Research Software Portal
Provided by XSEDE
XSEDE Capability Delivery Plan for "CAN-06: Authenticate to one or more SP resources, SP services, and XSEDE central services"
Primary tabs
Use Case CAN-06: Authenticate with an application
Area: Enabling FunctionsURLs: Public, Review
Executive Summary: A community member needs to securely share his or her identity with an application in order to use a feature that requires authorization. The community member is a researcher, student, staff member, or other involved party. The application may be a website or web application, a locally-installed application or mobile app, a network service (e.g., SSH, GridFTP), or an application interface (API) accessed via software.
Organization:
XSEDE
First CDP: 2017-12-14
Current CDP:
Current Implementation Status:
Issues to be Addressed:
Issues Remaining:
- XSEDE's Zimbra briefcase feature to share files securely (zimbra.xsede.org; needed for IMAP and POP for some apps.)
- Searchable archives of XSEDE mailing lists (mhonarc.xsede.org)
- XSEDE's Sharepoint service (https://share.sdsc.edu/xsede)
This capability is currently supported by the following 7 components:
| Component | User facing? | Component’s role in the capability |
|---|---|---|
| Genesis II Secure Token Service (WS-Trust STS) | no | An externally supported service that translates XSEDE OAuth2 tokens (user identity, group membership) obtained from Globus Auth and XUP into the signed SAML chains required by XSEDE Genesis II and UNICORE services, including GFFS. The WS-STS helps provide SSO for SOAP web services and we have no gaps for WS-STS at this time. Also: “WS Trust Secure Token Service (STS) for translating OAuth 2.0 tokens into signed SAML assertions. This translation is used by Genesis II clients to obtain the signed SAML credentials needed to use Genesis II and UNICORE clients and services, including both GFFS and remote job submission. Note that Genesis II clients have a pre existing workaround that uses XSEDE’s Kerberos services instead of the Globus Auth service, which produces a similar result but won’t work with the user- defined group features mentioned above.” FROM: Reference 3 below. |
| Globus Auth | yes | Provides the authentication service used by end users to login to XUP and obtain an XSEDE OAuth2 token that can be used with other XSEDE services, plus the ability for end users to link their XSEDE identities with non- XSEDE identities (e.g., InCommon campus identities, DOE and other agency identities, etc.). Activity XCI-2 produced a document that Science Gateways can use to support XSEDE authentication. |
| Globus Toolkit GSISSH Setup on SSO Hub | yes | An SSH service hosted by XSEDE that allows XSEDE end users to login using their XSEDE user identity and connect to XSEDE SP resources (where they are authorized) without entering additional user credentials. |
| Kerberos | no | The repository that stores XSEDE usernames and passwords and authenticates XSEDE identities for Globus Auth. |
| MyProxy | no | A service hosted by XSEDE that translates XSEDE username and password (see Kerberos above) into X.509 proxy certificates required by some XSEDE and legacy TeraGrid services. |
| XSEDE Central Database (XCDB) | no | The repository that stores XSEDE user profile data, including everything except usernames and passwords (see Kerberos, below), user defined groups (currently unimplemented), and links with non -XSEDE identities (see Globus Auth, below). |
| XSEDE User Portal (XUP) | yes | portal.xsede.org . The front end user interface to the XSEDE system where end users register with XSEDE, manage their user profile information, and request allocations to use XSEDE SP resources. Web SSO is provided via the ‘Other Sign In Options’ SignIn option, which uses 3-legged Globus Auth. |
© XSEDE All Rights Reserved. Visit the Feedback page for assistance or to provide feedback.
The Extreme Science and Engineering Discovery Environment is supported by the National Science Foundation.
Administrative Login