XSEDE is doing an OOD pilot exploring: 1) whether it is feasible to have a central OOD portal that can access multiple XSEDE federated resources, and 2) whether XSEDE-specific apps can be developed that run on a central OOD portal or on SP-specific OOD portals. A few XSEDE federated service providers are using local OOD portals, but many are not.
An initial set of features we are interested in:
1) Ability to verify/enforce that the OAuth token after IdP login contains required claims:
1.1) That a specific IdP claim was used (eg XSEDE IdP)
1.2) That MFA was used to authenticate with that IdP
2) Securely store/pass OAuth tokens/credentials to the PUN for use by applications (including ssh)
3) Ability to configure and obtain additional OAuth tokens containing custom claims required by applications (including ssh), and to store them per 2) for re-use.
3.1) Each federated cluster accessed via SSH shell should accept identities from the IdP used to log in to OOD but may require custom OAuth scopes
3.2) Each federated cluster and application combination may also require custom OAuth scopes
4) Documentation/support for configuring which application can run on which clusters
5) Documentation/support for users selecting which configured cluster an application should run on
6) Documentation/support for configuring an SSH-FS method of mounting a cluster-specific home file-system as needed on the OOD portal
NOTE for 1.1: Apache mod_auth_openidc probably supports this via the “Require claim …” configuration directive
NOTE for 1: Both claims would be verified by OOD after successful IdP login and cause OOD login to fail if verification failed. In the future, when OAuth supports it, OOD would pass these requirements to OAuth for it to enforce.
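As an added example (not code from the original post, from XSEDE, or from Open OnDemand), the post-login check described in item 1 and the notes, written as a Python function over the decoded ID token claims: 1.1 is checked against the `iss` claim, 1.2 against the RFC 8176 `amr` (authentication method reference) values, and the token's `exp` is checked so a stale token cannot pass. The issuer URL, the user names and the sample payloads are constructed placeholders; signature verification is assumed to have already been done by the OIDC layer (e.g. mod_auth_openidc) before these claims are inspected.

```python
"""Post-login claim verification for OOD (added example, constructed data).

Assumes the ID token signature has already been verified by the OIDC
library; this only inspects the decoded claims. The issuer URL is a
constructed placeholder, and the accepted `amr` values follow RFC 8176.
"""
from __future__ import annotations

import json
import time
from typing import Iterable

# Constructed placeholder for the required IdP issuer (assumption).
REQUIRED_ISSUER = "https://idp.example.org"

# RFC 8176 Authentication Method Reference values that indicate a second factor.
MFA_AMR_VALUES = frozenset({"mfa", "otp", "hwk", "sms", "swk", "tel"})


class ClaimCheckError(Exception):
    """Raised when a required claim is missing or has the wrong value."""


def _as_list(value) -> list:
    """Normalise a claim that may arrive as a JSON array or a string."""
    if value is None:
        return []
    if isinstance(value, str):
        # some IdPs emit a space-separated string instead of an array
        return value.split()
    if isinstance(value, (list, tuple)):
        return [str(v) for v in value]
    raise ClaimCheckError(f"unexpected type for claim: {type(value).__name__}")


def verify_login_claims(claims: dict, required_issuer: str = REQUIRED_ISSUER,
                        mfa_values: Iterable[str] = MFA_AMR_VALUES,
                        now: float | None = None) -> dict:
    """Return the checked claims, or raise ClaimCheckError.

    Checks, in order: the token is not expired, it was issued by the
    required IdP (item 1.1, `iss`), and an MFA method appears in `amr`
    (item 1.2).
    """
    now = time.time() if now is None else now
    # refuse a token that has no `exp` or is already past it
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ClaimCheckError("token missing `exp` or expired")
    # 1.1: issuer must match exactly (no prefix or case-insensitive matching)
    iss = claims.get("iss")
    if iss != required_issuer:
        raise ClaimCheckError(f"issuer {iss!r} is not the required IdP")
    # 1.2: at least one MFA method must be present in amr
    amr = _as_list(claims.get("amr"))
    if not set(amr) & set(mfa_values):
        raise ClaimCheckError(f"no MFA method in amr={amr!r}")
    return {"sub": claims.get("sub"), "iss": iss, "amr": amr}


def login_allowed(id_token_json: str, **kwargs) -> tuple[bool, str]:
    """Decision wrapper: (allowed, reason) for a decoded ID token payload."""
    try:
        claims = json.loads(id_token_json)
    except json.JSONDecodeError as exc:
        return False, f"malformed token payload: {exc.msg}"
    try:
        verify_login_claims(claims, **kwargs)
    except ClaimCheckError as exc:
        return False, str(exc)
    return True, "ok"


# Constructed sample payloads (not real tokens); exp is 2100-01-01.
GOOD = json.dumps({"iss": REQUIRED_ISSUER, "sub": "alice",
                   "amr": ["pwd", "otp"], "exp": 4102444800})
NO_MFA = json.dumps({"iss": REQUIRED_ISSUER, "sub": "bob",
                     "amr": ["pwd"], "exp": 4102444800})
WRONG_IDP = json.dumps({"iss": "https://other-idp.example.net", "sub": "carol",
                        "amr": ["mfa"], "exp": 4102444800})

if __name__ == "__main__":
    for label, payload in (("good", GOOD), ("no_mfa", NO_MFA), ("wrong_idp", WRONG_IDP)):
        print(label, login_allowed(payload))
```

Only the `good` payload is accepted; the other two fail with a reason that can be logged for the failed-login case the note describes. The same two checks map onto the mod_auth_openidc directive mentioned in the note for 1.1, one `Require claim` line for `iss` and one for `amr`, which keeps the policy in the web server rather than in application code.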