitrary label, such as the name of the registered device.
If the device is registered under Security key with the label name you specified, the process is complete.
2.4.5. Google Authenticator (Android)
Info
Please make sure that Google Authenticator is installed on the device to be registered. iOS cannot use Google Authenticator as a security key.
Press the button to the right of Security key and click “Set up Security key”.
Press "Register".
A dialog box for setting the security key to log in to the access control server will appear; press “Save in another way”.
When the QR code appears, read it with the camera of the device to be registered.
In Google Authenticator on your Android device, press + and select “Scan QR Code”, or use the device's camera to read the QR code directly.
The following message will be displayed; continue on the device.
When "Use passkey continue" is displayed in Google Authenticator, press "continue".
When "Create passkey continue" is then displayed, press "continue".
Enter your PIN code or perform fingerprint authentication.
Then return to the web browser and enter an easy-to-understand arbitrary label, such as the name of the registered device.
If the device is registered under Security key with the label name you specified, the process is complete.
2.5. When unable to log in to Access Control Server
If you are unable to log in to Access Control Server due to a malfunction or loss of the security device or due to an inconsistency in the linkage, please log in using the TSUBAME user, password, and email authentication.
Access the following URL with a web browser.
https://oodm.t4.gsic.titech.ac.jp/realms/ondemand/account/
Click "Try Another Way".
Click "Username and password".
Enter your TSUBAME username and password, then press "Sign in".
Enter the access code from the email, then press "Submit".
After logging in to the dashboard, check the security keys registered under Signing in, and follow the procedure described in the next section to delete the defective device registration. If multiple devices are registered and the cause of the problem cannot be identified, delete all devices and then re-register them.
2.6. Remove Security devices
From the list of Security keys, press “Remove” on the far right of the security device you wish to remove.
A confirmation dialog box will appear; press "Continue".
If the corresponding device does not appear in the list of security keys, it has been successfully deleted.