Does Globus need credentials when accessing my system? Does it store these permanently?
Globus uses only temporary credentials to act on your behalf when making a transfer request, and never keeps your password nor long-term credentials to access a site.
How does Globus ensure my data is secure?
Globus uses a "data channel" for moving data between two endpoints. This data channel is established directly between the source and destination endpoints and cannot be accessed by Globus, only by the GridFTP servers running on the endpoints.
By default the data channel is authenticated, but unencrypted. It can be encrypted by selecting the "encrypt transfer" option on the Transfer Files page (see screenshot below), or by including the
—encrypt option for the transfer command when using the command line interface. You should be aware that encryption adds processing overhead, and will likely reduce transfer speed. Encrypted transfers use the SSL cipher configured on the endpoints (the default for OpenSSL is AES256-SHA).
In addition to the data channel, Globus uses a "control channel" to communicate with the source and destination endpoints for a transfer. All control channel communications are encrypted.
How does Globus use my Google account?
You can use your Google identity to log into Globus. Select Google as an option from the organizations listed on the Globus login page, and sign in with your Google account. If you have previously logged into Globus using another identity (e.g. your campus username), Globus will give you the option to link it with your Google identity under a single Globus account. If you choose to link, you can use any of your linked identities to access Globus. You can choose not to link and keep your Google identity as a separate Globus account. You can manage your linked identities on the Globus Account page.
How do I stop Globus from automatically authenticating using my Google account?
Visit this link on Google (you may be prompted to login using your Google account). You will see a list of websites for which you have authorized access to your Google account. Select the Globus entry and click the "Remove" button. Your Google account will no longer be used by Globus. If you try to login to Globus with your Google account, you will be asked to re-confirm that Globus may use your Google account.
Which method should I use to sign in to Globus?
You can use a username and password from any organization that is recognized (and trusted) by the Globus service. Select your preferred organization from the list on the Globus login page, and you will be redirected to your organization’s login page to provide your credentials. If you don’t see your organization listed or would like to create a separate account, you can use Google or Globus ID to sign into Globus.
If you are an existing Globus user and have previously logged in using a Globus username and password, that option is now the Globus ID. We’ve moved Globus username/passwords created prior to February 13, 2016 into an independent service called Globus ID (globusid.org). Your Globus account can include a Globus ID as a linked identity, but this is not required.
What authentication methods does Globus support?
Globus supports multiple authentication methods, including username/password (our default method), MyProxy, MyProxy with OAuth, OpenID (using a Google account) and InCommon. In all instances, you are first required to set up a Globus account (username/password) and then can associate additional identities with your Globus account. You will subsequently be able to sign in to Globus using any of the identities mapped to your account.
Does Globus support one-time passwords (OTP)?
Yes, one-time passwords work with Globus and do not require any specialized configuration. To access a site that requires an OTP, simply enter your password as you would normally when prompted.
For example, when accessing an ALCF endpoint you are prompted to enter a CryptoCard PIN + your password (see screenshot below). In this case you might enter "456324ax34D_fDWR", assuming "456324" is the one-time password generated by your CryptoCard and "ax34D_fDWR" is your password.
How does Globus work with XSEDE security infrastructure?
From the perspective of XSEDE, Globus looks like a science gateway that uses user-specific credentials to access resources on behalf of the user, instead of using community credentials. Globus uses the MyProxy OAuth server provided by XSEDE to get a user’s short term X.509 certificate, without requiring the user’s password to flow through Globus.
When a user chooses to activate an XSEDE endpoint, they are redirected to the XSEDE MyProxy OAuth server, where they are prompted to log in using their XSEDE credential (username/password). Once they have authenticated, they are automatically redirected to the Globus page and the activation is completed. Globus only receives a short-term X.509 certificate from the MyProxy server, and never sees the user’s username and password.
If the user is using the Globus command line interface, the activation of an XSEDE endpoint prints a URL for them to use to complete the activation. Once the user browses to the URL, the flow is similar to the one described when using the Globus website.
How can I delete my Globus account?
Please complete the steps below and then send email to email@example.com requesting that your account be deleted:
Remove yourself from all Globus groups.
Delete your Globus endpoints, including all shared endpoints that you created (note that users to whom you granted access to a shared endpoint will no longer be able to access the files on that endpoint).
Delete your Globus endpoint bookmarks.
Unlink any other accounts:
Go to your Account page
Click on Manage Your Identities
Click X for each identity
Remove your consents:
Go to your Account page
Click on Manage Your Consents
Click X for each consent
How do I generate a VOMS-enabled proxy certificate and upload it to a MyProxy server?
