REVIEW-81: XCI-339 Replace weblogin.xsede.org with CILogon and idp.xsede.org - Design/Security Review

The Globus Auth service, which provides XSEDE's Web SSO mechanism, relies on an XSEDE OIDC Provider (OP) to authenticate XSEDE users using their XSEDE username and password. The currently configured XSEDE OP in Globus is weblogin.xsede.org, which is operated by the University of Chicago's Globus team.

NCSA has recently begun operating an InCommon (SAML-based) IdP for XSEDE, named idp.xsede.org. Although this InCommon IdP doesn't support OIDC, the CILogon service (also operated by NCSA for XSEDE) provides translation between SAML and OIDC for InCommon IdPs.

Review of the design options and security considerations for replacing weblogin.xsede.org with CILogon translating idp.xsede.org into OIDC. Since idp.xsede.org, unlike weblogin.xsede.org, requires multi-factor authentication using Duo, one consequence of this change would be requiring XSEDE users to use Duo for Web SSO.

Most important feedback addressed in the review:

• Corrections to Section E.2.3. Availability or volatility of resources
• Confirm and document DUO license availability
• Communicate more broadly that MFA will now be required for al XSEDE web SSO logins
• Add more migration detailed in coordination with Globus to Section F
• Need more logging and usage tracking details to Section E.2.7
• Clarify how usage tracking is being addressed in Section E.2.13
• Add more performance requirements details to Section E.2.10
• Clarify that XUP and Globus 2-legged OAuth interaction are out of scope

• XCI-339 Desing Document: Replace weblogin.xsede.org with CILogon and idp.xsede.org

• XCI-339 Desing Document: Replace weblogin.xsede.org with CILogon and idp.xsede.org

• Does the new implementation satisfy all XSEDE security service guidelines and standards
• Does the design and transition plan mitigate risks appropriately
• Are the user impacts of the change appropriate
• Are the infrastructure, operations, and licensing costs addressed