Guides
  • Guides
  • Tutorials
    • File Management
    • Manage Identities
    • Storage Connectors
    • Automation with Flows
  • Overviews & Concepts
    • Clients, Scopes, and Consents
    • Collections and Endpoints
    • Globus Auth Requirements Errors (GAREs)
    • High Assurance Collections for Protected Data
    • Security Overview
  • Recipes & Manuals
    • Automating Transfer and Share of Data from Instruments
    • Automation with Service Accounts
    • GCS Apache Reverse Proxy
    • GCS Default VirtualHost
    • Monitoring Globus Connect Server
    • MRDP
    • Require a Flow for Data Movement
    • Use Globus Preview
Skip to main content
Globus Docs
  • Getting Started
    Getting Started

    Getting Started and Tutorial docs cover how to perform some activity or provide an introduction to a feature. They are not comprehensive, but help you get started with Globus or with new Globus features.

    • Users
    • Admins
    • Developers
  • Reference
    Reference
    • Service
      • Auth
      • Groups
      • Transfer
      • Timers
      • Flows
      • Compute
      • Search
    • Agents
      • Globus Connect Server
      • GCS CLI
      • Globus Connect Personal
      • Globus Compute
    • SDK
      • Python
      • JS
    • Clients
      • CLI
    • Security and Compliance
      • Product Security
      • Privacy
      • Solutions for Sensitive Data
      • FAQs
  • Solutions & Guides
    Solutions & Guides

    Find practical approaches for leveraging Globus in research environments, integrating with platforms, and building science gateways. Access hands-on guides, integration instructions, and real-world scenarios for advanced usage.

    • Portals/Science Gateways
    • Guides
  • Support
    Support

    Find answers to frequently asked questions, connect with the community by joining our mailing lists, or reach out directly to Globus support.

    • FAQs
    • Mailing Lists
    • Contact Us
    • Check Support Tickets
  • Site Search
  1. Home
  2. Guides
  3. Overviews & Concepts
  4. Security Overview
  5. Federated OIDC (Single Sign-On) Reference Architecture

Federated OIDC (Single Sign-On) Reference Architecture

This document provides a reference architecture when an existing institutional OIDC is integrated to provide Single-Sign-On across all of Globus.

Reference Architecture

auth flow 2022 federated
  • The institutional identity provider is registered by Globus as an identity provider to allow login across all of the Globus applications

  • The source and/or destination Globus Connect Server instances are configured by an administrator to require a login from a specific domain within a given timeframe

    • Information on how to set the authentication requirements can be found in Globus Connect Server installation documentation under Authentication Policies

    • Note that the OIDC server is registered as an identity provider for use with this collection, but not for logging into Globus

  • PAM is used for local user authentication on the Globus Connect Server instances, which can be redirected to other services such as LDAP, RADIUS, or Kerberos. This is configured by the administrator of the endpoint.

Next Steps

  • Globus will perform the registration and the integration of your identity provider, simply complete the Alternate Identity provider form here

  • Configure the Globus Connect Server identity provider requirement using the --domain option on the storage gateway Authentication Policies

Definitions

  • Collection: Collections are discoverable access points that allow data to be transferred through GridFTP or HTTPS. A collection consists of metadata about the collection, a DNS domain for accessing data on the collection, and configuration information

  • Endpoint: Storage connected to the Globus service via Globus Connect Server or Globus Connect Personal. An endpoint has a logical name that points to the physical data movement servers and is associated with identity services. Endpoints contain one or more collections

  • Globus or Globus service: The Globus software as a service, operated by University of Chicago, hosted on Amazon Web Services

  • Globus Auth: The Globus Authentication service

  • Globus OIDC Server: OIDC server that can be installed as part of an endpoint for PAM-based authentication

  • Globus Connect Server: Administrator installed multi-user server that has a data movement and identity service components

  • GlobusID: A free identity provider operated by Globus

  • GridFTP server: Data movement component of Globus Connect Server that uses the high performance GridFTP protocol

  • Globus OIDC Server: Identity component of Globus Connect Server that can be used to authenticate users through PAM

  • Identity set: Set of identities that a user has linked together in Globus

  • Linux PAM: Linux Pluggable Authentication Module (PAM) is a suite of libraries for Linux user authentication

  • OAuth: A widely-used standard for access delegation, more information can be found at http://oauth.net/

  • Guides
  • Tutorials
    • File Management
    • Manage Identities
    • Storage Connectors
    • Automation with Flows
  • Overviews & Concepts
    • Clients, Scopes, and Consents
    • Collections and Endpoints
    • Globus Auth Requirements Errors (GAREs)
    • High Assurance Collections for Protected Data
    • Security Overview
  • Recipes & Manuals
    • Automating Transfer and Share of Data from Instruments
    • Automation with Service Accounts
    • GCS Apache Reverse Proxy
    • GCS Default VirtualHost
    • Monitoring Globus Connect Server
    • MRDP
    • Require a Flow for Data Movement
    • Use Globus Preview
© 2010- The University of Chicago Legal Privacy Accessibility