Identity Management Services

Identity Management Services ensure that only authorized users may gain access to laboratory resources. In addition to your Berkeley Lab Identity, access to some resources may require or benefit from other, related services. Below, you'll find more information about where and how to access these.

For help with any Identity Management Services, please contact the Help Desk at help@lbl.gov.

Identity and Access Management

  • Berkeley Lab Identities

    Your Berkeley Lab Identity was created for you when you join the Laboratory. Your Berkeley Lab Identity username and password are your most commonly used credentials.

    Change your Berkeley Lab Identity password

    Reset your Berkeley Lab Identity password

    Update your Phonebook information

    Tips for choosing a password

  • Active Directory

    Active Directory is used to login to managed Windows workstations and to access some shared file services.

    Change your Active Directory password

    Support documentation

  • Multifactor Authentication

    Multifactor Authentication (MFA) offers an additional layer of security for your Berkeley Lab Identity, protecting you against credential theft. Some systems already require MFA, and you can opt-in to require MFA protection for your SSO logins.

    MFA Token Management

    Opt-in to MFA (you must have already enrolled via Token Management before you can access this service)

    Support documentation for MFA

  • StrongID

    StrongID is a two-factor authentication method, supported by a physical Yubikey or Google Authenticator soft token, which supports access to business systems and computers containing sensitive information. StrongIDs are issued based on job duties and responsibilities.

    Manage StrongID Tokens

    Support documentation for StrongID

  • Level 4 ID

    Level 4 IDs are issued to only a small number of LBL employees who manage critical systems infrastructure. Level 4 ID tokens are issued based on job duties and responsibilities.
  • Enterprise Directory (LDAP)

    The Enterprise Directory stores information about both your Berkeley Lab Identity, as well as other information, such as your phone number and location.

    How to use the Enterprise Directory

  • Web Single Sign-On

    The Web Single Sign-On (SSO) services make it possible for web application developers to integrate their applications with the array of identity and access management capabilities listed on this page. Multiple protocols (SAML, OpenID Connect, and CAS) are available to suit most needs. The use of the SSO system for web applications helps protect user credentials by not exposing them to potentially vulnerable systems.

    Contact the IT Help Desk to find out how to integrate your application.

  • eduroam

    eduroam is a worldwide Wi-Fi access point authentication system, permitting associated of member institutions to access Wi-Fi resources using their home institution credentials.

    Support documentation for eduroam

  • RADIUS

    RADIUS is a widely supported authentication, authorization, and accounting protocol, which makes it possible to rapidly integrate Laboratory systems -- particularly UNIX systems -- with our multifactor authentication systems. If you're interested in bringing MFA to individual hosts that are accessed via SSH, contact the IT Help Desk

Related Services

  • Scientific Computing ID

    The Lawrencium cluster is open to all Berkeley Lab researchers needing access to high performance computing.

    Get a Scientific Computing ID

  • Password Manager

    The use of a password manager greatly improves the security of your identities online by encouraging the secure storage of longer, more complex passwords. IT User Support strongly recommends the use of a password manager, such as LastPass

    Support documentation for LastPass

  • Virtual Private Network (VPN)

    Virtual Private Networks (VPN) establish encrypted tunnels for the secure transfer of information. Because the data that passes through is encrypted, it it protected by unauthorized snooping. Berkeley Lab requires the use of VPN for offsite access to some systems.

    Download Cisco AnyConnect

    Support documentation for VPN