- How can I access Globus services using a command line interface?
- Does Globus need credentials when accessing my system? Does it store these permanently?
- How does Globus ensure my data is secure?
- How does Globus use my Google account?
- How do I stop Globus from automatically authenticating using my Google account?
- Which method should I use to sign in to Globus?
- What authentication methods does Globus support?
- Does Globus support one-time passwords (OTP)?
- How does Globus work with XSEDE security infrastructure?
- How can I delete my Globus account?
- Why am I sometimes asked to log in again when accessing certain Globus collections?
- Is there an independent assessment of Globus security?
- What is Globus ID?
- What is my Globus account?
- Why should I link accounts?
- How do I get my organization added as an option to log into Globus?
Globus CLI is a standalone application that provides a command line interface to Globus services, both the Transfer and Auth services. More information on the CLI is available here.
Globus uses only temporary credentials to act on your behalf when making a transfer request, and never keeps your password or long-term credentials to access a site.
Globus uses a "data channel" for moving data between two endpoints. This data channel is established directly between the source and destination endpoints and cannot be accessed by Globus, only by the GridFTP servers running on the endpoints.
By default the data channel is authenticated, but unencrypted. It can be encrypted by selecting the "encrypt transfer" option on the File Manager page (see screenshot below), or by including the --encrypt option for the transfer command when using the command line interface. You should be aware that encryption adds processing overhead, and will likely reduce transfer speed. Encrypted transfers use the SSL cipher configured on the endpoints (the default for OpenSSL is AES256-SHA).
In addition to the data channel, Globus uses a "control channel" to communicate with the source and destination endpoints for a transfer. All control channel communications are encrypted.
You can use your Google identity to log into Globus. Select Google as an option from the organizations listed on the Globus login page, and sign in with your Google account. If you have previously logged into Globus using another identity (e.g. your campus username), Globus will give you the option to link it with your Google identity under a single Globus account. If you choose to link, you can use any of your linked identities to access Globus. You can choose not to link and keep your Google identity as a separate Globus account. You can manage your linked identities on the Globus Account page.
Visit this link on Google (you may be prompted to log in using your Google account). You will see a list of websites for which you have authorized access to your Google account. Select the Globus entry and click the "Remove" button. Your Google account will no longer be used by Globus. If you try to log in to Globus with your Google account, you will be asked to re-confirm that Globus may use your Google account.
You can use a username and password from any organization that is recognized (and trusted) by the Globus service. Select your preferred organization from the list on the Globus login page, and you will be redirected to your organization’s login page to provide your credentials. If you don’t see your organization listed or would like to create a separate account, you can use Google or Globus ID to sign into Globus.
If you are an existing Globus user and have previously logged in using a Globus username and password, that option is now the Globus ID. We’ve moved Globus username/passwords created prior to February 13, 2016 into an independent service called Globus ID (globusid.org). Your Globus account can include a Globus ID as a linked identity, but this is not required.
Globus supports multiple authentication methods, including username/password (our default method), MyProxy, MyProxy with OAuth, OpenID (using a Google account) and InCommon. In all instances, you are first required to set up a Globus account (username/password) and then can associate additional identities with your Globus account. You will subsequently be able to sign in to Globus using any of the identities mapped to your account.
Yes, one-time passwords work with Globus and do not require any specialized configuration. To access a site that requires an OTP, simply enter your password and token as you would normally when prompted by the site’s login page.
From the perspective of XSEDE, Globus looks like a science gateway that uses user-specific credentials to access resources on behalf of the user, instead of using community credentials. Globus uses the MyProxy OAuth server provided by XSEDE to get a user’s short term X.509 certificate, without requiring the user’s password to flow through Globus.
When a user chooses to activate an XSEDE endpoint, they are redirected to the XSEDE MyProxy OAuth server, where they are prompted to log in using their XSEDE credential (username/password). Once they have authenticated, they are automatically redirected to the Globus page and the activation is completed. Globus only receives a short-term X.509 certificate from the MyProxy server, and never sees the user’s username and password.
If the user is using the Globus command line interface, the activation of an XSEDE endpoint prints a URL for them to use to complete the activation. Once the user browses to the URL, the flow is similar to the one described when using the Globus website.
Please complete the steps below and then send email to email@example.com requesting that your account be deleted:
- Remove yourself from all Globus groups.
- Delete your Globus endpoints, including all shared endpoints that you created (note that users to whom you granted access to a shared endpoint will no longer be able to access the files on that endpoint).
- Delete your Globus endpoint bookmarks.
- Unlink any other accounts:
  - Go to your Account page
  - Click on Manage Your Identities
  - Click X for each identity
- Remove your consents:
  - Go to your Account page
  - Click on Manage Your Consents
  - Click X for each consent
For high-assurance guest collections, users have to authenticate with the identity that grants them access within their current browser session for data access and managing permissions. For example, say a user had firstname.lastname@example.org as linked identities, and the data was shared with email@example.com. If the user logged in to the application using firstname.lastname@example.org, they would be prompted to authenticate with email@example.com within the session for data access. The user will also be prompted to log in again with firstname.lastname@example.org when the session timeout value configured on the collection has been reached.
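The session rule described above can be read as a small decision procedure. The following is an added, simplified model of it, not Globus code: the function name, the decision labels and the sample identities are assumptions made for illustration.

```python
# Added illustration: a simplified model of the high-assurance session check.
# Not Globus code; function name, labels and sample identities are assumptions.

def session_decision(linked, granted, session_auth, timeout_s, now):
    """Decide what a high-assurance collection asks of the user.

    linked       -- identities linked in the user's Globus account
    granted      -- identities the data was shared with
    session_auth -- {identity: time of its last authentication in this browser session}
    timeout_s    -- session timeout configured on the collection, in seconds
    now          -- current time, on the same clock as session_auth
    """
    # Only a linked identity that was actually granted access can satisfy the check.
    candidates = [i for i in linked if i in granted]
    if not candidates:
        return ("deny", None)

    expired = None
    for identity in candidates:
        if identity not in session_auth:
            continue  # linked and granted, but not authenticated in this session
        age = now - session_auth[identity]
        if age < timeout_s:
            return ("allow", identity)
        expired = identity  # authenticated, but the timeout has been reached

    if expired is not None:
        return ("reauthenticate", expired)
    # Logging in with a different linked identity is not enough.
    return ("authenticate", candidates[0])


# Constructed sample data: two linked identities, data shared with only one.
LINKED = ["alice@campus.example", "alice@lab.example"]
GRANTED = {"alice@lab.example"}
TIMEOUT = 3600  # seconds

if __name__ == "__main__":
    # Logged in with the campus identity only: prompted for the lab identity.
    print(session_decision(LINKED, GRANTED, {"alice@campus.example": 0}, TIMEOUT, 100))
    # Lab identity authenticated at t=200: allowed until the timeout is reached.
    both = {"alice@campus.example": 0, "alice@lab.example": 200}
    print(session_decision(LINKED, GRANTED, both, TIMEOUT, 300))
    print(session_decision(LINKED, GRANTED, both, TIMEOUT, 3800))
```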
Multiple organizations have conducted Globus security reviews. Their findings and our responses are documented here.
Globus ID provides and manages identities (usernames and passwords) for use with the Globus service. It is an independent service operated by the Globus team for those users that choose not to use their organization’s login to access Globus (and for users whose institutional identity provider is not yet supported by the Globus service). A Globus ID is not required to use Globus - you are encouraged to access the service using your institutional username and password.
Globus ID was introduced so that we can continue to support Globus usernames/passwords for those users that registered for a Globus account prior to February 13, 2016. For example, if you had previously created the Globus username "auser", you can log into Globus as email@example.com with your existing Globus password.
Your Globus account is the set of linked identities that you have used to log into Globus. Click here to see the set of identities for your Globus account.
We’ve moved Globus username/passwords created prior to February 13, 2016 into an independent service called Globus ID (globusid.org). Your Globus account can include a Globus ID as a linked identity, but this is not required.
Globus allows users to link their many identities (e.g., university login, facility logins, Google, Globus ID) into a single Globus account. This allows the user to have a single account to manage their resources across these multiple identities. For example, a user with a University of Chicago account might also have an XSEDE account. By linking those together into a single Globus account, use of services such as Globus transfer and groups using either identity is consolidated under that single Globus account.
If your organization is part of the InCommon Federation, the administrator of your campus identity system can configure it to work with Globus. Globus supports logins from InCommon members whose identity systems release Research & Scholarship attributes.
Please send the following information to your IT administrator: "To set up your Identity Provider for use with Globus, please see this FAQ. If your identity provider is listed in CILogon, but not in Globus, please ensure that Research and Scholarship attributes are released to CILogon as described here. You can confirm that your institution is releasing Research and Scholarship attributes by visiting here. Once your organization’s system is configured to release the required attributes, it will appear in the list of institutions on the Globus login page within two business days and can be selected by your users."
An organization must release the full Research and Scholarship attribute bundle to be automatically detected and added as a Globus login option. Organizations that have a Globus Subscription and release at least the ePPN and ePTID can also be added manually. In that case, the organization needs to submit a request to Globus Support asking for this to be done.
If your organization is not part of the InCommon Federation, you can request to add your organizational login as an alternate identity provider in Globus. Your system must support the OpenID Connect protocol, and be registered with Globus as a trusted identity provider. Please submit this form so we can register your system. Once the request is vetted and approved, your identity provider will be available as an option for login.