Skip to content Skip to navigation

JIRA Issue

[#XCI-29] Expand Two Factor Authentication for XSEDE Users to Globus Auth, XUP, OAuth, MyProxy

[XCI-29] Expand Two Factor Authentication for XSEDE Users to Globus Auth, XUP, OAuth, MyProxy Created: 11/10/2016  Updated: 08/22/2018

Status: Proposed
Project: XSEDE Cyberinfrastructure Integration
Component/s: None
Fix Version/s: PY8 (Sep '18 - Aug '19)

Type: XCI New Capability Priority: Major
Reporter: Jim Basney Assignee: Jim Basney
Resolution: Unresolved Votes: 0

Issue Links:
Relates
relates to XCI-125 CDP for CAN-6: Implement Web Single S... Closed
relates to XCI-126 Support InCommon authentication on th... Closed
XSEDE Priority: -
XSEDE Areas:
RACD Security
Use Case Priority: High
Public activity link: https://software.xsede.org/display/xci-29
Devel Repository: https://software.xsede.org/svn/xci/activities/xci-029/trunk/
Use Cases:
CAN-04: Interactive Login
Effort and Costs:
Staff Name (Lastname, Firstname) Effort (person weeks) Roles or Contributions Status
<Activity Lead Name – Last, First> 6 six weeks of effort to lead and implement the activity (required) none
<User Doc Drafter – Last, First> 0.2 one day of effort to draft user documentation (required ) none
TBD (tester) 1 one week of effort to test the software none
... ... .. none
Deliverables:
Target
Date
Actual
Date
Activity Deliverable Detail Status
((yyyy-mm-dd)) ((yyyy-mm-dd)) ((Deliverable name and/or ID)) ((deliverable detail)) none
**Example:**        
2029-12-31 2029-12-31 Software Documentation (or D-SD) Design documentation for Component XXX none
2029-12-31 2029-12-31 Implemented Software Capability (or D-SW) Package XXX none
2029-12-31 2029-12-31 Software Documentation (or D-SD) Deployment documentation for Component XXX none
2029-12-31 2029-12-31 Software Documentation (or D-SD) Test plan for Component XXX none
2029-12-31 2029-12-31 End-User Documentation (or D-UD) User documentation for Component XXX none
2029-12-31 2029-12-31 Engineering Data (or D-ED) TRR Baseline (Shava) none
2029-12-31 2029-12-31 Engineering Data (or D-ED) Deployment Baseline (Shava) none
2029-12-31 2029-12-31 Engineering Data (or D-ED) Test Report (Shava) none
Lead Tester: Shava Smallen

 Description   

This issue revives SDIACT-181 as a follow-on to SDIACT-180.

Implement a Phase II deployment of two factor authentication (TFA) that can be made available as an optional authentication method that can be used by all XSEDE users. Document lessons learned from Phase I deployment (SDIACT-180), which uses MyProxy as the first authentication factor and Duo Security as the second authentication factor. Enable integration with the XSEDE User Portal (via Globus Auth?) according to Use Case IDM-3. Allow access to two-factor-only resources (e.g., TACC) from the SSO Hub (e.g., by integrating with a MyProxy CA that can issue certificates that indicate the use of TFA). Explore support for other TFA use cases (e.g., for science gateways as requested in XSEDE Ticket #37592).

References:

  • Use Case IDM-3: User changes his/her XSEDE user profile - "If the user has two-factor authentication enabled, Step 3 will require the user to authenticate via a second factor before proceeding."
  • Ticket #37592: XSEDE TFA for science gateway


 Comments   

There are comments for XCI-29 that can be viewed with XSEDE authentication.