How can I register for the SSO portal?

To register for SSO for the first time, follow these steps:
Log in with your university credentials at https://sso.haw-landshut.de.




In the next window click on „Token registrieren“.



You will then receive the password (registration code) for a so-called "registration token" at your university e-mail address. You can use it once as a second factor to register.

This is not enough for the future! Please set up a second factor via "2FA token" immediately after the first login!



For professors at the Hochschule, this is usually a U2F security key,

for lecturers and students this is usually a TOTP token.

What is a token and how do I get one?

Are you a professor at the Hochschule?

In this case, you will receive a cost-locked U2F Security Key at Service IT, in room N106. You will need this key before proceeding with the SSO registration process.

Are you a student or faculty member at the university?

Then please install a TOTP app of your choice on your smartphone or purchase a U2F security key if necessary. You should have a TOTP app installed before logging into the SSO portal for the first time.

Which TOTP apps can you install? Please see our listing below under "Token Options: Tabular view".

How can I log in to the SSO portal?

Log on to https://sso.haw-landshut.de with your login information.



After you have logged in with user name and password:


Case 1

You received an email to your Hochschul-email address with the one-time registration password after you registered.

Authentication method:

TOTP: Token einrichten: TOTP


or

U2F: Token einrichten: U2F Security Key



Case 2

You have already successfully registered:

TOTP:
Enter the six- or eight-digit token from the authenticator app (e.g. FreeOTP, Google Authenticator, WinAuth).
Note that each token is valid for only 30 or 60 seconds, after which a new token is generated.

U2F:
Click on the "Activate Security Key" button and wait until your key lights up.
Then press your finger once on your key.


 

Set up token: TOTP

Requirements:

  • Hochschul-account
  • Smartphone/tablet on which an Authenticator app, e.g. "Free OTP", is installed.

 

Step 1
Please close your web browser (Firefox) completely and open it again.

Step 2
Log in at https://sso.haw-landshut.de with your Hochschul login data.




Step 3
Enter the one-time registration password from the registration email and click on Login.




Step 4
 Click on Anmelden



 

Step 5
 Click on 2FA-Token

 

 

Step 6
Click on Token ausrollen
 

 

Step 7
Click on Token ausrollen
 

 

Step 8
Scan the QR code with e.g. the "Free OTP" app.


Info:

  • If the rollout was done in the browser of the same smartphone/tablet that would otherwise have to scan the code, you can instead click on the word "here" in the link shown below. This way, the token can be transferred to Free OTP even without the QR code.
  • For iOS devices that use Free OTP, additional information is requested after scanning: Simply enter "HAW Landshut" as the token provider. All other settings can be chosen arbitrarily.

 

 


Subsequently, the 6-digit number, which is renewed in the Authenticator app every 30 seconds, serves as the password for the 2nd factor during login.

 

 

Set up token: U2F Security Key

A U2F token is a USB security key that supports the FIDO U2F protocol. You can buy a USB key from various suppliers.

You can register a new U2F token for SSO login in our token self-service https://pi.haw-landshut.de/

Under "Roll out token", select the option "Enroll a U2F token". Insert your USB security key into the USB port.

The key should then flash briefly. The device may have to be set up first. This will take a moment.

Then press the "Token ausrollen" button below it as shown in the following screenshot.



You will be prompted by the system to press the security key. As soon as the key flashes in the center - this can be the case before or after confirming a popup that appears, depending on your settings - press it (very gently). After pressing it, your security key is registered and can be used as a 2nd factor in SSO login.

ATTENTION: The first time you use the key afterwards, that is, when you click on "Activate Security Key" on the 2nd factor page during registration and then tap the flashing key, it is possible that it will not be accepted. This will only happen this once. You can try again right afterwards.

U2F Token Deprecated in February 2022 (Google Chrome)

If you have a U2F token and use Google Chrome as your browser, then you have probably already seen the following info in your browser:

 

To work around this error, please press "Allow"; after that, the security key will work as usual.

The error message is displayed in Chrome versions before 98. Version 98 has been available since 02.02.2022. As of version 98, the security key is no longer supported in Chrome. Please do not start an update manually if it has not already been done automatically.

https://developer.chrome.com/blog/deps-rems-95/#deprecate-u2f-api-cryptotoken

The security keys are also no longer supported in Microsoft Edge.

Firefox is not affected and the U2F Keys can still be used with Firefox.

To be on the safe side, we also recommend that you register a TOTP token by March, as described in our FAQs above.

Using U2F mobile

Prerequisite: The security key must have an NFC interface!

Open the login page on your mobile device. In the 2nd step ("Token eingeben"), press "Security Key aktivieren":


At the same time, hold the Security Key close to the back of the smartphone (on an iOS device, to the top) and press the golden button:



You are now logged in.

Please note: Some mobile browsers do not support the U2F protocol. We have tested the login on Android with Google Chrome so far.

How can I change my password?

Log in at https://sso.haw-landshut.de with your access data. Then click on "Password" in the overview and enter your new password twice.



Please pay attention to the password guidelines:
The new password should:

  • be between 8 and 15 characters long
  • contain both lowercase and uppercase letters and numbers
  • not contain umlauts, ß, or spaces
  • not contain special characters other than the following: - # ! ? {} : ;

How can I reset my password?

If you have forgotten your password, please go to https://sso.haw-landshut.de/pwreset/
Now there are two possibilities:



Possibility 1 (Professors & staff with certificate, students before WS 19/20 with certificate):
If you have imported your certificate in the browser, you can click on "I have a DFN certificate!" at the top. Now confirm the certificate request. Afterwards you can set a new password.

Possibility 2 (All others):
Under "Username", please enter your Hochschul ID, which you also use to log on to the Hochschul computers. A token will then be sent to your Hochschul email address (or to the appropriate forwarding address), which you can use to log in at https://sso.haw-landshut.de/resetcode and set a new password.

You can also indicate that you have forgotten your old password in one of the following ways:

In the login screen, select „Passwort vergessen?“





OR

Select „Passwort“ in the user portal.



Then click on „Altes Passwort vergessen?“



I lost my token, what do I do now?

If you have lost your token, please log in at https://sso.haw-landshut.de with your Hochschul information. Then click below on "Token verloren".



In the email window that opens, please enter your user name and email address. If these data match the ones we have stored, you will then receive a one-time token by email, which will give you access to your account again.

Set up a new token right away and deactivate the lost one!

IMPORTANT: I can't log in even though I have a valid TOTP token?!

If you are absolutely sure that you have used the token successfully before, and can therefore confirm that
- it is not the wrong SHA algorithm,
- you have typed a current TOTP,
- the TOTP token is displayed in the list of valid tokens when you try to log in, and
- you did not make a mistake when opening the page, such as accidentally opening an error page through auto-completion,

then this means that your token has a low timeShift. Since the token is time-dependent, the server influences the timeShift value of your token. If it is too low, the server will not accept the value you enter.

Is the token useless now?
Yes, but only temporarily. The value can be reduced or the token resynchronized on the server side.

If you have a second token and can log in to the portal with it:

Resynchronize your token. Open the token and enter 2 current TOTP values of the same token:



You can find other tips on this below.

If you are not able to log in to the portal at all:

Call the service IT. If you have your app at hand, this conversation will take about 5 minutes. The service IT then needs two very recent consecutive TOTP values from you so that the token can be resynchronized. This is why a phone call or an on-site appointment is necessary: it is no use writing two values into a mail, because they are already too old when the request is processed.

If you do not have time for a phone call or an on-site meeting when the problem occurs, or if the Service IT is currently too busy with requests, please send a ticket to ticket@haw-landshut.de. Your registration token can then be reset for you instead, and you can use it to get back into the portal and roll out a new token.

How is this timeShift created?
The timeShift is changed on the server side when you log in with the TOTP. The apps and their tokens do not connect to the server themselves, but the token is still the same one, so the value is not accepted, as mentioned above. Each token has its own timeShift. You cannot control it perfectly, but you are not helpless either. timeShift values can also move in the other direction (you want the value to go towards 0.0, not away from it).


What can you do?
In fact, apart from the possibilities mentioned above, you have a few other relatively good and simple ways to ensure that the value does not get too low, or that it recovers: always take a new value in your app after you have let the timer run out. This way your timeShift will drop much more slowly or even recover. The server always checks at what point during the validity of the previous TOTP you last logged in. If you have now logged in with a timer lower than before, the timeShift will decrease (this is bad for the token), but if you have logged in with a timer value higher than the last one, it will recover.


So this means: always wait until your timer expires if it is already too low. Alternatively, you can alternate between a token with an almost expired timer and a new timer the next time. This would mean that your timeShift decreases, then recovers, and so on. Or: if you always log in when the timer is at the same number as usual (hard to do consistently in practice), nothing happens to the timeShift value at all.

You can also do a little timeShifting yourself within your profile:



To do this, look at the token in the app and then enter a TOTP value with the timer still as high as possible. This is not quite as effective as a resync (which you should better do instead), but it also prevents the case that you lock yourself out.
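A simplified model of the server-side behaviour described in this entry: a per-token shift that follows the device clock at each login, a narrow acceptance window, and a resynchronisation that needs two consecutive values. This is an added example, not the portal's own code; `ServerToken`, the window sizes and the step-based `shift` are assumptions, and the portal's actual timeShift calculation may differ.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP value, as stated in the FAQ

def totp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226/6238 value for one time-step counter (algo must match the app's)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class ServerToken:
    """Constructed model: one enrolled token with its own stored shift (in steps)."""

    def __init__(self, secret, window=1):
        self.secret = secret
        self.window = window      # steps accepted on either side at login
        self.shift = 0            # hypothetical stand-in for the per-token timeShift
        self.last_counter = -1    # highest counter already used (replay protection)

    def verify(self, code, now):
        """Normal login: narrow window around server time plus stored shift."""
        centre = int(now) // STEP + self.shift
        for delta in sorted(range(-self.window, self.window + 1), key=abs):
            c = centre + delta
            if c > self.last_counter and hmac.compare_digest(totp(self.secret, c), code):
                self.shift = c - int(now) // STEP   # server follows the device clock
                self.last_counter = c
                return True
        return False

    def resync(self, code1, code2, now, window=20):
        """Resynchronisation: two consecutive values, searched in a wide window."""
        base = int(now) // STEP
        for delta in range(-window, window + 1):
            c = base + delta
            if (hmac.compare_digest(totp(self.secret, c), code1)
                    and hmac.compare_digest(totp(self.secret, c + 1), code2)):
                self.shift, self.last_counter = delta, c + 1
                return True
        return False
```

Requiring two consecutive values is what makes the wide resync window acceptable: a single guessed 6-digit value has a far higher chance of matching somewhere in 41 steps than a matching pair does.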

Do you have any tips on what else could be done?
It is advisable, should you ever be in the service portal again, to roll out at least a second TOTP token. Use this token only for important events (such as exam registrations). This way you will have one that you can use to enter the portal, because the version of the token that is on the server is only affected if it is really in use. This means that if you are locked out with another token and you don't have time to make a phone call, or the service IT can't take care of your problem in time, you will at least have this emergency token for important days.
If you don't go to the portal often, a single token might be enough. This doesn't mean that it won't have to be reset by the service IT at some point; this token can also get an invalid value sooner or later.

But that's complicated - can't you do anything else?
Since time is of the essence, you can't - at least not with TOTP tokens. You can purchase a U2F key if you want to.

Token options: Tabular view