April 15, 2017

“Login with XSEDE”
Globus Auth on Jetstream and XSEDE

XSEDE and Jetstream

• XSEDE is NSF’s front door/lobby for its national computing services (HPC, cloud, data)
  – User sign-up/registration
  – Allocation requests
  – System information and user support
• Jetstream is one of NSF’s Infrastructure-as-a-Service providers, and the first to have a browser-based user interface
  – Use is allocated via XSEDE
  – Self-service VMs and storage volumes
  – Sized for scientific applications

XSEDE is an identity provider (IDP)

• XSEDE has a user database that’s been around for more than a decade and has >30,000 registered users
  – SQL user database + Kerberos auth realm
  – High visibility -> rigorous security
• First step was to add an XSEDE OIDC service
  – Provides OAuth2/OpenID Connect interface between XSEDE and Globus
  – Intended solely for use by Globus

XSEDE and Jetstream are both resource providers

• More than a dozen unique systems (for users or for staff) that require authentication
  Examples: User portal, community software repository, single sign-on hub, Confluence, JIRA, Qualtrics, financial portal, etc.
• More than a dozen federated services (managed by others) that are required to recognize XSEDE identities
  Examples: Jetstream, Stampede, Bridges, Comet, Wrangler, XStream, SuperMIC, etc.

Globus-enabled logins

• XSEDE’s public sites
  – XSEDE user portal (www.xsede.org)
  – Jetstream cloud services (use.jetstreamcloud.org)
  – Community Software Repository (CSR)
  – Training sites
• XSEDE’s staff services
  – Staff wiki
  – Staff activity tracking & planning

OAuth & OIDC plugins and modules are plentiful!

| Service | How does it access Globus Auth? |
| XSEDE user portal | Java portlet for Liferay Portal, based on Nimbus JOSE+JWT for tokens |
| Jetstream | Python oauth2client module with customizations for Django and CyVerse (~200 lines of code) |
| JIRA & Confluence | OpenID Authentication for JIRA v.3.0.5; OpenID Authentication for Confluence v.3.0.5 (by Pawel Niewiadomski) |
| Community software repository | OAuth2 - OpenID Connect plugin for Drupal (openid_connect) 7.x-1.0-beta6 |
| Training site | OpenID Connect plugin for Moodle |

Globus Auth client configuration

• Most XSEDE clients require an XSEDE identity
  – People can use any identity to log in, but to succeed, an XSEDE identity must be linked
  – If there isn’t a linked XSEDE identity, Globus prompts to link or create an XSEDE identity
  – If the XSEDE identity hasn’t been seen before by Globus, Globus automatically creates an identity
• XSEDE clients see the XSEDE identity as primary
  – [email protected] identity as primary
  – Keeps things simple for client-side accounting

Jetstream and Globus Auth

Globus Auth made it really easy to enable XSEDE logins to Jetstream’s web UI. (*)
  – Much simpler than XSEDE’s older methods
  – Python Oauth2client module available
  – Campus, Google, ORCID logins came for free!

* Still need to map to a Jetstream/XSEDE “allocation” (project)

XSEDE and Globus Auth – more, more, more!

• We’re working on documentation and support for science gateways
  – Allow gateways to offer “Login with XSEDE”
• We’re reaching out to other public XSEDE services
  – XD Metrics on Demand (XDMoD)
  – Two other user training services
• We’ll update more staff services as needed
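
A client-side check for the rule on the "Globus Auth client configuration" slide (a login only succeeds when an XSEDE identity is linked), as an added example that is not taken from the slides or from XSEDE, Jetstream or Globus code. The `identity_set` list, its `username` field and the `xsede.org` domain are assumptions made for illustration; `sub` and `preferred_username` are standard OpenID Connect claims. It goes slightly beyond the slide by also accepting a linked identity when the top-level claim is from another provider.

```python
REQUIRED_DOMAIN = "xsede.org"  # assumption: domain of the required identity


class NoLinkedIdentity(Exception):
    """The login carries no identity from the required domain."""


def domain_of(username):
    """Return the lower-cased domain of user@domain, or None if malformed."""
    if not isinstance(username, str) or username.count("@") != 1:
        return None
    local, domain = username.split("@")
    return domain.lower() if local and domain else None


def primary_identity(claims, required_domain=REQUIRED_DOMAIN):
    """Return {"sub", "username"} for the identity to account against.

    The top-level claims are tried first, then any linked identities in
    the (assumed) identity_set list.
    """
    candidates = [{"sub": claims.get("sub"),
                   "username": claims.get("preferred_username")}]
    candidates += claims.get("identity_set") or []
    for ident in candidates:
        if not isinstance(ident, dict) or not ident.get("sub"):
            continue
        # Exact domain match: a substring or suffix test would also accept
        # "a@notxsede.org" and "a@xsede.org.example".
        if domain_of(ident.get("username")) == required_domain:
            return {"sub": ident["sub"], "username": ident["username"]}
    raise NoLinkedIdentity("no linked %s identity" % required_domain)


# Constructed sample claims, not captured from a real service.
LINKED = {
    "sub": "id-google-0001",
    "preferred_username": "jdoe@gmail.example",
    "identity_set": [
        {"sub": "id-google-0001", "username": "jdoe@gmail.example"},
        {"sub": "id-xsede-0002", "username": "jdoe@XSEDE.org"},
    ],
}
LOOKALIKE = {"sub": "id-other-0003",
             "preferred_username": "jdoe@xsede.org.example"}

if __name__ == "__main__":
    print(primary_identity(LINKED))
```

Keying local accounts on the returned `sub` rather than on the display username keeps the client-side accounting stable if a username is later reassigned.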