XSEDE Web Single Sign On Service

XSEDE's Web Single Sign-On (Web SSO) service provides a uniform, consistent, secure way to sign on to web applications using XSEDE user IDs.

XSEDE's Web SSO service is used by applications provided by XSEDE and by XSEDE community members, including the XSEDE User Portal (XUP), the Community Software Repository (CSR), science gateways and other research portals, training websites, and more. Using the XSEDE Web SSO service, any application can use XSEDE user IDs as the basis for its sign-on mechanism.

Applications that offer the "Login to XSEDE" or "Login with XSEDE" buttons (Figure 1.) provide a familiar sign-on experience based on XSEDE's user registration and user profiles. XSEDE services use the "Login to XSEDE" button while other services use the "Login with XSEDE" button. Both provide the same experience.

Figure 1. The "Login to XSEDE" and "Login with XSEDE" buttons

The Web SSO service enables users to link their identities with other organizations to their XSEDE identities (like a credential wallet) and manage which applications are authorized to access their identities. When a user wishes to sign on to an application, the application directs the user's web browser to the Web SSO service, as shown in Figure 2. The Web SSO service, provided by Globus, allows the user to securely authenticate with an organization of the user's choice and then returns the user's XSEDE identity to the calling application.

Sign on to the CSR
Figure 2. Signing on to the Community Software Repository application using the XSEDE Web SSO service

After authentication, the application can use the XSEDE identity provided by the Web SSO service to provide a personalized user experience. Meanwhile, the Web SSO service maintains a sign-on session allowing the user to sign on to other Web SSO applications without re-authenticating, until the user explicitly signs off. The user may also interact directly with the Web SSO service to link or unlink identities and to review or revoke the permissions given to specific applications.

An XSEDE user signing on to an application via Web SSO
Figure 3. A researcher at U. of Washington signs on to an application using XSEDE's Web SSO service.

XSEDE Web SSO provides the following benefits and features:

Benefits for Application Developers	Features for Application Users
It's a standard OpenID Connect (OIDC) service, so applications can use the same code used with Google, ORCID, or other OIDC services. There are many free and commercially supported OIDC plugins, SDKs, and modules for nearly every development environment. Applications always receive an XSEDE username, so the application knows that the user has registered with XSEDE and can find out more about the user through the XSEDE system. The application may request access to the user's identities from other organizations, allowing it to consider all of a user's linked identities in access control decisions. In addition to the user's XSEDE identity, applications may also request permission to access other XSEDE services (e.g., file transfer services) on the user's behalf, enabling automation features.	The "Login with XSEDE" button provides a consistent and familiar sign-on experience across applications. Users can sign on to applications using their choice of: XSEDE, an academic institution belonging to the InCommon or eduGAIN federations, ORCID, Google (provider of G Suite, used by many academic institutions), or other national/international research facilities. If a user has recently signed on to a Web SSO-enabled application and hasn't signed off, the user can sign on to other Web SSO applications without re-authenticating. Each user has control over which applications may or may not receive the user's identity data and can revoke permissions at any time. Users' private credentials (passwords, one-time tokens, etc.) are never exposed to the Web SSO service or to applications that use the Web SSO service. Users can link their own identities from multiple institutions, enabling applications to consider all of a user's linked identities in access control decisions. Users can give specific applications permission to interact with specific XSEDE services on their behalf, simplifying their use of XSEDE.

Benefits for Application Developers

Features for Application Users

It's a standard OpenID Connect (OIDC) service, so applications can use the same code used with Google, ORCID, or other OIDC services. There are many free and commercially supported OIDC plugins, SDKs, and modules for nearly every development environment.
Applications always receive an XSEDE username, so the application knows that the user has registered with XSEDE and can find out more about the user through the XSEDE system.
The application may request access to the user's identities from other organizations, allowing it to consider all of a user's linked identities in access control decisions.
In addition to the user's XSEDE identity, applications may also request permission to access other XSEDE services (e.g., file transfer services) on the user's behalf, enabling automation features.

