
Identity Provider Integration

Last Updated: April 20, 2022

Globus provides a variety of ways to integrate your identity provider into the Globus ecosystem.

This document discusses methods for customizing collection authentication as well as supporting Single Sign-On to use your identity provider across all of Globus.

Identity Provider Integration Options

There are three options. The first two authenticate users for collection access only; the third makes the identity usable across every Globus service as well as for collection access.

Option 1: Use a GCS Globus OIDC server for accessing collections

(Figure: auth flow 2022 OIDC)

This option allows you to install an OIDC server as part of your Globus Connect Server endpoint. The identity provider is only used for collection access, and identities are authenticated against local Linux PAM accounts. The OIDC server is provided by Globus and is integrated into the Globus Connect Server endpoint.

  • Authentication process is configured through PAM on the Globus Connect Server nodes

  • Access and share data with these identities

  • OIDC server is integrated into the Globus Connect Server for easy deployment

Read the GCSv5 Getting Started documentation to set up the Globus OIDC server on your Globus Connect Server endpoint.

Option 2: Integrate an existing OIDC server for accessing collections

(Figure: auth flow 2022 institutional OIDC)

This option allows you to use an existing OIDC server. The identity provider is only used for collection access, and identities are authenticated against the institutional OIDC server.

  • Authentication is through the existing OIDC server

  • Access and share data with these identities

  • OIDC server is independent of the Globus Connect Server endpoint and is deployed by the institution

Use the GCSv5 OIDC Register command to register the existing OIDC server with your Globus Connect Server instance.

Option 3: Integrate an existing OIDC server as a Federated Identity Provider or Alternate Identity Provider (Single Sign-On)

(Figure: auth flow 2022 federated)

This option is the same as Option 2 but integrates the existing OIDC server into the complete Globus ecosystem. The identity provider is available across all Globus services as well as for accessing collections. This is recommended if you want to use an existing identity provider for Single Sign-On across the Globus services as well as for managing access to collections.

  • Authentication is through either (a) a federated identity provider (via InCommon, eduGAIN, or providers such as Google and ORCID) or (b) an institutional OIDC server (an identity provider operated by an institution and added to the Globus ecosystem as an alternate identity provider)

  • Access and share data with these identities

  • Identity provider deployment is independent of the Globus Connect Server endpoint

  • A single identity is used to access all Globus services and to access and share data (Single Sign-On)

  • Identities may be used to log into Globus and to access third-party services such as science gateways, data analysis portals, and research data repositories

  • Identity provider integration is managed by Globus

Register your alternate identity provider here.
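Options 2 and 3 both hand trust to an OIDC server that Globus Connect Server or Globus Auth did not deploy, so it is worth checking what that server publishes before registering it. The following is an added example, not code from Globus or from Globus Connect Server: it validates an OpenID Connect discovery document (the JSON served at <issuer>/.well-known/openid-configuration) against the issuer you intend to register, flagging an issuer mismatch, non-HTTPS endpoints, a missing authorization code flow, and an advertised unsigned ID token algorithm. The issuer https://idp.example.edu and both discovery documents are constructed for the example; in practice you would fetch the document over HTTPS from the server itself.

```python
"""Pre-registration sanity check for an institutional OIDC server.

Added example, not Globus code. Checks an OpenID Connect discovery
document before the server behind it is registered for collection
access or as an alternate identity provider. The issuer and the two
discovery documents below are constructed for this example.
"""
import json
from urllib.parse import urlparse

# Fields a conforming discovery document must carry (OpenID Connect Discovery 1.0).
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(expected_issuer: str, doc: dict) -> list:
    """Return the list of problems found; an empty list means the document is acceptable."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"missing required field: {field}")

    # The issuer must match the configured value exactly. A stray trailing slash
    # or a different host means the 'iss' claim in ID tokens will not be the one
    # you decided to trust (issuer mix-up).
    issuer = doc.get("issuer")
    if issuer is not None and issuer != expected_issuer:
        problems.append(f"issuer mismatch: expected {expected_issuer!r}, got {issuer!r}")

    # Every endpoint the relying party will contact must be HTTPS with a host.
    for field in URL_FIELDS:
        value = doc.get(field)
        if isinstance(value, str):
            parts = urlparse(value)
            if parts.scheme != "https" or not parts.netloc:
                problems.append(f"{field} must be an https URL: {value}")
            if parts.fragment:
                problems.append(f"{field} must not contain a fragment: {value}")

    # A server-side relying party uses the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_types_supported does not include 'code'")

    # 'none' advertises unsigned ID tokens; RS256 is mandatory to implement.
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "none" in algs:
        problems.append("id_token_signing_alg_values_supported advertises 'none'")
    if "RS256" not in algs:
        problems.append("RS256 is not advertised in id_token_signing_alg_values_supported")

    return problems


# Constructed discovery document that passes every check.
GOOD_DOC = json.loads("""{
  "issuer": "https://idp.example.edu",
  "authorization_endpoint": "https://idp.example.edu/oauth2/authorize",
  "token_endpoint": "https://idp.example.edu/oauth2/token",
  "jwks_uri": "https://idp.example.edu/oauth2/jwks",
  "response_types_supported": ["code"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")

# Constructed discovery document with five defects: no jwks_uri, issuer with a
# trailing slash, plain-HTTP token endpoint, no 'code' response type, and 'none'.
BAD_DOC = json.loads("""{
  "issuer": "https://idp.example.edu/",
  "authorization_endpoint": "https://idp.example.edu/oauth2/authorize",
  "token_endpoint": "http://idp.example.edu/oauth2/token",
  "response_types_supported": ["token"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["none", "RS256"]
}""")


if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        found = check_discovery("https://idp.example.edu", doc)
        print(name, "OK" if not found else "; ".join(found))
```

The exact issuer comparison is deliberate: OpenID Connect clients must compare the `iss` claim against the configured issuer string, so registering "https://idp.example.edu/" while the server signs tokens as "https://idp.example.edu" fails at login time rather than at registration time if this check is skipped.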

Next Steps

Each option is discussed in further detail in the following articles:

  • Globus OIDC Integration

  • Existing OIDC Integration

  • Institutional OIDC with Single-Sign-On Integration

To learn how Globus provides end-to-end security for your data:

  • Globus Connect Server v5 Authorization and Authentication

Definitions

  • Alternate Identity Provider: An OIDC server operated by an institution that has been integrated with Globus Auth. Such identity providers are listed as an option to log into Globus, and can be used to authenticate to all services in the Globus ecosystem (Globus provided or third party).

  • Collection: Collections are discoverable access points that allow data to be transferred through GridFTP or HTTPS. A collection consists of metadata about the collection, a DNS domain for accessing data on the collection, and configuration information.

  • Endpoint: Storage systems connected to the Globus service via Globus Connect Server or Globus Connect Personal. An endpoint has a logical name that points to the physical data movement servers and is associated with identity services. Endpoints contain one or more collections.

  • Federated Identity Providers: Identity Providers that are part of InCommon or eduGAIN and integrated with Globus Auth via CILogon.

  • Globus or Globus service: The Globus software as a service, operated by University of Chicago, hosted on Amazon Web Services

  • Globus Auth: The Globus Authentication service

  • Globus Connect Server: Administrator-installed multi-user server that has data movement and identity service components

  • Globus ID: An Identity provider of last resort operated by Globus

  • GridFTP server: Data movement component of Globus Connect Server that uses the high performance GridFTP protocol

  • Globus distributed OIDC Server: (Collection access only) Included as part of the identity component of Globus Connect Server, this is a Globus distributed OIDC server that allows for connecting to other authentication systems via a PAM module plug-in.

  • Institution operated OIDC Server: Institution operated OIDC server, using either the Globus distributed OIDC server or another OIDC stack. These can be registered with Globus Auth either as an Alternate Identity Provider for complete Globus access, or configured for collection access only.

  • Identity set: Set of identities that a user has linked together in Globus

  • Linux PAM: Linux Pluggable Authentication Module (PAM) is a suite of libraries for Linux user authentication

  • OAuth: A widely-used standard for access delegation, more information can be found at http://oauth.net/
