XSEDE Capability Delivery Plan for "CB-08: Use XSEDE SSO with campus login servers"
Executive Summary: A campus IT administrator wants to allow XSEDE-registered researchers to log in to campus login servers (remote command shell) using their XSEDE usernames/passwords.
First CDP: 2017-01-23
|Component||User facing?||Component’s role in the capability|
|Globus Toolkit GSISSH Client/Server||yes||GSISSH is a Secure Shell (SSH) implementation that supports certificate-based authentication. Researchers use GSISSH to log in to campus login servers from the XSEDE SSO Hub. GSISSH requires a grid-mapfile on the campus login server that maps XSEDE certificate identities to local campus accounts.|
|Globus Toolkit GSISSH Setup on SSO Hub||yes||The SSO Hub automatically creates accounts for XSEDE users on active allocations. When users log in to the SSO Hub, it loads a certificate into the user session, so they can use GSISSH to log in to XSEDE SPs and campus login servers.|
|AMIE||no||The Accounting and Account Management (AMIE) system provides mappings between the user's campus identity and XSEDE identity, enabling remote login via GSISSH to the campus login server from the XSEDE SSO Hub. The campus IT administrator will need to install AMIE software on the campus login server(s) to handle AMIE packets, then process those packets to create the needed account mappings (i.e., populate the local grid-mapfile that GSISSH uses to map XSEDE certificate identities to local campus accounts).|
|XSEDE CA Certificate Installer||no||The campus IT administrator will need to install the bundle of XSEDE trusted CAs to enable GSISSH access.|
|Information Publishing Framework (IPF)||no||The campus IT administrator will register the campus login server(s) as supporting login.remoteshell.gsi via the Resource Information Publishing Framework (IPF) so these login resources can be automatically supported by the SSO Hub.|
|XSEDE MyProxy||no||MyProxy issues certificates to XSEDE users on active allocations to enable single sign-on (SSO). To enable SSO access by campus researchers, the campus IT administrator must add those researchers to an L3 Resource Login Allocation, so they can obtain certificates from MyProxy.|
|Resource Description Repository (RDR)||no||The campus HPC/HTC/storage/Viz resource must be registered as a resource in the Resource Description Repository (RDR) to enable AMIE processing.|
|XSEDE Central Database (XCDB)||no||The campus IT administrator 1) registers their campus login service(s) in the XSEDE Central Database (XCDB) as a resource eligible for L3 Resource Login Allocations, 2) establishes an allocation associated with that resource in the XCDB, and 3) adds researchers to that allocation. XCDB generates AMIE packets linking the researchers' campus and XSEDE identities.|
|XSEDE User Portal (XUP)||yes||The XSEDE User Portal (XUP) provides the interfaces for managing accounts and allocations.|
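
An added example, not part of the XSEDE plan or any XSEDE tooling: a small audit of the grid-mapfile that the GSISSH and AMIE rows describe, flagging mappings an administrator should review before enabling remote login. It assumes the usual grid-mapfile line format (a quoted certificate DN followed by comma-separated local accounts); the DNs, account names, `PRIVILEGED` list and expected DN prefix are constructed for illustration.

```python
import shlex

# Assumption: local accounts that must never be reachable via a certificate mapping.
PRIVILEGED = {"root", "daemon", "bin", "sys", "adm"}
# Constructed sample; the DNs and account names are made up for this example.
SAMPLE = '''\
# campus login server grid-mapfile (constructed)
"/C=US/O=Example Org/CN=Alice Researcher" alice
"/C=US/O=Example Org/CN=Bob Analyst" bob,root
/C=US/O=Example Org/CN=Carol Unquoted carol
"/C=US/O=Other Org/CN=Dave Outsider" dave
"/C=US/O=Example Org/CN=Alice Researcher" alice2
'''

def parse_gridmap(text):
    """Return (entries, errors); an entry is (line_no, dn, [local accounts])."""
    entries, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)  # honours the quotes around the DN
        except ValueError:
            errors.append((n, "unbalanced quotes"))
            continue
        if len(parts) != 2 or not parts[0].startswith("/"):
            errors.append((n, 'expected "<DN>" <account>[,<account>]'))
            continue
        entries.append((n, parts[0], [a for a in parts[1].split(",") if a]))
    return entries, errors

def audit_gridmap(text, expected_dn_prefix):
    """Return sorted (line_no, finding) pairs for mappings an admin should review."""
    entries, errors = parse_gridmap(text)
    findings = [(n, "malformed: " + msg) for n, msg in errors]
    first_seen = {}
    for n, dn, accounts in entries:
        if not dn.startswith(expected_dn_prefix):
            findings.append((n, "DN outside expected namespace"))
        findings += [(n, "maps to privileged account " + a) for a in accounts if a in PRIVILEGED]
        if dn in first_seen:
            findings.append((n, "duplicate DN, first seen on line %d" % first_seen[dn]))
        first_seen.setdefault(dn, n)
    return sorted(findings)

if __name__ == "__main__":
    for line_no, finding in audit_gridmap(SAMPLE, "/C=US/O=Example Org/"):
        print("line %d: %s" % (line_no, finding))
```

Run it against a copy of the real grid-mapfile with the DN prefix of the certificates the site expects to accept; an empty result means every line parsed and none of the three conditions matched.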