GSISSH-Term is a Java-based client that can be installed and launched with one simple click. Leibniz Supercomputing Centre maintains and develops a customized version of this client that generates a proxy certificate and uploads it to any MyProxy server with no additional setup. European EUGridPMA CA certificates are automatically installed and updated on the client machine.
Virtual Organization Membership Service (VOMS) is a system for managing authorization data within multi-institutional collaborations. VOMS provides a database of user roles and capabilities, and a set of tools for managing the database and generating Grid credentials for users. If you are using VOMS, particularly a EGI VO, this tool is for you—all EGI VOs are automatically configured and updated by this client.
To generate a proxy certificate (either a regular or VOMS-enabled) for use with a MyProxy server, click on the link below. Begin by selecting menu option "Tools" → "MyProxy Tool".
For more information on GSISSH-Term:
Why is endpoint activation with GSI SSH failing?
This error happens when your Globus account is not configured for use with GSI SSH, and only has SSH keys. Please see the FAQ on configuring your account to use GSI SSH.
Is there an independent assessment of Globus security?
Multiple organizations have conducted Globus security reviews. Their findings and our responses are documented here.
What is Globus ID?
Globus ID provides and manages identities (usernames and passwords) for use with the Globus service. It is an independent service operated by the Globus team for those users that choose not to use their organization’s login to access Globus (and for users whose institutional identity provider is not yet supported by the Globus service). A Globus ID is not required to use Globus - you are encouraged to access the access the service using your institutional username and password.
Globus ID was introduced so that we can continue to support Globus usernames/passwords for those users that registered for a Globus account prior to February 13, 2016. For example, if you had previously created the Globus username "auser", you can log into Globus as firstname.lastname@example.org with your existing Globus password.
What is my Globus account?
Your Globus account is the set of linked identities that you have used to log into Globus. Click here to see the set of identities for your Globus account.
We’ve moved Globus username/passwords created prior to February 13, 2016 into an independent service called Globus ID (globusid.org). Your Globus account can include a Globus ID as a linked identity, but this is not required.
Why should I link accounts?
Globus allows users to link their many identities (e.g., university login, facility logins, Google, Globus ID) into a single Globus account. This allows the user to have a single account to manage their resources across these multiple identities. For example, a user with a University of Chicago account, might also have XSEDE account. By linking those together into a single Globus account, use of services such as Globus transfer and groups using either identity is consolidated under that single Globus account.
How do I get my organization added as an option to log into Globus?
If your organization is part of the InCommon Federation, the administrator of your campus identity system can configure it to work with Globus. Globus supports logins from InCommon members whose identity systems release Research & Scholarship attributes.
Please send the following information to your IT administrator: "To setup your Identity Provider for use with Globus, please see this FAQ. If your identity provider is listed in CILogon, but not in Globus, please ensure that Research and Scholarship attributes are released to CILogon as described here. You can confirm that your institution is releasing Research and Scholarship attributes by visiting here. Once your organization’s system is configured to release the required attributes, it will appear in the list of institutions on the Globus login page within two business days and can be selected by your users."
If your organization is not part of the InCommon Federation, you can request to add your organizational login as an alternate identity provider in Globus. Your system must support the OpenID Connect protocol, and be registered with Globus as a trusted identity provider. Please submit this form so we can register your system. Once the request is vetted and approved, your identity provider will be available as an option for login.
How do I know if I am using Globus Nexus within my application?
If you are making calls to any URL that starts with the following, you are using Nexus and will need to move to Globus Auth:
https://www.globus.org/service/nexus https://www.globus.org/service/graph https://nexus.api.globusonline.org https://graph.api.globusonline.org
If you use either of these headers for authentication to Globus services (Nexus or Transfer), you will need to move to Globus Auth:
Authorization: Globus-Goauthtoken <access_token> X-Globus-Goauthtoken <access_token>
What is the equivalent capability in Globus Auth for use of Globus Nexus?
If you are using three legged OAuth with Globus Nexus (redirecting user to
/goauth/authorize), then you can use the confidential client flow described in https://docs.globus.org/api/auth/developer-guide/#developing-apps.
If you are using two legged OAuth with Globus Nexus (usign API
/goauth/token with grant_type=client_credentials), then you can use the Non-confidential or native application flow described in https://docs.globus.org/api/auth/developer-guide/#developing-apps.