XSEDE Uses Globus Auth for Web Single Sign-On
January 28, 2019 | Lee Liming
Used by researchers and students from all fields of science, XSEDE coordinates access to the National Science Foundation’s public supercomputing systems, such as Texas Advanced Computing Center’s Stampede2 and Pittsburgh Supercomputing Center’s Bridges.
For researchers who use both Globus and XSEDE, this provides a couple of conveniences. First, once you link your XSEDE identity in Globus, logging in to XSEDE’s web apps is the same as logging in to Globus. Second, if you’re logged in to Globus, you can log in to XSEDE web apps without having to re-enter your username and password. This provides a streamlined experience for researchers who use both XSEDE and Globus.
There’s a bigger story here, though. By adopting and supporting the use of Globus Auth, XSEDE has made it dramatically easier for new, innovative research services to participate in the NSF/XSEDE system. In order to obtain NSF funding to offer services via XSEDE, research service providers must report usage by individual XSEDE users and their XSEDE projects. Before Web SSO, securely obtaining each user’s XSEDE identity relied on an SSH mechanism (based on X.509 certificates). That limited XSEDE service providers to SSH (command-line or terminal service) interfaces, which are not innovative or user-friendly. The Web SSO service--based on Globus Auth--allows service providers to securely access XSEDE identities in web apps, which in turn allows them to fulfill the required reporting.
The first service to use this method is the Jetstream system, provided by Indiana University and Texas Advanced Computing Center, with partners including the University of Chicago where Globus is based. Jetstream provides self-service cloud computing to researchers via XSEDE. Jetstream offers a user-friendly web interface--much like Amazon’s AWS Dashboard--and the web interface uses XSEDE’s Globus-based Web SSO service to log users in. This is how Jetstream accesses its users’ XSEDE identities so it can link them to XSEDE projects and report their use. Globus Auth made it significantly easier for Jetstream to integrate with XSEDE’s accounting system (and much simpler for users) than it would have been using the older X.509-based mechanism.
Figure 1. Jetstream’s web interface uses Globus Auth to access XSEDE identities.
Any research service provider that offers a web interface for their service can now use this simple method to link users to their XSEDE identities and become eligible (via NSF’s solicitation and award process) to be an XSEDE service provider.
Another example is the Cornell Virtual Workshop service, which offers a set of web-based training courses for XSEDE. Cornell Virtual Workshops are supported by NSF, and the service accesses its users’ XSEDE identities when they log in to the site via Globus Auth.
Figure 2. Cornell’s XSEDE training site uses Globus Auth to access XSEDE identities.
There are good reasons for other universities and research services to use Globus Auth, as XSEDE has. Globus Auth is an easy way to give your users more sign-in options than your campus login service. (This is especially useful if you serve--or aspire to serve--a broader community than your local campus.) While allowing other sign-in options, you can still require users to link their campus identities so you know who they are, and you can make your campus the first option to make things smoother for local users.
Also, if your campus login service is SAML-based (most are), Globus Auth is an easy way to enable OpenID Connect (OIDC) or OAuth 2.0 applications to use it. (OIDC and OAuth 2.0 are more widely supported than SAML.) Finally, using Globus Auth in your locally developed apps enables you to build Globus data services directly into the apps, so you can offer file transfer, sharing, search and other capabilities based on your organization's Globus subscription level.
We’re excited that XSEDE has chosen Globus Auth for its web sign-on service. It smooths an everyday user experience, it opens new possibilities for research service providers and their users, and it offers a great example of how to use Globus Auth. This can only improve the overall quality of research applications and services.