This site requires JavaScript to be enabled


DocDB: Accessing DocDB with Federated ID Single Sign-On (SSO)

Intended for:

Users who want to access a Fermilab-hosted DocDB using Single Sign-On (SSO) and have an external federated ID from an outside organization approved by Fermilab (see for the current list of registered external ID providers).

Note to CERN users: this method will only work with full CERN accounts. Lightweight CERN accounts cannot be used.

Scenario/Use case:

A user wants to access a Fermilab-hosted DocDB through Single Sign-On (SSO) using an external federated ID.



External Federation at Fermilab

Using your external federated ID to access DocDB

External Federation at Fermilab

For information on using external identities to access Fermilab web services, see There you can find:

It is recommended that you go to prior to using your external federated ID for any Fermilab applications. If the information associated with your ID is incorrect, or if you have used your external ID on a Fermilab application in error, please contact

Using your external federated ID to access DocDB

  1. Go to your DocDB’s homepage ( to choose an access method or use an SSO direct URL given to you (via email, web page, etc.) The SSO direct URL is typically of one of these forms:

    (Replace XYZ with your DocDB’s name. For example, for CD DocDB, the URL would be or DUNE DocDB uses as the base URL.)

    If you go to your DocDB’s homepage, choose Single Sign-On.

  2. You will be brought to a page where you can choose how you want to authenticate from the drop-down menu. ‘Services Username and Password’ uses your Fermilab Services account. More federated ID options may be added in the future. Select the option you would like to use (e.g. for CERN computing account, this is ‘External - CERN’). Read the ‘Notice to Users’ and then click ‘Continue’.

    (Note that if you scroll past the ‘Notice to Users’, you'll see an ‘External Users’ section. The link ‘Start Here’ leads to the Fermilab External Federation page

  3. If you clicked ‘Continue’ in the previous step, you will be brought to your federated ID provider’s login page. Log in as you normally would. Below is an example of CERN’s federated ID login page.

  4. After you have signed in and clicked through any confirmation pages specific to your institution, you will either be brought to your DocDB’s main page or to the direct URL you first clicked.

  5. Some DocDBs have mapped groups, which means that your federated ID account may have automatic access to documents visible to certain DocDB groups. If you sign in with your federated ID and do not have access to the documents you need, you may need to apply to access groups. If you do not have the needed access permissions for a document, you will get an error such as:

    To address this, go to your DocDB’s main page (, click ‘Apply to Groups’ in the grey menu on the left, or go to (replacing XYZ with your DocDB’s name).

  6. Choose the groups you need access to from the list and click ‘Apply for access’. Including a brief note about who you are and why you need access to the chosen groups may help expedite the request.

    The DocDB instance administrators will receive your request and add you to the appropriate groups. You will get an email when that is done and then you will be able to access documents visible to those groups. (Check your junk/spam mail folder if you think you might have been added but have not seen the confirmation email yet.)

    If you have any questions or problems not addressed by these instructions, please open a ticket by emailing