[#XCI-30] Provide InCommon Identity Provider for XSEDE Identities

Created: 11/10/2016  Updated: 07/24/2018

Status: Closed
Project: XSEDE Cyberinfrastructure Integration
Component/s: XSEDE InCommon Identity Provider (IdP)
Fix Version/s: PY6 Increment A (Sep - Dec '16)

Type: XCI Enhanced Capability
Priority: Major
Reporter: Jim Basney
Assignee: Shava Smallen
Resolution: Unresolved
Votes: 0

relates to XCI-41 CDP for IDM-11: Use an XSEDE identity... Closed
relates to XCI-420 Revised CDP for IDM-11: Use an XSEDE ... Closed
relates to XCI-339 Replace weblogin.xsede.org with CILog... Design
has review REVIEW-40 XCI-30 Provide InCommon Identity Prov... Closed
has review REVIEW-42 XCI-30 Provide InCommon Identity Prov... Closed
XSEDE Enterprise Services
XSEDE Priority: -
Use Case Priority: High
Discussion Thread: https://www.xsede.org/web/staff/staff-message-board/-/message_boards/category/1431370
Public activity link: https://software.xsede.org/display/xci-30
Devel Repository: https://software.xsede.org/svn/xci/activities/xci-030/trunk/
IDM-11: Use a community identity for InCommon authentication
Staff Name (Lastname, Firstname) | Effort (person weeks) | Roles or Contributions | Status
Basney, Jim | 2 | two weeks of effort to lead and implement the activity (required) | complete
Fleury, Terry | 2 | two weeks of effort to finalize implementation and assist with deployment plans | complete
TBD | 0.2 | one day of effort to draft user documentation (required) | complete
TBD (tester) | 1 | one week of effort to test the software | complete
Date | Activity Deliverable | Detail | Status
2017-02-01 | Software Documentation (or D-SD) | Design documentation for XSEDE InCommon IdP | done
2017-03-01 | Implemented Software Capability (or D-SW) | XSEDE IdP deployed and ready for testing | complete
2017-03-16 | Software Documentation (or D-SD) | Deployment documentation for XSEDE InCommon IdP | done
2017-03-16 | Software Documentation (or D-SD) | Test plan for XSEDE InCommon IdP | done
2017-04-01 | End-User Documentation (or D-UD) | User documentation for XSEDE InCommon IdP | done
2017-04-01 | Engineering Data (or D-ED) | TRR Baseline (Shava) | done
2017-05-01 | Engineering Data (or D-ED) | Deployment Baseline (Shava) | done
2017-05-01 | Engineering Data (or D-ED) | Test Report (Shava) | none
Activity Lead: Jim Basney
Lead Tester: Shava Smallen
Peter Enstrom, Shava Smallen
Design Document: https://software.xsede.org/svn/xci/activities/xci-030/trunk/Deliverables/XSEDE-InCommon-IdP-Design.pdf
Test Plan: https://software.xsede.org/svn/xci/activities/xci-030/trunk/Deliverables/XSEDE-InCommon-IdP-TestPlan.pdf
User documentation: https://www.xsede.org/security/incommon
Deployment Plan: https://software.xsede.org/svn/xci/activities/xci-030/trunk/Deliverables/XSEDE-InCommon-IdP-Deployment.pdf
TRR Baseline: https://software.xsede.org/svn/xci/activities/xci-030/tags/TRR
Test Report: https://docs.google.com/document/d/12VZmM1Uq193AqmXR35x1-mDqivsqasHN9OR53HN8Rn8/edit?usp=sharing


Create an InCommon identity provider (IdP) for XSEDE users. NCSA already operates its own InCommon IdP, and supporting an XSEDE IdP on the same NCSA infrastructure would be a low cost way to provide this service to the XSEDE user community.

Today a significant proportion of US researchers are unable to access services using a federated identity because their home institution does not operate a suitable InCommon identity provider (IdP). XSEDE users currently reside at over 500 US higher education institutions, while fewer than 130 institutions operate "research and scholarship" compatible InCommon IdPs (https://spaces.internet2.edu/x/-IKVAQ). As a result, XSEDE users have difficulty accessing federated services (e.g., GENI, LIGO, and other international science projects).
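The "research and scholarship compatible" figure above is a property an IdP declares in federation metadata: an IdP that releases the R&S attribute bundle carries the entity attribute http://macedir.org/entity-category-support with the value http://refeds.org/category/research-and-scholarship, while an SP that merely belongs to R&S carries http://macedir.org/entity-category instead. The following is an added example (not code from the ticket or the XSEDE IdP) showing how an operator can derive such a count from a SAML metadata aggregate; the aggregate and the entity IDs it contains are constructed placeholders, and the check deliberately treats SP membership and IdP support as different things.

```python
"""Check which IdPs in a SAML metadata aggregate assert support for the
REFEDS Research & Scholarship (R&S) entity category.

Added example (not part of the XCI-30 ticket or the XSEDE IdP code).
The metadata aggregate below is constructed for illustration and the
entity IDs are placeholders, not real InCommon entities.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# An IdP declares that it releases the R&S attribute bundle with the
# "-support" entity attribute; an SP declares *membership* in R&S with
# the plain "entity-category" attribute. Only the former says anything
# about what a user's home IdP will release.
ENTITY_CATEGORY_SUPPORT = "http://macedir.org/entity-category-support"
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"

# Constructed sample aggregate: one R&S-supporting IdP, one IdP with no
# entity attributes, and one SP that is an R&S member (not an IdP).
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}"
    Name="urn:example:constructed-aggregate">
  <md:EntityDescriptor entityID="https://idp.example-a.edu/idp/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ENTITY_CATEGORY_SUPPORT}"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>{RS_CATEGORY}</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example-b.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example-c.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ENTITY_CATEGORY}"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>{RS_CATEGORY}</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_attribute_values(entity, name):
    """Return the values of the named entity attribute on an EntityDescriptor."""
    values = []
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        if attr.get("Name") == name:
            for value in attr.findall("saml:AttributeValue", NS):
                if value.text:
                    values.append(value.text.strip())
    return values


def rs_support_by_idp(metadata_xml):
    """Map each IdP entityID to True if it asserts R&S support, else False.

    Entities without an IDPSSODescriptor (e.g. SPs) are skipped, so an
    SP's R&S membership is never counted as IdP support.
    """
    root = ET.fromstring(metadata_xml)
    support = {}
    for entity in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if entity.find("md:IDPSSODescriptor", NS) is None:
            continue
        categories = entity_attribute_values(entity, ENTITY_CATEGORY_SUPPORT)
        support[entity.get("entityID")] = RS_CATEGORY in categories
    return support


def count_rs_idps(metadata_xml):
    """Number of IdPs in the aggregate that an R&S service can rely on."""
    return sum(1 for ok in rs_support_by_idp(metadata_xml).values() if ok)


if __name__ == "__main__":
    for entity_id, ok in rs_support_by_idp(SAMPLE_METADATA).items():
        print(f"{'R&S   ' if ok else 'no R&S'}  {entity_id}")
    print("R&S-supporting IdPs:", count_rs_idps(SAMPLE_METADATA))
```

Run against a real aggregate, the same functions give the gap the ticket describes: every IdP that comes back False is a home institution whose users cannot reach an R&S service with a federated identity, which is exactly the population a catch-all IdP such as the proposed XSEDE IdP is meant to cover.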

To address this need, XSEDE should operate an InCommon IdP for XSEDE users, allowing them to authenticate with their XSEDE Kerberos/Duo credentials for access to services federated by InCommon. Partner projects including GENI and LIGO have approached us about relying on an XSEDE IdP to authenticate their users who don't have a home IdP. An XSEDE IdP is a natural option because many of these users already have XSEDE accounts and XSEDE makes it easy for users to sign up for an account. This would save those other NSF projects the cost of operating their own catch-all IdP, since they could rely on XSEDE's existing identity management capabilities. Also, XSEDE's InCommon IdP would provide a SAML Single Sign-On option for XSEDE services, to complement the OpenID Connect support provided by Globus, giving another standard method for integrating with XSEDE identity management. This IdP would also enable XSEDE users to log in to CILogon with their XSEDE identities.
