XSEDE Capability Delivery Plan for "IDM-07: Login to a locally installed application with XSEDE username/password"
Executive Summary: An XSEDE user needs to log in to a locally installed application (a command line program, graphical desktop application, or mobile application) using his/her XSEDE username and password, such that the application can securely interact with XSEDE services on behalf of the user.
Current CDP: 2018-08-25
- XCI-443: XSEDE does not allow applications to see or use XSEDE user passwords
- XCI-444: XSEDE's Web SSO for locally installed applications does not require users to authenticate with XSEDE
No effort or changes are proposed at this time. A solution for XCI-444 may be available in the near future, but we do not recommend attempting to integrate it now as there are no known applications that require this feature.
| Component | User facing? | Component’s role in the capability |
| --- | --- | --- |
| Globus Auth | yes | Globus Auth is XSEDE's Web Single-sign-on (Web SSO) service. It provides an OpenID Connect (OIDC) interface that allows users to authenticate using OIDC identity providers, notably including XSEDE's identity provider (XSEDE usernames/passwords) and CILogon, which maps credentials from thousands of InCommon and EduGAIN academic institutions. Locally installed applications can also use Globus Auth to authenticate users. Application developers can use Globus Auth's "native application" client feature. The application will receive the user's OIDC token with identity information supplied by the user's identity provider. Applications can also require that users register with XSEDE, in which case the application will receive the user's XSEDE username and user profile data in the OIDC token. |