Motivation

On February 6 the authentication behavior for some CZ and RZ LC web services – Confluence, Jira, and GitLab - will be changing. This is one step of a multi-step effort to modernize and extend the LC web authentication capabilities. One major goal is to allow users from LANL and SNL to use OneID authentication rather than requiring use of LLNL RSA tokens. Another benefit of the changes is that Confluence, Jira, and GitLab will share an authentication session within the same zone (CZ or RZ), allowing you to use multiple of these services with a single authentication.

What’s Next?

The OneID authentication option will eventually extend to LLNL users, allowing them to either use RSA tokens or other forms of LLNL MFA when authenticating to LC web services. We also expect to extend this option in the coming months to other LC web services, such as MyLC and JupyterHub. These changes will migrate to the SCF at a later date.

Details of Changes

Authentication behavior for some LC web applications will be changing on February 6. This affects Confluence, Jira, and GitLab. The changes are summarized here:

Application / Service Change Notes
CZ Confluence, Jira, GitLab

LLNL users: New login page will use OUN rather than LC username, along with the appropriate CZ RSA OTP.
LANL & SNL users: New login page will have a OneID button which leads to local site's OneID page allowing authentication with site MFA.

Screenshot of CZ login panel

CZ Confluence, Jira, and GitLab will all share an authentication session - i.e., signing in to one will get you into the others without any additional authentication.

For users with multiple LC identities, such as service user accounts, the login process will now include a separate step to select the LC identity you wish to login with:

Screenshot of username submission panel
RZ Confluence, Jira, GitLab

LLNL & SNL users: New login page which uses OUN rather than LC username, along with the appropriate RZ RSA OTP.
LANL users: New login page will have button pointing to LANL's OneID page, allowing authentication with LANL MFA.
 

Screenshot of RZ login panel

RZ Confluence, Jira, and GitLab will all share an authentication session - i.e., signing in to one will get you into the others without any additional authentication.

SNL use of OneID for RZ web services is pending configuration changes at SNL.

For users with multiple LC identities, such as service user accounts, the login process will now include a separate step to select the LC identity you wish to login with:

Screenshot of RZ username panel
CZ / RZ MyLC, Custom Content Directories, JupyterHub No change from today - the login page and process will remain the same. At a later stage we expect to incorporate the new login options to these services.
CZ / RZ git-over-https No longer will allow conventional username + password authentication when performing git-over-https operations on LC GitLab instances (CZ, RZ). Must use Personal Access Token in lieu of password. Details below. Preferred mitigation is to switch to git-over-ssh; setting up keys is described here.

NOTEThis page was updated February 2026. The content which originally appeared below can now be found at

Using a Personal Access Token for Git-over-HTTPS