JIRA Issue

[#XCI-339] Replace weblogin.xsede.org with CILogon and idp.xsede.org

[XCI-339] Replace weblogin.xsede.org with CILogon and idp.xsede.org Created: 02/26/2018  Updated: 09/17/2020

Status: Design
Project: XSEDE Cyberinfrastructure Integration
Component/s: CILogon, Globus Auth, XSEDE InCommon Identity Provider (IdP), XSEDE User Portal (XUP)
Fix Version/s: PY9 (Sep '19 - Aug '20)

Type: XCI Enhanced Capability Priority: Normal
Reporter: Lee Liming Assignee: Jim Basney
Resolution: Unresolved Votes: 0

Attachments: PDF File XSEDE_Globus_Authentication.pdf    
Issue Links:
PCR Replacement
Replaces XCI-481 Refresh skin for weblogin.xsede.org Cancelled
relates to XCI-30 Provide InCommon Identity Provider fo... Closed
relates to XCI-478 Web SSO service integration Development
relates to XCI-317 XSEDE Web SSO Design Closed
relates to XCI-714 Update XSEDE MFA documentation Proposed
Target Operator:
XSEDE Enterprise Services
XSEDE Priority: -
XSEDE Areas:
RACD Security
Public activity link: https://software.xsede.org/display/xci-339
Devel Repository:
Use Cases:
CAN-06: Authenticate with an application
Effort and Costs:
Staff Name (Lastname, Firstname) Effort (person weeks) Roles or Contributions Status
Basney, Jim 2 two weeks of effort to lead and implement the activity (required) none
Liming, Lee 0.4 two days of effort to assist with use case analysis and Globus Auth coordination none
Sakai, Scott 0.1 Design/Security Reviewer none
TBD (tester) 1 one week of effort to test the software none
Due by Activity Deliverable
DSR Design document*
TRR Implemented Software Capability
TRR Other type of deliverable
TRR Deployment plan*
TRR Test plan*
TRR User documentation*
TRR (post) TRR Baseline* (Shava)
Deployment Deployment Baseline* (Shava)
Deployment Test Report* (Shava)
  • Click on "Deliverables" tab for URL.
Planned Launch Date:
Actual Launch Date:
Planned Design Review Date:
Planned Test Readiness Review Date:
Planned Complete Date:
Activity Lead: Jim Basney
Lead Tester: Shava Smallen


The Globus Auth service, which provides XSEDE's Web SSO mechanism, relies on an XSEDE OIDC identity provider (IDP) to authenticate XSEDE users using their XSEDE username and password. The currently configured XSEDE IDP in Globus is weblogin.xsede.org, which is operated by the University of Chicago's Globus team.

NCSA has recently begun operating an InCommon (SAML-based) IDP for XSEDE, named idp.xsede.org. Although this InCommon IDP doesn't support OIDC, the CILogon service (also operated by NCSA) provides translation between SAML and OIDC for >400 academic institutions, and could easily do the same for XSEDE.

We need to explore our options regarding replacing weblogin.xsede.org with CILogon translating idp.xsede.org into OIDC.


There are comments for XCI-339 that can be viewed with XSEDE authentication.