This is a draft of the text which will appear on the page that will be opened when the user selects the "Help" tab on the Touchstone login page. The initial version is based on the text which appears on https://foonalagoona.mit.edu/help.html which has been used during the prototype stage.

What is MIT Touchstone?

The MIT Web application you are using requires you to identify yourself via the MIT Touchstone system. You can do this by providing your Kerberos username and password. Under some circumstances it is also possible to authenticate using existing Kerberos tickets or an MIT user certificate. Once you have authenticated successfully, you will be able to proceed and enter the requested web site. If you don't have an MIT Kerberos account, read "What if I don't have a Kerberos username?" below.

With MIT Touchstone, your single web login gives you access to many other web sites in addition to the one you initially accessed. In other words, this provides a single sign-on solution among the Touchstone-enabled applications.

Your access to Touchstone-enabled applications should last only until you quit your browser program. Be sure to secure your identity by quitting your browser before you leave your computer. Otherwise, someone else who uses your computer during that browser session can impersonate you on the Touchstone systems - both to the sites that you are using as well as to any of the other web sites that accept MIT Touchstone as an authentication authority.

Why is MIT Touchstone called a pilot?

The MIT Touchstone system is a new service, currently in the pilot phase. This means that we expect the service and features to evolve. We are still gathering feedback and discovering some of the issues required to smoothly operate the service. The scope of this pilot is very broad. Any user at MIT may choose to use the system when using applications such as Stellar and IS&T's wiki system. However, the behavior of those applications is that users will continue to authenticate using certificates and will not be using Touchstone by default.

Assuming all goes well, Touchstone will complete its pilot phase during the summer of 2008 and will be available as a service to a wider variety of MIT web applications at that time.

What am I supposed to do?

On the MIT Touchstone Login page you can identify yourself by one of three methods:

  • By presenting an MIT X.509 certificate. If you have a certificate accessible to your browser, simply click on the "Use Certificate - Go" button.
  • By entering your MIT Kerberos username and password in their respective fields and clicking on the Login button. Use the Tab key or your mouse to put the cursor into the entry fields. Your MIT Kerberos name typically consists of the characters prior to "@mit.edu" in your email address. For more information about Kerberos usernames read "How do I know if I have an MIT Kerberos username and password?" below.
  • By using your existing Kerberos tickets, if your browser is properly configured. This choice typically only applies to users of the Athena and WIN.MIT.EDU computer systems, and who have also taken additional steps to configure their environment to support this feature.

How do I know if I have an MIT X.509 Certificate, or how do I obtain one?

http://web.mit.edu/ist/help/cert/ -- Certificates are your key to most of the secure web applications at MIT which do not yet use MIT Touchstone. Such systems currently include Benefits, Request Tracker, SAPweb, and WebSIS. Certificates are the preferred way to access MIT web servers and applications. The link at the start of this paragraph will take you to the IS&T page that provides lots of information about certificates, including how to obtain one.

How do I know if I have an MIT Kerberos username and password?

Many MIT computer-based systems and services share the same username/password authentication service, Kerberos. This means a user has to keep track of only one username and password -- the user's MIT Kerberos username and password -- for many systems. If you have an email account at MIT with the form <username>@mit.edu, then you have an MIT Kerberos username, and most likely know its password. If you are a member of the MIT community, or an affiliate, you may need to complete your account registration in order to establish your Kerberos username and password. To do this, and for more information regarding Kerberos, read IS&T's page about Creating and Using Your MIT Kerberos Identity.

How do I know if I have Kerberos tickets or can use them?

Although we just mentioned Kerberos as it relates to your username and password at MIT, Kerberos is also a computer network protocol. Online services that are protected by Kerberos will ask to see your Kerberos "ticket" before they will let you in. At MIT there are many native applications (in contrast to web applications) which use the Kerberos protocol for authentication. Some of these include the native clients for SAP, TechTime, COEUS, and Jabber. In particular, you obtain Kerberos tickets when you log into an Athena workstation or a machine in the WIN.MIT.EDU Domain.

Users of Athena and WIN.MIT.EDU may find the use of Kerberos tickets in conjunction with MIT Touchstone enabled applications particularly attractive. By using this feature you will have already performed the necessary authentication when you logged into the workstation. If your browser is configured correctly, and you have set a preference to use this feature, each time you attempt to access a Touchstone enabled application you will quickly be granted access without being prompted for any additional information.
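
The quickest way to answer "do I have Kerberos tickets?" on an Athena or WIN.MIT.EDU machine is to run the klist command and look for an unexpired ticket-granting ticket. The script below is an added example written for this help page; it is not part of MIT Touchstone or of IS&T's tooling. It assumes the MIT realm name ATHENA.MIT.EDU and the MM/DD/YYYY timestamp layout that MIT Kerberos klist prints by default; the sample klist output embedded in it is constructed, not captured from a real workstation.

```python
"""Classify the local Kerberos credential cache as 'valid', 'expired'
or 'none' by parsing MIT Kerberos `klist` output.

Added example for this help page, not MIT Touchstone code.  Assumptions:
the Kerberos realm is ATHENA.MIT.EDU and klist prints timestamps as
"MM/DD/YYYY HH:MM:SS" (the default for MIT Kerberos; other builds and
locales may differ).
"""
import re
import shutil
import subprocess
from datetime import datetime

REALM = "ATHENA.MIT.EDU"          # assumed MIT realm
TGT = f"krbtgt/{REALM}@{REALM}"   # the ticket-granting ticket principal
TIME_FMT = "%m/%d/%Y %H:%M:%S"

# One ticket line looks like: "<valid starting>  <expires>  <service principal>"
_TICKET_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)"
)


def parse_time(stamp):
    """Parse a klist timestamp string into a datetime."""
    return datetime.strptime(stamp, TIME_FMT)


def parse_klist(text):
    """Return (default principal, [(service principal, expiry datetime), ...])."""
    principal = None
    tickets = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = _TICKET_LINE.match(line)
        if m:
            tickets.append((m.group(3), parse_time(m.group(2))))
    return principal, tickets


def tgt_status(text, now):
    """'valid' if the cache holds an unexpired TGT for REALM at time `now`,
    'expired' if the TGT is present but past its expiry, else 'none'."""
    principal, tickets = parse_klist(text)
    if principal is None or not principal.endswith("@" + REALM):
        return "none"  # no cache, or a cache for some other realm
    for service, expires in tickets:
        if service == TGT:
            return "valid" if expires > now else "expired"
    return "none"


# Constructed sample of klist output (not taken from a real machine).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@ATHENA.MIT.EDU

Valid starting       Expires              Service principal
03/10/2008 09:00:00  03/10/2008 19:00:00  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
03/10/2008 09:01:12  03/10/2008 19:00:00  host/athena.dialup.mit.edu@ATHENA.MIT.EDU
"""


def check_local_cache(now=None):
    """Run klist on this machine (if installed) and classify the result."""
    if shutil.which("klist") is None:
        return "klist-not-installed"
    proc = subprocess.run(["klist"], capture_output=True, text=True)
    if proc.returncode != 0:
        return "none"  # klist exits non-zero when there is no credential cache
    return tgt_status(proc.stdout, now or datetime.now())


if __name__ == "__main__":
    print(check_local_cache())
```

If the result is "expired" or "none", run kinit (Athena) or log into the WIN.MIT.EDU domain again before trying the ticket-based login; a browser can only present a ticket that the cache actually holds.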

What if I don't have a Kerberos username?

If you do not have a Kerberos username and you are a member of the MIT community or an affiliate, then you need to register for an Athena user account. Please see IS&T's page about "Creating and Using Your MIT Kerberos Identity".

If you are not eligible for an MIT Kerberos username, and there is no "public" version of the page or web site you were trying to access, you might not be able to get access because the MIT service is not available to the public.

MIT Touchstone applications in use today also have a local account management system so that they may be used by people who do not have an MIT Kerberos username. Those users should not use the Touchstone@MIT login page. Instead, the Touchstone-enabled application that you are intending to use should have an alternate login page for your use. Unfortunately, each application manages this type of authentication in its own way. Users with this type of account should refer to the application-specific help pages.

MIT Touchstone enabled applications also support federated authentication with a limited number of partners using a product and technology called Shibboleth. Today we share metadata with ProtectNetwork, so the Touchstone enabled application that you are intending to use may also support authenticating via ProtectNetwork's login server. MIT does not currently run a Shibboleth WAYF server, so it is up to each Touchstone application to provide a page which enables users from other identity providers to authenticate. You should check the documentation or support pages for the particular application you are trying to access to determine if you may use other Shibboleth identity providers to access the application.

Help! I still can't log in!

Error messages and descriptions:

Missing or Incorrect username and/or Password: To authenticate to MIT Touchstone, you must provide both your username and its password. If you have forgotten your username or password or need other assistance with them, please contact the IS&T Help Desk at 617.253.1101 or computing-help@mit.edu.

Enabling cookies on your web browser: The MIT Touchstone system requires that your web browser accept "cookies", small files that web servers send to your computer. MIT Touchstone uses them for security and verification. Having a cookie for an MIT Touchstone web site identifies you to the site and allows you to continue from one page of the site to another without having to login each time. You can usually enable cookies in the Settings or Preferences panels of your browser program.

Time expired before you were able to login: You must enter your username and password within 5 minutes of the MIT Touchstone login screen appearing in your browser window. After that time has elapsed, you must re-initiate the request for the web page or service you want to access by re-entering the URL in the address bar or by returning to the original site which first asked you to authenticate. Reloading the MIT Touchstone login will not work, as you must be directed to the MIT Touchstone login page from your original application due to technology limitations.

If you continue to have login problems, please call the Computing Help Desk at 617.253.1101.

5 Comments

  1. I made edits to the text, style and links of the final version here: https://web.mit.edu/jbink/Public/WORK/webSSO/help.html

  2. In the "What if I don't have a Kerberos username?" section there should be an external link to a page that lists which Touchstone applications are willing to accept 3rd party authentications and links into those applications to find instructions on how to use those services.

  3. Certificate related text has been struckthrough temporarily. The certificate option has been removed until we resolve some UI issues when dealing with them. The first two applications ready for pilot already handle certificates internally and users will only end up at the Touchstone login page if they don't have a working certificate.

  4. This seems a little convoluted: 

    "If you have an email account at MIT that has an address that has the form <username>@mit.edu"

     Maybe "If you have an email account at MIT with the form <username>@mit.edu"?

    1. Thanks. I've made the suggested change. (I think I had earlier made a transcription error when trying to incorporate suggested text from someone else.)