The "Login with XSEDE" button provides a consistent and familiar sign-on experience across applications.
Users can sign on to applications using their choice of: XSEDE, an academic institution belonging to the InCommon or eduGAIN federations, ORCID, Google (provider of G Suite, used by many academic institutions), or other national/international research facilities.
If a user has recently signed on to a Web SSO-enabled application and hasn't signed off, the user can sign on to other Web SSO applications without re-authenticating.
Each user has control over which applications may or may not receive the user's identity data and can revoke permissions at any time.
Users' private credentials (passwords, one-time tokens, etc.) are never exposed to the Web SSO service or to applications that use the Web SSO service.
Users can link their own identities from multiple institutions, enabling applications to consider all of a user's linked identities in access control decisions.
Users can give specific applications permission to interact with specific XSEDE services on their behalf, simplifying their use of XSEDE.

User and Developer Documentation

XSEDE's application developer documentation for the Web SSO service [PDF] covers the following topics:

A description of the service (key features, behaviors)
How to use the "Login with XSEDE" interface element
Choosing and configuring an OIDC plugin, adapter, module, or SDK
How to register an application
How to use XSEDE identity data
How to notify XSEDE support staff about new applications
How to get technical support for the Web SSO service
API reference, Python SDK, and developer tutorial materials

XSEDE's Web SSO service is based on Globus Auth. The following Globus documents provide further details about the Globus Auth service.

Developer Tools

The Web SSO service provides a standard OpenID Connect (OIDC) interface. This means that current open source and commercial OIDC clients, plug-ins, modules, and software development kits (SDKs) will work with the Web SSO service with appropriate settings. XSEDE cannot verify the quality or usability of software from other providers. XSEDE's documentation for application developers (see above) provides guidance on choosing an OIDC plugin, adapter, module, or SDK for your application.

XSEDE provides the XSEDE Globus ID Explorer application, which allows application developers and application users to view and manage their identity data and application permissions in the Web SSO service. Application developers can see the JSON data structures returned by specific interfaces. The source code for this application provides good example code.

Globus provides the following software for use with Globus Auth. Support for all of these is available via the XSEDE Help Desk (support@xsede.org) and is provided by Globus team members who participate in the Help Desk.

A Python SDK for Globus Auth that serves as an excellent starting point for application developers using Python.
A collection of Jupyter notebooks–used frequently in tutorials–that demonstrate use of Globus Auth.
A Python command-line interface (CLI) that includes basic Globus Auth features.

Support Resources

In addition to the documentation and developer tools mentioned above, the following additional resources and services are available to support the Web SSO service.

XSEDE Help Desk (support@xsede.org) - Application developers and users who need help with the Web SSO service can send email to support@xsede.org. Help Desk personnel will assign Web SSO tickets to Globus personnel who participate in the Help Desk.
Integration tracking - XSEDE's Cyberinfrastructure Integration team (XCI) assist the Help Desk by keeping tabs on how individual applications use the Web SSO service.
XSEDE Globus ID Explorer - This web application allows XSEDE users to view and manage their identity data and application permissions in the Web SSO service.
Preview environment - Application developers can register and test their applications with the next version of the Web SSO service.
Developer email list - Significant changes to the Web SSO service are announced ahead of time on this list. The list may also be used for Q&A with the Globus team.
Continuity service for application registrations - Applications that use the Web SSO service must be registered. The XCI team can help recover an application's registration if/when the original developer changes jobs without assigning a new manager.

Key Points

Sign on to web applications with your XSEDE user ID

Link other organization identities to your XSEDE identity

Manage which applications are authorized to access your identity

Sign on to other Web SSO applications without re-authenticating

Related Links

XSEDE User Portal

Globus API documentation

Web SSO application developer docs

Contact Information

XSEDE Help Desk

12/11/18