Federated OIDC (Single Sign-On) Reference Architecture

This document provides a reference architecture when an existing institutional OIDC is integrated to provide Single-Sign-On across all of Globus.

Reference Architecture

auth flow 2022 federated

  • The institutional identity provider is registered by Globus as an identity provider to allow login across all of the Globus applications

  • The source and/or destination Globus Connect Server instances are configured by an administrator to require a login from a specific domain within a given timeframe

    • Information on how to set the authentication requirements can be found in Globus Connect Server installation documentation under Authentication Policies

    • Note that the OIDC server is registered as an identity provider for use with this collection, but not for logging into Globus

  • PAM is used for local user authentication on the Globus Connect Server instances, which can be redirected to other services such as LDAP, RADIUS, or Kerberos. This is configured by the administrator of the endpoint.

Next Steps

Definitions

  • Collection: Collections are discoverable access points that allow data to be transferred through GridFTP or HTTPS. A collection consists of metadata about the collection, a DNS domain for accessing data on the collection, and configuration information

  • Endpoint: Storage connected to the Globus service via Globus Connect Server or Globus Connect Personal. An endpoint has a logical name that points to the physical data movement servers and is associated with identity services. Endpoints contain one or more collections

  • Globus or Globus service: The Globus software as a service, operated by University of Chicago, hosted on Amazon Web Services

  • Globus Auth: The Globus Authentication service

  • Globus OIDC Server: OIDC server that can be installed as part of an endpoint for PAM-based authentication

  • Globus Connect Server: Administrator installed multi-user server that has a data movement and identity service components

  • GlobusID: A free identity provider operated by Globus

  • GridFTP server: Data movement component of Globus Connect Server that uses the high performance GridFTP protocol

  • Globus OIDC Server: Identity component of Globus Connect Server that can be used to authenticate users through PAM

  • Identity set: Set of identities that a user has linked together in Globus

  • Linux PAM: Linux Pluggable Authentication Module (PAM) is a suite of libraries for Linux user authentication

  • OAuth: A widely-used standard for access delegation, more information can be found at http://oauth.net/