Authentik / GRIT Single Sign On

GRIT is rolling out Single Sign On (SSO) via Authentik to as many resources as possible in order to reduce the burden of passwords and multi-factor authentication (MFA). When signing in to a service with SSO, you will initially be prompted to sign in with your GRIT credentials as shown below:

Screenshot from 2025-08-15 10-45-36.png

After entering your GRIT username, enter your GRIT password:

Screenshot from 2025-08-15 10-46-04.png

After successfully entering your password, on your first login (and only the first login) you will be prompted to set up an MFA method. You will be offered 2 choices, a TOTP device or a WebAuthn device, as shown below:

Screenshot from 2025-08-15 10-46-22.png

Multi-Factor Authentication Options

The two offered options are explained in further detail below.

TOTP:

TOTP stands for Time-based One-Time Password and is usually a 6-8 digit number that resets every 60 to 90 seconds. This method is supported by many browser plugins and mobile phone applications and is the most common. The Campus DUO application offers a TOTP option, making it a handy choice to keep your work MFA in one place. To set up DUO with Authentik TOTP, select the TOTP device option and open the DUO application on your phone:

Screenshot from 2025-08-15 10-46-58.png
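To show how a TOTP code is derived from the shared secret and the current time, here is an added example (not part of the original page, and not Authentik's or DUO's code) of the standard RFC 6238 calculation with a server-side check that tolerates clock drift. The `period`, `digits` and `drift_steps` values are illustrative parameters and the secret is the constructed RFC 6238 test key; the settings GRIT's Authentik uses are not stated on this page.

```python
import base64
import hashlib
import hmac
import struct


def totp(secret_b32: str, unix_time: int, *, period: int, digits: int,
         algorithm: str = "sha1") -> str:
    """Return the RFC 6238 code for the time step containing unix_time."""
    # Authenticator apps receive the shared secret Base32-encoded (QR code).
    pad = "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(secret_b32.upper() + pad)
    counter = unix_time // period              # number of elapsed time steps
    mac = hmac.new(key, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, unix_time: int, *, period: int,
           digits: int, drift_steps: int = 1) -> bool:
    """Accept a code from the current step or drift_steps either side."""
    ok = False
    for step in range(-drift_steps, drift_steps + 1):
        t = unix_time + step * period
        if t < 0:                              # no time step before the epoch
            continue
        expected = totp(secret_b32, t, period=period, digits=digits)
        # Constant-time comparison, and no early exit on a match.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


# Constructed sample input: the RFC 6238 test secret, Base32-encoded.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    code = totp(RFC_SECRET, 59, period=30, digits=8)
    print("code at t=59:", code)
    print("accepted one step later:",
          verify(RFC_SECRET, code, 89, period=30, digits=8))
    print("accepted three steps later:",
          verify(RFC_SECRET, code, 149, period=30, digits=8))
```

Widening `drift_steps` makes sign-in more forgiving of a wrong phone clock but also lengthens the time an intercepted code stays valid.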

WebAuthn device:

WebAuthn devices are generally hardware tokens that can take many forms. Many modern cellphones and laptops offer biometrics (Face ID or a fingerprint scanner) that can be used as WebAuthn devices. There are also many popular dedicated hardware tokens, with YubiKey being the most popular.

Screenshot from 2025-08-15 10-47-42.png

Authentik Dashboard:

Once you have completed your initial setup, you will be forwarded to the Authentik dashboard. From here you can pick from the available SSO services, or go directly to the web address of the service you are trying to log into. For future logins to SSO services you will only be prompted once per week to re-authenticate; after that you can access the services without additional authentication.

Screenshot from 2025-08-15 10-50-14.png