XSEDE Web Single Sign On Service
XSEDE's Web Single Sign-On (Web SSO) service provides a uniform, consistent, secure way to sign on to web applications using XSEDE user IDs.
XSEDE's Web SSO service is used by applications provided by XSEDE and by XSEDE community members, including the XSEDE User Portal (XUP), the Community Software Repository (CSR), science gateways and other research portals, training websites, and more. Using the XSEDE Web SSO service, any application can use XSEDE user IDs as the basis for its sign-on mechanism.
Applications that offer the "Login to XSEDE" or "Login with XSEDE" buttons (Figure 1) provide a familiar sign-on experience based on XSEDE's user registration and user profiles. XSEDE services use the "Login to XSEDE" button while other services use the "Login with XSEDE" button. Both provide the same experience.
Figure 1. The "Login to XSEDE" and "Login with XSEDE" buttons
The Web SSO service enables users to link identities they hold with other organizations to their XSEDE identities (like a credential wallet) and to manage which applications are authorized to access their identities. When a user wishes to sign on to an application, the application directs the user's web browser to the Web SSO service, as shown in Figure 2. The Web SSO service, provided by Globus, allows the user to securely authenticate with an organization of the user's choice and then returns the user's XSEDE identity to the calling application.
Figure 2. Signing on to the Community Software Repository application using the XSEDE Web SSO service
After authentication, the application can use the XSEDE identity provided by the Web SSO service to provide a personalized user experience. Meanwhile, the Web SSO service maintains a sign-on session allowing the user to sign on to other Web SSO applications without re-authenticating, until the user explicitly signs off. The user may also interact directly with the Web SSO service to link or unlink identities and to review or revoke the permissions given to specific applications.
Figure 3. A researcher at U. of Washington signs on to an application using XSEDE's Web SSO service.
XSEDE Web SSO provides the following benefits and features:
|Benefits for Application Developers||Features for Application Users|
| || |
User and Developer Documentation
XSEDE's application developer documentation for the Web SSO service [PDF] covers the following topics:
- A description of the service (key features, behaviors)
- How to use the "Login with XSEDE" interface element
- Choosing and configuring an OIDC plugin, adapter, module, or SDK
- How to register an application
- How to use XSEDE identity data
- How to notify XSEDE support staff about new applications
- How to get technical support for the Web SSO service
- API reference, Python SDK, and developer tutorial materials
XSEDE's Web SSO service is based on Globus Auth. The following Globus documents provide further details about the Globus Auth service.
- Globus Auth API documents (index page)
- Globus Auth API Reference
- Globus Auth Specification
- Globus Auth Developer Guide
The Web SSO service provides a standard OpenID Connect (OIDC) interface. This means that current open source and commercial OIDC clients, plug-ins, modules, and software development kits (SDKs) will work with the Web SSO service with appropriate settings. XSEDE cannot verify the quality or usability of software from other providers. XSEDE's documentation for application developers (see above) provides guidance on choosing an OIDC plugin, adapter, module, or SDK for your application.
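The following added example (not taken from XSEDE or Globus code) sketches the checks an application should make around the OIDC redirect described above, whichever OIDC library it uses: a single-use state value tied to the browser session, and issuer, audience, expiry and nonce checks on the ID token claims. The issuer, endpoint path, client ID and redirect URI are placeholders, and the claims are assumed to come from a token whose signature the OIDC library has already verified.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions): real values come from the provider's OIDC
# discovery document and from your application registration.
ISSUER = "https://sso.example.org"
AUTHORIZE_URL = ISSUER + "/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.org/callback"

def _same(a, b):
    return hmac.compare_digest(str(a).encode(), str(b).encode())

def begin_login(session):
    """Build the redirect to the SSO service, binding state and nonce to the session."""
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": "openid profile email",
        "state": session["state"], "nonce": session["nonce"]})

def check_callback(session, callback_url):
    """Return the authorization code only if the response belongs to this session."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("state", None)  # single use: a replayed callback fails
    if not expected or not _same(expected, params.get("state", [""])[0]):
        raise ValueError("state mismatch")
    if "error" in params or "code" not in params:
        raise ValueError("sign-on did not complete")
    return params["code"][0]

def check_id_token_claims(session, claims, now=None):
    """Claim checks to run AFTER the OIDC library has verified the token signature."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    nonce = session.pop("nonce", None)
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was issued to a different application")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not nonce or not _same(nonce, claims.get("nonce", "")):
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims["sub"]
```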
XSEDE provides the XSEDE Globus ID Explorer application, which allows application developers and application users to view and manage their identity data and application permissions in the Web SSO service. Application developers can see the JSON data structures returned by specific interfaces. The source code for this application provides good example code.
Globus provides the following software for use with Globus Auth. Support for all of these is available via the XSEDE Help Desk (firstname.lastname@example.org) and is provided by Globus team members who participate in the Help Desk.
- A Python SDK for Globus Auth that serves as an excellent starting point for application developers using Python.
- A collection of Jupyter notebooks, used frequently in tutorials, that demonstrate use of Globus Auth.
- A Python command-line interface (CLI) that includes basic Globus Auth features.
In addition to the documentation and developer tools mentioned above, the following additional resources and services are available to support the Web SSO service.
- XSEDE Help Desk (email@example.com) - Application developers and users who need help with the Web SSO service can send email to firstname.lastname@example.org. Help Desk personnel will assign Web SSO tickets to Globus personnel who participate in the Help Desk.
- Integration tracking - XSEDE's Cyberinfrastructure Integration team (XCI) assists the Help Desk by keeping tabs on how individual applications use the Web SSO service.
- XSEDE Globus ID Explorer - This web application allows XSEDE users to view and manage their identity data and application permissions in the Web SSO service.
- Preview environment - Application developers can register and test their applications with the next version of the Web SSO service.
- Developer email list - Significant changes to the Web SSO service are announced ahead of time on this list. The list may also be used for Q&A with the Globus team.
- Continuity service for application registrations - Applications that use the Web SSO service must be registered. The XCI team can help recover an application's registration if/when the original developer changes jobs without assigning a new manager.