XSEDE Capability Delivery Plan for "CB-08: Use XSEDE SSO with campus login servers"

Use Case CB-08: Use XSEDE SSO with campus login servers

Area: Community Building
URLs: Public, Review

Executive Summary: A campus IT administrator wants to allow XSEDE­-registered researchers to login to campus login servers (remote command shell) using their XSEDE usernames/passwords.

URLs: Public
First CDP: 2017-01-23
Current CDP: 
Current Implementation Status: 
Issues to be Addressed: 
This capability is currently supported by the following 9 components:
Component User facing? Component’s role in the capability
AMIE no The Accounting and Account Management (AMIE) system provides mappings between the user's campus identity and XSEDE identity, enabling remote login via GSISSH to the campus login server from the XSEDE SSO Hub. The campus IT administrator will need to install AMIE software on the campus login server(s) to handle AMIE packets and then the campus IT administrator will need to process the packets to create the needed account mappings (i.e., populate the local grid-mapfile used by GSISSH to map XSEDE certificate identities to local campus accounts).
Globus Toolkit GSISSH Client/Server yes GSISSH is a Secure Shell (SSH) implementation that supports certificate-based authentication. Researchers use GSISSH to log in to campus login servers from the XSEDE SSO Hub. GSISSH requires a grid-mapfile on the campus login server that maps XSEDE certificate identities to local campus accounts.
Globus Toolkit GSISSH Setup on SSO Hub yes The SSO Hub automatically creates accounts for XSEDE users on active allocations. When users log in to the SSO Hub, it loads a certificate into the user session, so they can use GSISSH to log in to XSEDE SPs and campus login servers.
Information Publishing Framework (IPF) no The campus IT administrator will register the campus login server(s) as supporting the login.remoteshell.gsi via the Resource Information Publishing Framework (IPF) so these login resources can be automatically supported by the SSO Hub.
Resource Description Repository (RDR) no The campus HPC/HTC/storage/Viz resource must be registered as a resource in the Resource Description Repository (RDR) to enable AMIE processing.
XSEDE CA Certificate Installer no The campus IT administrator will need to install the bundle of XSEDE trusted CAs to enable GSISSH access.
XSEDE Central Database (XCDB) no The campus IT administrator 1) registers his/her campus login service(s) in the XSEDE Central Database (XCDB) as a resource eligible for L3 Resource Login Allocations, 2) establishes an allocation associated with that resource in the XCDB, and 3) adds researchers to that allocation. XCDB generates AMIE packets linking the researchers' campus and XSEDE identities.
XSEDE MyProxy no MyProxy issues certificates to XSEDE users on active allocations to enable single sign-on (SSO). To enable SSO access by campus researchers, the campus IT administrator must add those researchers to an L3 Resource Login Allocation, so they can obtain certificates from MyProxy.
XSEDE User Portal (XUP) yes The XSEDE User Portal (XUP) provides the interfaces for managing accounts and allocations.