XSEDE OOD Pilot and features of interest

XSEDE is doing an OOD pilot exploring: 1) whether it is feasible to have a central OOD portal that can access multiple XSEDE federated resources, and 2) whether we can develop XSEDE-specific apps that can run on a central OOD portal or on SP-specific OOD portals. A few XSEDE federated service providers are using local OOD portals, but many are not.

An initial set of features we are interested in:

  1. Ability to verify/enforce that the OAuth token after IdP login contains required claims:
    1.1) That a specific IdP claim was used (e.g. the XSEDE IdP)
    1.2) That MFA was used to authenticate with that IdP

  2. Securely store/pass OAuth tokens/credentials to the PUN for use by applications (including ssh)

  3. Ability to configure and obtain additional OAuth tokens containing custom claims required by applications (including ssh), and to store them per 2) for re-use.
    3.1) Each federated cluster accessed via an SSH shell should accept identities from the IdP used to log in to OOD, but may require custom OAuth scopes
    3.2) Each federated cluster and application combination may also require custom OAuth scopes

  4. Documentation/support for configuring which application can run on which clusters
    4.1) Documentation/support for configuring which application can run on which clusters
    4.2) Documentation/support for users selecting which configured cluster an application should run on

  5. Documentation/support for configuring an SSH-FS method of mounting a cluster-specific home file-system as needed on the OOD portal

NOTE for 1.1: Apache mod_auth_openidc probably supports this via the “Require claim …” configuration directive

NOTE for 1: Both claims would be verified by OOD after successful IdP login, and OOD login would fail if verification failed. In the future, when OAuth supports it, OOD would pass these requirements to OAuth for it to enforce.
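As an added example (not from the XSEDE pilot or the OOD project), the kind of Apache mod_auth_openidc fragment that would implement notes 1 and 1.1 on the OOD portal: the login is rejected unless the ID token carries both required claim values. The claim names `idp` and `amr`, their values, and all URLs and secrets are assumptions; the federated IdP must actually put those claims in its tokens.

```apache
# Added example: mod_auth_openidc fragment for OOD features 1.1 and 1.2.
# Provider settings are placeholders; the claim names and values below are
# assumptions about what the federated IdP puts in the ID token.
OIDCProviderMetadataURL https://idp.example.org/.well-known/openid-configuration
OIDCClientID            ood-portal-client-id-placeholder
OIDCClientSecret        REPLACE_WITH_CLIENT_SECRET
OIDCRedirectURI         https://ondemand.example.org/oidc
OIDCCryptoPassphrase    REPLACE_WITH_RANDOM_PASSPHRASE
OIDCRemoteUserClaim     preferred_username
OIDCScope               "openid email profile"

<Location "/">
  AuthType openid-connect
  # Bare Require lines are combined as RequireAny by default, which would
  # accept a token satisfying only one of the two checks. RequireAll makes
  # the IdP check (1.1) and the MFA check (1.2) both mandatory.
  <RequireAll>
    # 1.1: the token must name the IdP that authenticated the user.
    # 'idp' is an assumed claim name; the value is an entity-ID placeholder.
    Require claim idp:https://idp.example.org/entity-id-placeholder
    # 1.2: the authentication-method references (amr) must include "mfa".
    # When the claim is a JSON array, Require claim matches any element.
    Require claim amr:mfa
  </RequireAll>
</Location>
```

A token missing either value fails authorization at Apache, before the request reaches the OOD portal, which is the "cause OOD login to fail" behaviour the note describes.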