XSEDE Capability Delivery Plan for "CAN-06: Authenticate to one or more SP resources, SP services, and XSEDE central services"

Use Case CAN-06: Authenticate with an application

Area: Enabling Functions
URLs: Public, Review

Executive Summary: An individual needs to securely share his or her identity with an application in order to use a feature that requires authorization.

URLs: Public
First CDP: 2017-12-14
Current CDP: 
Current Implementation Status: 
Issues to be Addressed: 
Issues Remaining: 
  • XSEDE's Zimbra briefcase feature to share files securely (zimbra.xsede.org; needed for IMAP and POP for some apps.)
  • Searchable archives of XSEDE mailing lists (mhonarc.xsede.org)
  • XSEDE's Sharepoint service (https://share.sdsc.edu/xsede)
This capability is currently supported by the following 7 components:
Component: Genesis II Secure Token Service (WS-Trust STS)
User facing? No
Role in the capability: An externally supported service that translates XSEDE OAuth2 tokens (user identity, group membership) obtained from Globus Auth and XUP into the signed SAML chains required by XSEDE Genesis II and UNICORE services, including GFFS. The WS-STS helps provide SSO for SOAP web services, and we have no gaps for WS-STS at this time. Also: "WS-Trust Secure Token Service (STS) for translating OAuth 2.0 tokens into signed SAML assertions. This translation is used by Genesis II clients to obtain the signed SAML credentials needed to use Genesis II and UNICORE clients and services, including both GFFS and remote job submission. Note that Genesis II clients have a pre-existing workaround that uses XSEDE's Kerberos services instead of the Globus Auth service, which produces a similar result but won't work with the user-defined group features mentioned above." (From Reference 3 below.)

Component: Globus Auth
User facing? Yes
Role in the capability: Provides the authentication service used by end users to log in to XUP and obtain an XSEDE OAuth2 token that can be used with other XSEDE services, plus the ability for end users to link their XSEDE identities with non-XSEDE identities (e.g., InCommon campus identities, DOE and other agency identities, etc.). Activity XCI-2 produced a document that Science Gateways can use to support XSEDE authentication.

Component: Globus Toolkit GSISSH Setup on SSO Hub
User facing? Yes
Role in the capability: An SSH service hosted by XSEDE that allows XSEDE end users to log in using their XSEDE user identity and connect to XSEDE SP resources (where they are authorized) without entering additional user credentials.

Component: Kerberos
User facing? No
Role in the capability: The repository that stores XSEDE usernames and passwords and authenticates XSEDE identities for Globus Auth.

Component: MyProxy
User facing? No
Role in the capability: A service hosted by XSEDE that translates an XSEDE username and password (see Kerberos above) into the X.509 proxy certificates required by some XSEDE and legacy TeraGrid services.

Component: XSEDE Central Database (XCDB)
User facing? No
Role in the capability: The repository that stores XSEDE user profile data, including everything except usernames and passwords (see Kerberos above), user-defined groups (currently unimplemented), and links with non-XSEDE identities (see Globus Auth above).

Component: XSEDE User Portal (XUP)
User facing? Yes
Role in the capability: portal.xsede.org. The front-end user interface to the XSEDE system where end users register with XSEDE, manage their user profile information, and request allocations to use XSEDE SP resources. Web SSO is provided via the 'Other Sign In Options' sign-in option, which uses 3-legged Globus Auth.
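The components above describe two places where authentication decisions are made: the 3-legged Globus Auth flow by which XUP (or a Science Gateway following the XCI-2 document) obtains an XSEDE OAuth2 token, and the check an SP service must perform before it trusts such a token. The following is an added example, not code from XSEDE, Globus, or this plan: it models the gateway side of the authorization-code flow (state binding and PKCE) and the SP-side validation of an introspection reply. The Globus Auth endpoint paths are an assumption of the example; the client id, redirect URI, scopes and the introspection reply are constructed sample values.

```python
import base64
import hashlib
import secrets
import time
import urllib.parse

# Endpoint paths follow Globus Auth's published OAuth2 API; treat them as an
# assumption of this example rather than something stated in the plan.
AUTHORIZE_URL = "https://auth.globus.org/v2/oauth2/authorize"
TOKEN_URL = "https://auth.globus.org/v2/oauth2/token"


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for PKCE (RFC 7636, S256)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scopes, state, code_challenge):
    """Leg 1: the gateway redirects the browser to the authorization server."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,  # binds the eventual callback to this login session
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def validate_callback(query_string, expected_state):
    """Leg 2: the browser comes back to redirect_uri; accept only a callback
    bound to the state we issued, and surface server-reported errors."""
    params = dict(urllib.parse.parse_qsl(query_string))
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: callback not bound to this login session")
    if "error" in params:
        raise ValueError("authorization server reported: " + params["error"])
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"]


def build_token_request(code, redirect_uri, client_id, code_verifier):
    """Leg 3: form body the gateway POSTs server-to-server to TOKEN_URL."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": code_verifier,
    }


def check_introspected_token(introspection, required_scope, expected_audience, now=None):
    """SP side: decide from an introspection reply whether a bearer token
    grants access to this service. Returns (accepted, reason_or_username)."""
    now = time.time() if now is None else now
    if not introspection.get("active"):
        return False, "token inactive or revoked"
    if introspection.get("exp", 0) <= now:
        return False, "token expired"
    audiences = introspection.get("aud", [])
    if isinstance(audiences, str):
        audiences = [audiences]
    if expected_audience not in audiences:
        return False, "token was not issued for this service"
    granted = set(introspection.get("scope", "").split())
    if required_scope not in granted:
        return False, "token lacks scope " + required_scope
    return True, introspection.get("username", introspection.get("sub", ""))


# Constructed sample introspection reply (not a real token or real user).
SAMPLE_INTROSPECTION = {
    "active": True,
    "exp": 1_700_000_000,
    "aud": ["example-gateway-client-id"],
    "scope": "openid profile urn:example:gateway:all",
    "username": "alice-example",
}

if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    redirect = "https://gateway.example.org/callback"
    print(build_authorize_url("example-gateway-client-id", redirect,
                              ["openid", "profile"], state, challenge))
    code = validate_callback("code=constructed-code&state=" + state, state)
    print(build_token_request(code, redirect, "example-gateway-client-id", verifier))
    print(check_introspected_token(SAMPLE_INTROSPECTION, "urn:example:gateway:all",
                                   "example-gateway-client-id", now=1_699_999_000))
```

The gateway never sees the user's Kerberos password: it only ever handles the authorization code and the resulting token, while the SP service decides on audience, expiry and scope rather than on the mere presence of a bearer token.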