XSEDE Capability Delivery Plan for "CAN-06: Authenticate to one or more SP resources, SP services, and XSEDE central services"
Use Case CAN-06: Authenticate to one or more SP resources, SP services, and XSEDE central services
Area: Enabling FunctionsURLs: Public
First CDP: 2017-12-14
Current Implementation Status:
Issues to be Addressed:
Issues Remaining:
- XSEDE's Zimbra briefcase feature to share files securely (zimbra.xsede.org; needed for IMAP and POP for some apps.)
- Searchable archives of XSEDE mailing lists (mhonarc.xsede.org)
- XSEDE's Sharepoint service (https://share.sdsc.edu/xsede)
This capability is currently supported by the following 7 components:
| Component | User facing? | Component’s role in the capability |
|---|---|---|
| Genesis II Secure Token Service (WS-Trust STS) | no | An externally supported service that translates XSEDE OAuth2 tokens (user identity, group membership) obtained from Globus Auth and XUP into the signed SAML chains required by XSEDE Genesis II and UNICORE services, including GFFS. The WS-STS helps provide SSO for SOAP web services and we have no gaps for WS-STS at this time. Also: “WS Trust Secure Token Service (STS) for translating OAuth 2.0 tokens into signed SAML assertions. This translation is used by Genesis II clients to obtain the signed SAML credentials needed to use Genesis II and UNICORE clients and services, including both GFFS and remote job submission. Note that Genesis II clients have a pre existing workaround that uses XSEDE’s Kerberos services instead of the Globus Auth service, which produces a similar result but won’t work with the user- defined group features mentioned above.” FROM: Reference 3 below. |
| Globus Auth | yes | Provides the authentication service used by end users to login to XUP and obtain an XSEDE OAuth2 token that can be used with other XSEDE services, plus the ability for end users to link their XSEDE identities with non- XSEDE identities (e.g., InCommon campus identities, DOE and other agency identities, etc.). Activity XCI-2 produced a document that Science Gateways can use to support XSEDE authentication. |
| Globus Toolkit GSISSH Setup on SSO Hub | yes | An SSH service hosted by XSEDE that allows XSEDE end users to login using their XSEDE user identity and connect to XSEDE SP resources (where they are authorized) without entering additional user credentials. |
| Kerberos | no | The repository that stores XSEDE usernames and passwords and authenticates XSEDE identities for Globus Auth. |
| MyProxy | no | A service hosted by XSEDE that translates XSEDE username and password (see Kerberos above) into X.509 proxy certificates required by some XSEDE and legacy TeraGrid services. |
| XSEDE Central Database (XCDB) | no | The repository that stores XSEDE user profile data, including everything except usernames and passwords (see Kerberos, below), user defined groups (currently unimplemented), and links with non -XSEDE identities (see Globus Auth, below). |
| XSEDE User Portal (XUP) | yes | portal.xsede.org . The front end user interface to the XSEDE system where end users register with XSEDE, manage their user profile information, and request allocations to use XSEDE SP resources. Web SSO is provided via the ‘Other Sign In Options’ SignIn option, which uses 3-legged Globus Auth. |
