XSEDE Capability Delivery Plan for "CB-01: InCommon-based Authentication"

Use Case CB-01: InCommon-based Authentication

Area: Community Building
URLs: Public, Review

Executive Summary: A campus IT administrator would like researchers at his/her campus to be able to log in to community resources using InCommon-based authentication mechanisms.

Organization: XSEDE
URLs: Public
First CDP: 2016-11-22
Current Implementation Status: 
Issues Remaining: 
  • XSEDE authentication still required
  • Relationship with 3rd-party InCommon Identity Provider not established
  • Web-based interface to shell window not provided
This capability is currently supported by the following 3 components:
| Component | User facing? | Component’s role in the capability |
| --- | --- | --- |
| Globus Auth | yes | Globus Auth is an identity and access management (IAM) platform service. Globus Auth relies on CILogon for InCommon SAML authentication. Globus Auth provides an OAuth (OpenID Connect) interface for integration of IAM capabilities with XSEDE-operated services, XSEDE Level 1-3 resources, and campus IT resources. Globus Auth provides the mapping between InCommon identities and XSEDE identities, authorization, group management, and accounting functions. |
| CILogon | yes | CILogon enables XSEDE users to log in using InCommon SAML authentication. CILogon is an InCommon SAML Service Provider. CILogon provides an OAuth (OpenID Connect) interface for integration with other XSEDE components (e.g., Globus Auth) and an IGTF accredited Certification Authority for issuing certificates based on InCommon SAML authentication for use with XSEDE certificate-enabled services (e.g., GSISSH, GridFTP, UNICORE). |
| XSEDE User Portal (XUP) | yes | The XSEDE User Portal (XUP) supports InCommon-based authentication (currently via CILogon, soon via Globus Auth). The XUP also provides a front-end to the XSEDE Resource Allocation Service (XRAS), with support for InCommon-based authentication. |