Skip to content Skip to navigation

JIRA Issue

[#XCI-496] SSH with Globus Auth (OpenID Connect authentication)

[XCI-496] SSH with Globus Auth (OpenID Connect authentication) Created: 10/29/2018  Updated: 10/29/2018

Status: Proposed
Project: XSEDE Cyberinfrastructure Integration
Component/s: None
Fix Version/s: PY8 (Sep '18 - Aug '19)

Type: XCI New Capability Priority: Major
Reporter: Lee Liming Assignee: Lee Liming
Resolution: Unresolved Votes: 0

Issue Links:
SD&I Deliverable
has deliverable XCI-497 SSH with Globus Auth Deployment plan ... Proposed
has deliverable XCI-498 SSH with Globus Auth Deployment plan ... Proposed
has deliverable XCI-499 SSH with Globus Auth User Documentati... Proposed
has deliverable XCI-196 Deliver XSEDE user to OAuth identity ... Design Review
XSEDE Priority: -
Public activity link:
Devel Repository:
Use Cases:
CAN-01: Run a Remote Job, CAN-04: Interactive Login, CAN-06: Authenticate to one or more SP resources, SP services, and XSEDE central services, CB-08: Use XSEDE SSO with campus login servers, IDM-14: SSH access using XSEDE identities for education
Effort and Costs:
Staff Name (Lastname, Firstname) Effort (person weeks) Roles or Contributions Status
Liming, Lee 1 one week of effort to lead and implement the activity (required) none
Liming, Lee 2.8 three weeks of effort to draft the design document none
Navarro, JP 0.4 two days to initiate a design & security review none
DSR reviewers 2 Estimated: 10 reviewers, each spending one full day to review the design & security review materials, ask questions, discuss, ultimately vote up or down none
Liming, Lee 0.6 three days to respond to DSR questions & issues none

NOTE: Effort for TRR deliverables will be tracked separately in sub-task activities.

Due by Activity Deliverable
DSR Design document*
TRR GA release of SSH with Globus Auth (from Globus)
TRR Mapfile generator tool (from XSEDE)**
TRR Deployment plan for SP admins**
TRR Deployment plan for XSEDE SSO Hub**
TRR Test plan*
TRR User documentation for XUP/XSEDE website**
TRR (post) TRR Baseline* (Shava)
Deployment Deployment Baseline* (Shava)
Deployment Test Report* (Shava)

( * ) Click on "Deliverables" tab for URL.

( ** ) See linked issues for details & deliverables.

Lead Tester: Shava Smallen


This activity will prepare and test SSH with Globus Auth for use by XSEDE SPs and the XSEDE SSO Hub, based on the General Availability (GA) release of SSH with Globus Auth. SSH with Globus Auth is SSH based on OpenID Connect authentication: the same authentication mechanism used for XSEDE's Web SSO service.

When Globus announced its end-of-support for the Globus Toolkit, that included GSI-OpenSSH, which is SSH based on X.509 authentication. Most XSEDE SPs and the XSEDE SSO Hub use GSI-OpenSSH for their SSH (remote login) services.  While support for GSI-OpenSSH may continue via open source community contributions, we are exploring other options for the future of XSEDE's SSH services.