XSEDE Capability Delivery Plan for "IDM-12: Single sign-on for XSEDE OpenStack resources"

Use Case IDM-12: Single sign-on across community OpenStack resources

Area: Account Management
URLs: Public, Review

Executive Summary: A researcher or educator (hereafter referred to as “the user”) wants to authenticate once using his/her community identity and subsequently have authenticated access to all of the OpenStack resources available in the community. These services might include a central object library (e.g. images, data, etc.), objects stored by that user on other service providers' resources, or cloud computing features such as elastic scheduling of instances.

First CDP: 2018-09-05
Current CDP: 2018-09-05
Current Implementation Status: 
Issues Remaining: 
Time & Effort Summary: 

This use case is highly speculative. At the time of writing, only one XSEDE resource provides its users with access to the OpenStack APIs, so there is no other system with which "single sign-on" could work. Further, even when additional resources become available, it is unlikely that users will be given allocations that span multiple resources.

No effort or changes are proposed at this time.

Significant Revisions:
  • 2018-09-05 14:28 (current revision)
This capability is currently supported by the following 2 components:

Component: Globus Auth
User facing? yes
Component's role in the capability: Globus Auth is XSEDE's Web Single Sign-On (Web SSO) service. Beyond supporting user authentication for Web browser-based "Web apps," Globus Auth also provides OAuth2-based authentication for use by REST APIs. OpenStack APIs can use OAuth2 access tokens for authentication. Thus, Globus Auth can be used to protect access to OpenStack APIs, including user authentication.

Component: Service Provider IaaS (Cloud) Services
User facing? yes
Component's role in the capability: The OpenStack API-accessible cloud resources provided by XSEDE Service Providers (SPs) are the core of this use case's implementation. These are the resources that will be used once authentication is accomplished via Single Sign-On. The authentication service must provide access tokens that allow authentication to the OpenStack APIs for each resource.
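The per-resource token check implied by the last component row, as an added illustration (not XSEDE, Globus Auth or OpenStack code): the API front end at one Service Provider decides whether an introspected SSO access token may be honoured by its own OpenStack resource, and the same one-time token is accepted at a second SP only if it was issued for that resource too. The resource ids, scope strings, introspection fields and timestamps are constructed assumptions; Globus Auth's real scope names are not on this page.

```python
import time

# Constructed for this example: the scope string each Service Provider (SP)
# registers with the SSO service for its own OpenStack API.
RESOURCE_SCOPES = {
    "sp-a-cloud": "https://auth.example.org/scopes/sp-a/openstack",
    "sp-b-cloud": "https://auth.example.org/scopes/sp-b/openstack",
}

def authorize(introspection, resource_id, now=None):
    """Decide whether an introspected access token may be honoured by the
    OpenStack API of `resource_id`.  Returns (subject, None) on success or
    (None, reason) on failure; the caller maps `subject` to a local account."""
    now = time.time() if now is None else now
    if not introspection.get("active"):
        return None, "token inactive (revoked, expired or unknown to the issuer)"
    if introspection.get("exp", 0) <= now:
        return None, "token expired"
    if RESOURCE_SCOPES[resource_id] not in introspection.get("scope", "").split():
        return None, f"token carries no scope for {resource_id}"
    aud = introspection.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if resource_id not in aud:
        return None, f"token audience does not include {resource_id}"
    return introspection["sub"], None

# Constructed sample introspection responses (RFC 7662 shape); a real SSO
# service would return these for a bearer token presented by the client.
NOW = 1536148800  # 2018-09-05T12:00:00Z, the date of this CDP
SSO_TOKEN = {          # issued once, usable at both SPs: the single sign-on case
    "active": True, "sub": "researcher@example.org", "exp": NOW + 3600,
    "scope": " ".join(RESOURCE_SCOPES.values()),
    "aud": ["sp-a-cloud", "sp-b-cloud"],
}
SP_A_ONLY_TOKEN = {    # same user, but issued for SP A's cloud alone
    "active": True, "sub": "researcher@example.org", "exp": NOW + 3600,
    "scope": RESOURCE_SCOPES["sp-a-cloud"], "aud": "sp-a-cloud",
}

if __name__ == "__main__":
    for name, tok in (("sso", SSO_TOKEN), ("sp-a-only", SP_A_ONLY_TOKEN)):
        for rid in RESOURCE_SCOPES:
            print(name, rid, authorize(tok, rid, now=NOW))
```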