REVIEW-81: XCI-339 Replace weblogin.xsede.org with CILogon and idp.xsede.org - Design/Security Review

Overview

The Globus Auth service, which provides XSEDE's Web SSO mechanism, relies on an XSEDE OIDC Provider (OP) to authenticate XSEDE users using their XSEDE username and password. The currently configured XSEDE OP in Globus is weblogin.xsede.org, which is operated by the University of Chicago's Globus team.

NCSA has recently begun operating an InCommon (SAML-based) IdP for XSEDE, named idp.xsede.org. Although this InCommon IdP doesn't support OIDC, the CILogon service (also operated by NCSA for XSEDE) provides translation between SAML and OIDC for InCommon IdPs.

This review covers the design options and security considerations for replacing weblogin.xsede.org with CILogon translating idp.xsede.org into OIDC. Since idp.xsede.org, unlike weblogin.xsede.org, requires multi-factor authentication using Duo, one consequence of this change would be requiring XSEDE users to use Duo for Web SSO.

Review Summary

Most important feedback addressed in the review:

  • Corrections to Section E.2.3. Availability or volatility of resources
  • Confirm and document Duo license availability
  • Communicate more broadly that MFA will now be required for all XSEDE web SSO logins
  • Add more migration details, in coordination with Globus, to Section F
  • Add more logging and usage tracking details to Section E.2.7
  • Clarify how usage tracking is being addressed in Section E.2.13
  • Add more performance requirements details to Section E.2.10
  • Clarify that XUP and Globus 2-legged OAuth interaction are out of scope

Review Output Documents (Final)

Review Input Documents

Review Criteria

  • Does the new implementation satisfy all XSEDE security service guidelines and standards?
  • Does the design and transition plan mitigate risks appropriately?
  • Are the user impacts of the change appropriate?
  • Are the infrastructure, operations, and licensing costs addressed?

Schedule

Current Date: 2021-09-20
Current Status: Closed (Design and Security Review)
Target Date   Actual Date   Activity Milestone
              2021-02-05    Review launch date
2021-02-19    2021-03-29    Written feedback due (Reviewers)
2021-02-25    2021-03-29    Written response date (Review Material Developers)
2021-02-26    2021-03-29    Final approval due and completion date (Reviewers)
Review Created: 2021-02-05 4:16 pm
Review Last Updated: 2021-03-30 9:31 am

 

Reviewers

Required

  • Lee Liming
    VIEWED: 2021-03-22 17:06
    SIGNED: 2021-03-22 17:06
  • John-Paul Navarro
    VIEWED: 2021-04-01 12:54
    SIGNED: 2021-03-29 15:07
  • Derek Simmel
    VIEWED: 2021-03-22 20:16
    SIGNED: 2021-03-22 20:16

Optional

  • Maytal Dahan
  • Gary Rogers
    VIEWED: 2021-02-19 17:39
    SIGNED: 2021-02-19 17:39
  • Scott Sakai
    VIEWED: 2021-02-18 19:02
    SIGNED: 2021-02-18 19:02
  • Shava Smallen
    VIEWED: 2021-04-18 18:55
  • Alexander Withers

Review Material Developers

Jim Basney

Review Facilitator

John-Paul Navarro

 
