XSEDE Capability Delivery Plan for "CB-01: InCommon-based Authentication"

Use Case CB-01: InCommon-based Authentication

Area: Community Building
URLs: Public, Review

Executive Summary: A campus IT administrator would like researchers at his/her campus to be able to log in to XSEDE resources using InCommon-based authentication mechanisms.

URLs: Public
First CDP: 2016-11-22
Current CDP: 
Current Implementation Status: 
Issues Remaining: 
  • XSEDE authentication still required
  • Relationship with 3rd-party InCommon Identity Provider not established
  • Web-based interface to shell window not provided
This capability is currently supported by the following 3 components:

| Component | User facing? | Component's role in the capability |
|---|---|---|
| Globus Auth | yes | Globus Auth is an identity and access management (IAM) platform service. Globus Auth relies on CILogon for InCommon SAML authentication. Globus Auth provides an OAuth (OpenID Connect) interface for integration of IAM capabilities with XSEDE-operated services, XSEDE Level 1-3 resources, and campus IT resources. Globus Auth provides the mapping between InCommon identities and XSEDE identities, authorization, group management, and accounting functions. |
| XSEDE InCommon Identity Provider (IdP) | yes | CILogon enables XSEDE users to log in using InCommon SAML authentication. CILogon is an InCommon SAML Service Provider. CILogon provides an OAuth (OpenID Connect) interface for integration with other XSEDE components (e.g., Globus Auth) and an IGTF-accredited Certification Authority for issuing certificates based on InCommon SAML authentication for use with XSEDE certificate-enabled services (e.g., GSISSH, GridFTP, UNICORE). |
| XSEDE User Portal (XUP) | yes | The XSEDE User Portal (XUP) supports InCommon-based authentication (currently via CILogon, soon via Globus Auth). The XUP also provides a front-end to the XSEDE Resource Allocation Service (XRAS), with support for InCommon-based authentication. |