[XCI-30] Provide InCommon Identity Provider for XSEDE Identities Created: 11/10/2016 Updated: 07/24/2018
Project: XSEDE Cyberinfrastructure Integration
Component/s: XSEDE InCommon Identity Provider (IdP)
Fix Version/s: PY6 Increment A (Sep - Dec '16)
Type: XCI Enhanced Capability
Priority: Major
Reporter: Jim Basney
Assignee: Shava Smallen
XSEDE Enterprise Services
Use Case Priority: High
Public activity link: https://software.xsede.org/display/xci-30
IDM-11: Use a community identity for InCommon authentication
Effort and Costs:
Planned Launch Date:
Actual Launch Date:
Planned Design Review Date:
Actual Design Review Date:
Planned Test Readiness Review Date:
Actual Test Readiness Review Date:
Planned Complete Date:
Actual Complete Date:
Operation Deployment Start Date:
Create an InCommon identity provider (IdP) for XSEDE users. NCSA already operates its own InCommon IdP, and supporting an XSEDE IdP on the same NCSA infrastructure would be a low-cost way to provide this service to the XSEDE user community.
Today a significant proportion of US researchers are unable to access services using a federated identity because their home institution does not operate a suitable InCommon identity provider (IdP). XSEDE users currently reside at over 500 US higher education institutions, while fewer than 130 institutions operate "research and scholarship" compatible InCommon IdPs (https://spaces.internet2.edu/x/-IKVAQ). As a result, XSEDE users have difficulty accessing federated services (e.g., GENI, LIGO, and other international science projects).
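The count of "research and scholarship" compatible IdPs above can be checked against the InCommon metadata aggregate: an IdP advertises that it releases the R&S attribute bundle by carrying an entity-category-support attribute in the EntityAttributes extension of its SAML metadata. The Python below is an added example, not code from the XSEDE project. The aggregate it parses is a constructed four-entity sample with made-up entityIDs, and it accepts both the REFEDS R&S category URI and the older InCommon-specific one.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# An IdP says "I support this category" with entity-category-support;
# an SP says "I am a member of this category" with entity-category.
CATEGORY_SUPPORT = "http://macedir.org/entity-category-support"

# REFEDS R&S URI plus the older InCommon-specific URI still seen in metadata.
RS_URIS = {
    "http://refeds.org/category/research-and-scholarship",
    "http://id.incommon.org/category/research-and-scholarship",
}

# Constructed sample aggregate (not real InCommon metadata; entityIDs are made up).
SAMPLE_AGGREGATE = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <!-- IdP A: declares REFEDS Research and Scholarship support -->
  <md:EntityDescriptor entityID="https://idp.example-a.edu/idp/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category-support">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <!-- IdP B: no entity attributes at all -->
  <md:EntityDescriptor entityID="https://idp.example-b.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <!-- IdP C: declares support using the legacy InCommon URI -->
  <md:EntityDescriptor entityID="https://idp.example-c.edu/idp/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category-support">
        <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <!-- SP D: a category member (entity-category, not -support) and not an IdP -->
  <md:EntityDescriptor entityID="https://sp.example-d.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_attribute_values(entity, attr_name):
    """Return the AttributeValue strings of the named entity attribute (empty set if absent)."""
    values = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            for value in attr.findall("saml:AttributeValue", NS):
                if value.text:
                    values.add(value.text.strip())
    return values


def is_idp(entity):
    """An entity is an IdP if it carries an IDPSSODescriptor role."""
    return entity.find("md:IDPSSODescriptor", NS) is not None


def supports_rs(entity):
    """True if the entity claims to release the R&S bundle under either category URI."""
    return bool(entity_attribute_values(entity, CATEGORY_SUPPORT) & RS_URIS)


def rs_idp_report(metadata_xml):
    """Return (all IdP entityIDs, R&S-supporting IdP entityIDs) for a metadata aggregate."""
    root = ET.fromstring(metadata_xml)
    idps = [e for e in root.iter("{%s}EntityDescriptor" % NS["md"]) if is_idp(e)]
    return ([e.get("entityID") for e in idps],
            [e.get("entityID") for e in idps if supports_rs(e)])


if __name__ == "__main__":
    all_idps, rs_idps = rs_idp_report(SAMPLE_AGGREGATE)
    print("IdPs: %d, R&S-supporting IdPs: %d" % (len(all_idps), len(rs_idps)))
    for entity_id in rs_idps:
        print("  " + entity_id)
```

To run this against the real aggregate, fetch the InCommon metadata, verify its XML signature against the InCommon metadata signing certificate before trusting any of it, and pass the verified bytes to rs_idp_report. Note that the result counts IdP entities, not institutions; an institution may register more than one IdP, so the entity count is an upper bound on the institution count quoted above.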
To address this need, XSEDE should operate an InCommon IdP for XSEDE users, allowing them to authenticate with their XSEDE Kerberos/Duo credentials for access to services federated by InCommon. Partner projects including GENI and LIGO have approached us about relying on an XSEDE IdP to authenticate their users who don't have a home IdP. An XSEDE IdP is a natural option because many of these users already have XSEDE accounts and XSEDE makes it easy for users to sign up for an account. This would save those other NSF projects the cost of operating their own catch-all IdP, since they could rely on XSEDE's existing identity management capabilities. Also, XSEDE's InCommon IdP would provide a SAML Single Sign-On option for XSEDE services, to complement the OpenID Connect support provided by Globus, giving another standard method for integrating with XSEDE identity management. This IdP would also enable XSEDE users to log in to CILogon with their XSEDE identities.