Executive Summary: A community member needs to securely share his or her identity with an application in order to use a feature that requires authorization. The community member is a researcher, student, staff member, or other involved party. The application may be a website or web application, a locally installed application or mobile app, a network service (e.g., SSH, GridFTP), or an application programming interface (API) accessed via software.
Component | User facing? | Component’s role in the capability
---|---|---
WS-STS | no | An externally supported service that translates XSEDE OAuth2 tokens (user identity, group membership) obtained from Globus Auth and XUP into the signed SAML chains required by XSEDE Genesis II and UNICORE services, including GFFS. The WS-STS helps provide SSO for SOAP web services, and we have no gaps for WS-STS at this time. Also: “WS Trust Secure Token Service (STS) for translating OAuth 2.0 tokens into signed SAML assertions. This translation is used by Genesis II clients to obtain the signed SAML credentials needed to use Genesis II and UNICORE clients and services, including both GFFS and remote job submission. Note that Genesis II clients have a pre-existing workaround that uses XSEDE’s Kerberos services instead of the Globus Auth service, which produces a similar result but won’t work with the user-defined group features mentioned above.” (From Reference 3 below.)
Globus Auth | yes | Provides the authentication service used by end users to log in to XUP and obtain an XSEDE OAuth2 token that can be used with other XSEDE services, plus the ability for end users to link their XSEDE identities with non-XSEDE identities (e.g., InCommon campus identities, DOE and other agency identities, etc.). Activity XCI-2 produced a document that Science Gateways can use to support XSEDE authentication.
Globus Toolkit GSISSH Setup on SSO Hub | yes | An SSH service hosted by XSEDE that allows XSEDE end users to log in using their XSEDE user identity and connect to XSEDE SP resources (where they are authorized) without entering additional user credentials.
Kerberos | no | The repository that stores XSEDE usernames and passwords and authenticates XSEDE identities for Globus Auth.
MyProxy | no | A service hosted by XSEDE that translates an XSEDE username and password (see Kerberos above) into the X.509 proxy certificates required by some XSEDE and legacy TeraGrid services.
XSEDE Central Database (XCDB) | no | The repository that stores XSEDE user profile data, including everything except usernames and passwords (see Kerberos above), user-defined groups (currently unimplemented), and links with non-XSEDE identities (see Globus Auth above).
XSEDE User Portal (XUP) | yes | portal.xsede.org. The front-end user interface to the XSEDE system, where end users register with XSEDE, manage their user profile information, and request allocations to use XSEDE SP resources. Web SSO is provided via the ‘Other Sign In Options’ sign-in option, which uses 3-legged Globus Auth.