D-PHYS SSO (single-sign-on)

Over the years, we've rolled out quite a number of web-based services, most of which authenticate against our LDAP server. Technology evolves, and modern protocols like OIDC/OAuth allow new features like single sign-on and passkeys. That's why in 2026 we started migrating compatible web services to our Authentik auth provider, which will make using our services more seamless and secure.

How it works

Instead of asking you to log in to each web app separately, these applications forward your login request to Authentik, which redirects you back to the application after a successful login. Each subsequent app will reuse the existing Authentik session, so that login is automatic and almost instantaneous.

Security

Since in this setup your login grants access to a whole range of applications, we implemented a policy that enforces the use of MFA (via TOTP, exactly the same technology that ETH ID also uses). On your first login, Authentik will guide you through the MFA enrollment process.

Convenience

Even though we believe having to enter your TOTP once to unlock a whole range of services isn't too bad, we offer something even more convenient: passkeys. In combination with our vaultwarden service or any other passkey-enabled password manager, your initial D-PHYS login will be reduced to literally 2 clicks.

How to enroll your D-PHYS passkey

  • make sure you have a passkey-capable password manager
  • log into Authentik via D-PHYS username + password + MFA
  • either click on this link or in the Authentik dashboard click on the gear icon -> Credentials -> Enroll -> WebAuthn device
  • your password manager will open and ask you to choose a login to save the passkey to
  • you probably want to use your existing D-PHYS account
  • on your next Authentik login, click on "Use a security key" and select your passkey

Backup keys

Note that Authentik allows you to register multiple TOTPs (Enroll -> TOTP device), passkeys (Enroll -> WebAuthn device) or even USB hardware tokens (Yubikey, Nitrokey, ...; also via Enroll -> WebAuthn device).