XSEDE's Perspective on Token Assurance for Authentication and Authorization
- Lee Liming (XSEDE, University of Chicago, Globus)
- Derek Simmel (XSEDE, Pittsburgh Supercomputing Center)
- Brian Hom (XSEDE, San Diego Supercomputer Center)
- Jim Basney (National Center for Supercomputing Applications)
As XSEDE migrates its services, such as SSH and Globus Connect, from X.509 certificates to OAuth tokens, we must maintain an appropriate level of assurance for access to XSEDE resources. XSEDE has adopted IGTF assurance for X.509 certificates and REFEDS assurance for InCommon/eduGAIN SAML assertions, and the comparability between IGTF and REFEDS assurance levels (IGTF DOGWOOD/ASPEN to REFEDS low and IGTF BIRCH/CEDAR to REFEDS medium) has enabled consistency across XSEDE authentication and authorization services. As an AEGIS participant, XSEDE is evaluating AARC-G048 ("Guidelines for Secure Operation of Attribute Authorities and other issuers of access-granting statements") as it applies to OAuth token issuers such as CILogon/SciTokens and Globus.
In this panel, XSEDE staff will discuss project needs related to levels of assurance for OAuth tokens, the current state of OAuth implementation efforts (e.g., XSEDE OAuth SSH and Globus Higher Assurance Levels), and a new XSEDE IAM Policy under development. The panelists will also discuss interoperability requirements and solicit community input.